
WSS common application bypasses


Article ID: 222807




Web Security Service - WSS


The WSS Agent provides the ability to add web application executables to a WSS Agent bypass list.

Use Case—Connection Errors

  • Some clients with WSS Agent might not connect to web applications through WSS. The issue is prevalent when WSS is integrated with CloudSOC for CASB inspections.
  • A common cause of lost connections is a thick client that pins a certificate. The connection breaks when WSS inserts its SSL certificate. Dropbox is a prominent thick-client example of this use case.
  • Furthermore, when WSS encounters this issue, it is not able to display response messages to the requesting clients. Nor are any error codes returned. The end user's perspective is that the application is not working, which then instigates support calls and troubleshooting.
  • WSS bypasses or blocks connections from the thick app (for example—Dropbox), but the website (for example— is susceptible to defined WSS policies (content, malware, DLP).

Connections on macOS Big Sur

  • On macOS 11.x (Big Sur), VPN and meeting software might experience connection issues when a network extension such as WSS Agent is installed. You can bypass these applications.

Use Case—Strategic Bypass

Bypass applications (such as a VPN client) to avoid having to bypass VPN and SAML IP addresses.

General Rules

  • Prefer wildcards over entering multiple distinct paths.
  • For macOS, you should double-asterisk (**) wildcard everything past the .app or .systemextension you are trying to bypass.
  • For Windows, you should double-asterisk (**) wildcard everything within the installation directory to cover all binaries for that application.
  • Group all the paths and certificates for an application in a single "Executable Bypass" in the portal.  You can safely combine both Windows and macOS configurations into a single application.
  • On macOS Big Sur, network extensions get staged into the /Library/SystemExtensions/<OS-DEFINED-HASH>/ directory.  You will need to use a single asterisk (*) to match the OS-defined hash value.
  • When entering paths and certificates in the portal, do not wrap them in quotes or try to escape spaces.  Enter the values exactly as provided.
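
As an added example (not Broadcom's code and not part of the WSS portal), the following check runs bypass path entries against the General Rules above before they are entered. The shared-root list, the function name and the sample entries in the comments are assumptions constructed for illustration.

```python
import re

# Assumed list of shared roots: a trailing "**" directly beneath one of these
# is not scoped to a single application's bundle or installation directory.
SHARED_ROOTS = {"/applications", "/library", "/library/systemextensions",
                "/library/systemextensions/*", "c:\\program files",
                "c:\\program files (x86)", "c:\\users\\*\\appdata"}

QUOTED = "wrapped in quotes"
ESCAPED = "escaped space"
HASH = "SystemExtensions hash segment must be a single *"
BROAD = "trailing ** is not scoped to one application"

def lint_bypass_path(entry):
    """Return the list of rule violations for one path entry (empty = clean)."""
    issues = []
    p = entry.strip()
    # Rule: do not wrap values in quotes.
    if len(p) >= 2 and p[0] == p[-1] and p[0] in "\"'":
        issues.append(QUOTED)
        p = p[1:-1]
    is_windows = re.match(r"[A-Za-z]:\\", p) is not None
    # Rule: do not escape spaces (backslash is a separator on Windows, so
    # this is only checked on macOS-style paths).
    if not is_windows and "\\ " in p:
        issues.append(ESCAPED)
        p = p.replace("\\ ", " ")
    sep = "\\" if is_windows else "/"
    # Rule: /Library/SystemExtensions/<OS-DEFINED-HASH>/ is matched with one *.
    if p.lower().startswith("/library/systemextensions/"):
        parts = p.split("/")
        if len(parts) > 3 and parts[3] != "*":
            issues.append(HASH)
    # Rule: ** covers everything past the app, extension or install directory,
    # so something application-specific must precede it.
    if p.endswith("**"):
        prefix = p[:-2].rstrip(sep).lower()
        if prefix in SHARED_ROOTS:
            issues.append(BROAD)
    return issues

# Constructed sample entries (not taken from the tables on this page):
#   /Library/SystemExtensions/*/com.example.vpn.systemextension/**  -> clean
#   "C:\Program Files\Example VPN\**"                               -> quoted
#   /Library/SystemExtensions/0A1B2C3D/com.example.vpn.systemextension/** -> hash
```

An empty result means the entry follows the formatting and scoping rules; it does not confirm that the path exists on the endpoint.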

See WSS Agent—Bypass Applications for more information.


Application List

The following tables can be used to determine a set of application bypasses suitable for that app.  The paths and certificates will include all locations on both macOS and Windows for the applications.

  • To bypass applications on macOS Big Sur, you should be running WSSA 7.3.5 or later.
  • Any applications downloaded from the macOS App Store will be signed by Apple Mac OS Application Signing.  The tables below only include the certificate information for standalone installers.
  • For applications on macOS with a space in their path, certificate validation will only work if running WSSA 7.4.1 or later. To run these bypasses on macOS with WSSA 7.3.x, you will need to select the "None" validation in the WSS portal.
  • Only information from the latest versions of the applications is listed below.  Older versions may install in different locations and/or have different certificates.


VPN Applications


Palo Alto GlobalProtect
  Paths:
    • /Applications/**
    • /Library/SystemExtensions/*/com.paloaltonetworks.GlobalProtect.client.extension.systemextension/**
    • C:\Program Files\Palo Alto Networks\GlobalProtect\**
  Certificates:
    • Developer ID Application: Palo Alto Networks (PXPZ95SK77)
    • Palo Alto Networks

Cisco AnyConnect
  Paths:
    • /Applications/Cisco/Cisco AnyConnect Secure Mobility**
    • /Library/SystemExtensions/*/**
    • C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\**
  Certificates:
    • Developer ID Application: Cisco (DE8Y96K9QP)
    • Cisco Systems, Inc.

Pulse Secure
  Paths:
    • /Applications/Pulse**
    • /Library/Application Support/Pulse Secure/**
    • /Library/SystemExtensions/*/net.pulsesecure.firewall.systemextension.systemextension/**
    • C:\Program Files (x86)\Pulse Secure\**
    • C:\Program Files (x86)\Common Files\Pulse Secure\**
  Certificates:
    • Developer ID Application: Pulse Secure LLC (3M2L5SNZL8)
    • Pulse Secure, LLC


Video Conferencing Applications


Cisco Webex
  Paths:
    • /Applications/Cisco Webex**
    • /Users/*/Library/Application Support/WebEx Folder/*/Meeting**
    • C:\Users\*\AppData\Local\WebEx\**
  Certificates:
    • Developer ID Application: Cisco (DE8Y96K9QP)
    • Cisco WebEx LLC

Microsoft Teams
  Paths:
    • /Applications/Microsoft**
    • C:\Users\*\AppData\Local\Microsoft\Teams\**
  Certificates:
    • Developer ID Application: Microsoft Corporation (UBF8T346G9)
    • Microsoft Corporation

Zoom
  Paths:
    • /Applications/**
    • C:\Users\*\AppData\Roaming\Zoom\**
  Certificates:
    • Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)
    • Zoom Video Communications, Inc.


Messaging Applications


Signal
  Paths:
    • /Applications/**
    • C:\Users\*\AppData\**\signal-desktop\Signal.exe
  Certificates:
    • Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)
    • Signal Messenger, LLC

Slack
  Paths:
    • /Applications/**
    • C:\Users\*\AppData\Local\slack\**
  Certificates:
    • Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)
    • Slack Technologies, Inc.


Windows 10 multi-session

Reference documentation:

Windows 10 Multi-session Agents
  Paths:
    • C:\Packages\Plugins\Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentWindows\*\NetworkWatcherAgent\NetworkWatcherAgent.exe
    • C:\WindowsAzure\Packages\GuestAgent\WindowsAzureGuestAgent.exe
    • C:\WindowsAzure\Packages\WaAppAgent.exe
  Certificates:
    • Microsoft Corporation
    • Microsoft Windows