NIAP/CCEVS
TD0776:  Clarifications to FMT_SMF.1/ENDPOINT

Publication Date
2023.08.23

Protection Profiles
MOD_EDR_V1.0

Other References
FMT_SMF.1/ENDPOINT, MOD_EDR_V1.0-SD

Issue Description

The term "denylist" is not clearly defined in the Protection Profile. Test 3 implies that not all of the selections in the SFR are valid for testing and seemingly dictates a categorization methodology that is not defined. Test 4 describes an overview of the test but not a test itself.

Resolution

FMT_SMF.1/ENDPOINT in MOD_EDR_V1.0 is modified as follows, with text underlined and highlighted green indicating additions and text with strikethrough and red highlight indicating deletions:

Refinement: The EDR shall be capable of performing the following management functions:

Management Function | Administrator | SOC Analyst | Read-Only User
Configure the amount of time to retain data collected by the EDR [assignment: time frame to retain data] | M | O | -
Obtain or display the connectivity status of a Host Agent | M | O | O
Define a configurable denylist of [selection: filenames, folders, file hashes, [assignment: other factors]] | O | M | -
Configure visual suppression of incident alerts based on a configurable denylist of [selection: filenames, folders, file hashes, [assignment: other factors]] | O | M | -

Application Note: This requirement captures all the configuration functionality the TSF provides the administrator to configure the EDR. Both configurable lists mentioned in the table above are intended to match one another.

Chart legend: M = Mandatory, O = Optional, - = N/A

Tests 3 and 4 of FMT_SMF.1/ENDPOINT in MOD_EDR_V1.0-SD are modified as follows, with text underlined and highlighted green indicating additions and text with strikethrough and red highlight indicating deletions:

  • Test 3: The evaluator shall use a file that triggers an incident alert to test the suppression of such alerts for that specific file. Upon confirming the creation of incident alerts on access to the file, the evaluator shall configure suppression of the alert for each available suppression denylist file or metadata characteristic selected suppression method (e.g. filenames) and verify that incident alerts are categorized as suppressed, hidden, unavailable, or never created, or similarly categorized. No specific category naming is required, but it should follow the general intent of the examples provided.
  • Test 4: The evaluator shall attempt each function with each role and verify access conforms with the chart in the requirement.
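
As an added illustration (not code from NIAP, the TD, or any EDR vendor), the following Python model shows the behaviour that Tests 3 and 4 exercise: one configurable denylist keyed on filename, folder or file hash (so that the "define" and "suppress" lists match one another, as the Application Note intends), alerts that are categorized as "suppressed" rather than silently dropped, and the role/function chart used as the Test 4 oracle. The incident marker, file path, folder and hash are all constructed for the example.

```python
# Added example, not code from NIAP or MOD_EDR_V1.0: a small model of the
# denylist and alert-suppression behaviour that FMT_SMF.1/ENDPOINT Test 3
# exercises, plus the role/function chart that Test 4 checks against.
# All file names, folders, hashes and the "incident marker" are constructed.
import hashlib
import posixpath
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for whatever detection logic raises an incident alert.
INCIDENT_MARKER = b"CONSTRUCTED-INCIDENT-MARKER"


@dataclass
class Denylist:
    """One configurable denylist shared by 'define' and 'suppress' (the
    Application Note says both lists are intended to match one another)."""
    filenames: set = field(default_factory=set)
    folders: set = field(default_factory=set)
    file_hashes: set = field(default_factory=set)  # lowercase hex SHA-256

    def match(self, path, content):
        """Return the characteristic that matched, or None."""
        path = posixpath.normpath(path)
        if posixpath.basename(path) in self.filenames:
            return "filename"
        for folder in self.folders:
            folder = posixpath.normpath(folder)
            # Prefix test on a normalised path with a trailing separator, so
            # '/opt/tools' does not also suppress '/opt/tools-evil/x'.
            if path == folder or path.startswith(folder + "/"):
                return "folder"
        if hashlib.sha256(content).hexdigest() in self.file_hashes:
            return "file_hash"
        return None


@dataclass
class Alert:
    path: str
    status: str                          # "created" or "suppressed" (Test 3 categories)
    suppressed_by: Optional[str] = None  # which denylist characteristic matched


def on_file_access(path, content, denylist):
    """Evaluate a file access; return an Alert, or None if nothing triggered."""
    if INCIDENT_MARKER not in content:
        return None
    reason = denylist.match(path, content)
    if reason is None:
        return Alert(path, "created")
    # Suppression hides the alert from the analyst view but keeps the record,
    # so the evaluator (and auditors) can still see that the incident occurred.
    return Alert(path, "suppressed", reason)


# Role/function chart from the refined SFR: M = mandatory, O = optional, - = N/A.
CHART = {
    "retention":       {"Administrator": "M", "SOC Analyst": "O", "Read-Only User": "-"},
    "host_status":     {"Administrator": "M", "SOC Analyst": "O", "Read-Only User": "O"},
    "define_denylist": {"Administrator": "O", "SOC Analyst": "M", "Read-Only User": "-"},
    "suppress_alerts": {"Administrator": "O", "SOC Analyst": "M", "Read-Only User": "-"},
}


def role_may_access(function, role):
    """Test 4 oracle: '-' means the role must be refused; M and O may succeed."""
    return CHART[function][role] != "-"


def run_test3():
    """Mirror Test 3: confirm the alert fires on an empty denylist, then
    suppress it by each characteristic in turn and record the category."""
    path = "/tmp/constructed/sample.bin"          # constructed path
    content = b"header " + INCIDENT_MARKER        # constructed triggering file
    digest = hashlib.sha256(content).hexdigest()
    results = {"none": on_file_access(path, content, Denylist()).status}
    for name, dl in {
        "filename": Denylist(filenames={"sample.bin"}),
        "folder": Denylist(folders={"/tmp/constructed/"}),
        "file_hash": Denylist(file_hashes={digest}),
    }.items():
        alert = on_file_access(path, content, dl)
        results[name] = (alert.status, alert.suppressed_by)
    return results


if __name__ == "__main__":
    for characteristic, outcome in run_test3().items():
        print(characteristic, outcome)
```

The folder match normalises the path and compares with a trailing separator; without that, a denylisted folder such as `/opt/tools` would also suppress alerts for `/opt/tools-evil/x`, which is the kind of over-broad suppression an evaluator should look for when exercising the folder selection.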
Justification

Clarification of this SFR is required to ensure evaluations can test without issue.
