Best Practices for Capture Client Exclusions

Description

This article explains the best practices to follow when creating exclusions for Capture Client.

Resolution

Best Practices for Exclusions:

  • An exclusion can hold only one path; paths cannot be combined with AND or OR. Create a new exclusion for each item.

  • Excluding a hash is the safest option. Be aware that it excludes only the specific version of a process, not all processes of this name.

  • Excluding specific files is safer than excluding a path. If an exploit inserts malware into an excluded path, we cannot protect the endpoints.

  • When creating an exclusion for an AppStacked application or snapvolume, use the folder SVROOT for the mount. For example:

      Change: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
      To:     *:\SVROOT\Program Files (x86)\Mozilla Firefox\firefox.exe

    This exclusion will work on: C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Mozilla Firefox\firefox.exe

  • Exclusion rules for Windows (using calc.exe as the example):

    • The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives.

      - C:\calc.exe excludes CALC on the root of the C drive.

      - calc.exe excludes CALC on all directories and drives.

    • You can use wildcards.

      - C:\c*c.exe excludes files that start with “c” and end with “c.exe” on all directories and drives. This includes CALC.EXE, CAMC.EXE and CHARLIE.DOC.EXE.

      - Example to exclude the Archives folder: C:\*\Archives\

      - Example to exclude GoToMeeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe

  • Exclusion rules for macOS:

    • The path must be absolute: it starts with a forward slash (/, ASCII character 47).

    • The path cannot begin or end with a space.

    • If you select Include Subfolders, the path must end with a forward slash (/).
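
The rules above can be checked before an exclusion is entered in the console. The following is an added example, not SonicWall code and not part of Capture Client; the function names (to_svroot, lint_windows, lint_macos) are hypothetical, and the checks encode only the rules listed in this article.

```python
import re

# Added illustration: a hypothetical pre-submission check that encodes only the
# rules listed in this article. It is not part of Capture Client.
DRIVE = re.compile(r"^[A-Za-z*]:\\")

def to_svroot(path):
    # Rewrite a drive-letter path into the AppStack form: <drive>:\ -> *:\SVROOT\
    if not DRIVE.match(path):
        raise ValueError("expected a path that starts with a drive letter")
    return "*:\\SVROOT\\" + DRIVE.sub("", path, count=1)

def lint_windows(path):
    # Return review notes on how broad a Windows exclusion is.
    notes = []
    if not DRIVE.match(path):
        notes.append("no drive letter: applies to all drives")
    if "*" in DRIVE.sub("", path, count=1):
        notes.append("wildcard: review every file name the pattern can match")
    if path.endswith("\\"):
        notes.append("folder: files written under it are not protected; prefer a file or hash")
    return notes

def lint_macos(path, include_subfolders=False):
    # Return rule violations for a macOS exclusion path.
    errors = []
    if not path.startswith("/"):
        errors.append("path must be absolute (start with /)")
    if path != path.strip(" "):
        errors.append("path cannot begin or end with a space")
    if include_subfolders and not path.endswith("/"):
        errors.append("Include Subfolders requires a trailing /")
    return errors

if __name__ == "__main__":
    # Constructed sample entries, based on the examples in this article.
    for p in [r"C:\calc.exe", "calc.exe", r"C:\c*c.exe", "C:\\*\\Archives\\"]:
        print(p, "->", lint_windows(p) or "ok")
    print(to_svroot(r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"))
    print(lint_macos("Applications/Example", include_subfolders=True))
```

An empty list from either lint function means the entry breaks none of the listed rules; any note on a Windows entry is a prompt to narrow it to a single file or a hash.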
