Best Practices for Creating Path-based Exclusions

Description

This article provides a detailed overview of the path-based exclusion rules in Capture Client.


These rules apply to path (file and folder) exclusions for all versions:

  • Each exclusion holds exactly one path. Boolean operators (AND, OR) are not supported in exclusions.

  • Excluding by hash is the safest option when it is possible. Be aware that a hash exclusion covers only that specific version of a process, not every process with that name.

  • Excluding specific files rather than a whole path is safer. If an exploit drops malware into an excluded path, the agent cannot protect the endpoint.

  • Environment variables are not supported. For example:

    Change: %appdata%
    To: C:\Users\Bob\AppData\Roaming\

    Or use the * wildcard to match all users: C:\Users\*\AppData\Roaming\

  • If you make an exclusion for an AppStacked application or snapvolume, use the folder SVROOT for the mount. For example, to exclude C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe:

    Change: C:\Program Files (x86)\Click\check.exe
    To: *\SVROOT\Program Files (x86)\Click\check.exe

  • Interoperability and Performance Focus exclusions take effect only when the endpoint or the excluded process is restarted.

  • Exclusions for Windows and macOS are NOT case sensitive. Exclusions for Linux are case sensitive.

Exclusion rules for Windows:

  • The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives. For example:

    • C:\calc.exe excludes CALC on the root of the C drive.

    • calc.exe excludes CALC on all directories and drives.

    DO NOT USE a wildcard as the drive directory ( *: or ?: ). For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.

  • If you select Include Subfolders, the path must end with a backslash (\).

  • You can use wildcards, but NOT as the drive directory.

    • Examples with wildcard * to refer to any character or characters: 

      C:\c*c.exe excludes files that start with “c” and end with “c.exe” on all directories and drives. This includes CALC.EXE, CAMC.EXE, CHARLIE.DOC.EXE

      Example to exclude the Archives folder:  C:\*\Archives\ 

      Example to exclude Go2Meeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe

      DO NOT USE *: (wildcard as the drive directory) to exclude folders. For example, do NOT use *:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.

    • Example with metacharacter ? to refer to one character:

      You CAN use:  C:\test?\  to exclude C:\test1\ and C:\testf\.

      DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an exclusion path.

Exclusion rules for macOS:

  • The path must be absolute: start with a forward slash ( / - ASCII char 47).

  • The path must not contain a space in the beginning or end.

  • If you select Include Subfolders, the path must end with a forward slash.

  • The * wildcard is supported in path exclusions.

    For example:

    • /Users/*/Applications/<NAME>.app/ excludes all users and app subfolders

    • /Users/?*/Desktop/<NAME>.app/  excludes all users and app subfolders and their subfolders

    • /Users/<USER>/Desktop/<NAME>.app/*  excludes all files in this path.
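The Windows and macOS rules above are easy to get subtly wrong (a wildcard drive letter, a missing trailing separator, or a `*` that covers far more than intended). The script below is an added illustration, not Capture Client's own matching engine: it lints an exclusion against the rules listed in this article and then dry-runs it against a constructed file inventory so you can see what a pattern would actually cover before deploying it. The function names, the sample paths, and the assumed semantics (`*` matches any run of characters including separators, `?` matches exactly one character, a Windows path without a drive letter applies in every directory on every drive, and a folder path without Include Subfolders covers only its direct children) are assumptions made for the example.

```python
"""Lint and dry-run path exclusions against the rules in this article.

Added illustration only; this is not Capture Client's matching engine.
Assumed semantics: '*' matches any run of characters (separators included),
'?' matches exactly one character, a Windows exclusion without a drive
letter applies in every directory on every drive, and a folder exclusion
without Include Subfolders covers only the files directly inside it.
"""
import re
from typing import List

# Constructed inventories of file paths to dry-run exclusions against.
SAMPLE_WINDOWS_FILES = [
    r"C:\calc.exe",
    r"C:\CAMC.EXE",
    r"C:\charlie.doc.exe",
    r"C:\notepad.exe",
    r"D:\calc.exe",
    r"C:\Program Files\Click\check.exe",
    r"D:\Program Files\Click\check.exe",
    r"C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe",
    r"C:\test1\a.txt",
    r"C:\testf\b.txt",
    r"C:\test12\c.txt",
    r"C:\Users\Bob\AppData\Roaming\tool.exe",
]
SAMPLE_MAC_FILES = [
    "/Users/bob/Applications/Foo.app/Contents/MacOS/Foo",
    "/users/ALICE/applications/foo.app/Contents/Info.plist",
    "/Users/bob/Desktop/Foo.app/Contents/MacOS/Foo",
]

# %VAR% (Windows) or $VAR / ${VAR} (macOS, Linux) style environment variables.
ENV_VAR = re.compile(r"%[^%\\/]+%|\$\{?[A-Za-z_]")


def lint_exclusion(path: str, platform: str, include_subfolders: bool = False) -> List[str]:
    """Return the rules from the article that an exclusion violates (empty list = OK)."""
    problems = []
    if re.search(r"\s(AND|OR)\s", path):
        problems.append("one path per exclusion; AND/OR are not supported")
    if ENV_VAR.search(path):
        problems.append("environment variables are not supported; use a literal path or * for the user segment")
    if platform == "windows":
        if re.match(r"^[*?]:", path):
            problems.append("wildcard drive letter is not allowed; omit the drive to cover all drives")
        if include_subfolders and not path.endswith("\\"):
            problems.append("Include Subfolders requires a trailing backslash")
    else:  # macOS and Linux share the forward-slash rules
        if not path.startswith("/"):
            problems.append("path must be absolute (start with /)")
        if path != path.strip(" "):
            problems.append("path must not begin or end with a space")
        if include_subfolders and not path.endswith("/"):
            problems.append("Include Subfolders requires a trailing forward slash")
    return problems


def exclusion_to_regex(exclusion: str, platform: str, include_subfolders: bool = False):
    """Translate an exclusion path into a compiled regex under the assumed semantics."""
    sep = "\\" if platform == "windows" else "/"
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in exclusion
    )
    if platform == "windows" and not re.match(r"^[A-Za-z]:", exclusion):
        body = r"(?:.*\\)?" + body  # no drive letter: any directory on any drive
    if exclusion.endswith(sep):
        # Folder exclusion: whole subtree with Include Subfolders, else direct children only.
        body += ".*" if include_subfolders else "[^" + re.escape(sep) + "]+"
    flags = 0 if platform == "linux" else re.IGNORECASE  # Windows and macOS are case-insensitive
    return re.compile(body, flags)


def matching_files(exclusion: str, platform: str, files: List[str],
                   include_subfolders: bool = False) -> List[str]:
    """Dry run: return the inventory files that the exclusion would cover."""
    pattern = exclusion_to_regex(exclusion, platform, include_subfolders)
    return [f for f in files if pattern.fullmatch(f)]


if __name__ == "__main__":
    for excl, plat, subs in [(r"*:\Program Files\\", "windows", True),
                             (r"%appdata%\\", "windows", True),
                             ("Users/bob/Desktop/", "macos", True)]:
        print(f"{excl!r}: {lint_exclusion(excl, plat, subs) or 'OK'}")
    for excl, subs in [(r"C:\c*c.exe", False), ("calc.exe", False),
                       (r"*\Program Files\\", True), (r"C:\test?\\", True)]:
        print(f"{excl!r} covers {matching_files(excl, 'windows', SAMPLE_WINDOWS_FILES, subs)}")
```

Run it before saving an exclusion: the lint output catches the rule violations the console may not explain, and the dry run makes the breadth of a wildcard concrete (for instance, `C:\c*c.exe` also covers `charlie.doc.exe`), which is exactly the over-exclusion the "prefer specific files over paths" advice above is warning about.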
