Best Practices for Create Path-based Exclusions

03/26/2020 10 People found this article helpful 480,178 Views

This article provides a detailed overview on exclusion rules within Capture Client.

These rules apply to path (file and folder) exclusions for all versions:

You cannot put more than one exclusion path in one exclusion. AND, OR are not supported in exclusions.
If you can exclude a hash, it is safest. Be aware that it will exclude only the specific version of a process and not all processes of this name.
If you can exclude specific files rather than a path, that is safer. If an exploit inserts malware to an excluded path, we cannot protect the endpoints.
Environment variables are not supported. For example: Change: %appdata% To: C:\Users\Bob\AppData\Roaming\

Or use the * Wildcard to match all users: C:\Users\*\AppData\Roaming\
If you make an exclusion for an AppStacked application or snapvolume, use the folder SVROOT for the mount. For example: Change: C:\Program Files (x86)\Click\check.exe To: *\SVROOT\Program Files (x86)\Click\check.exe to exclude C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe
Interoperability and Performance Focus exclusions are applied when the endpoint or excluded process is restarted.
Exclusions for Windows and macOS are NOT case sensitive. Exclusions for Linux are case sensitive.

Exclusion rules for Windows:

The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives. For example:
- C:\calc.exe excludes CALC on the root of the C drive.
- calc.exe excludes CALC on all directories and drives.
DO NOT USE a wildcard as the drive directory ( *: or ?: ). For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.
If you select Include Subfolders, the path must end with a backslash (\).
You can use wildcards, but NOT as the drive directory.
- Examples with wildcard * to refer to any character or characters:
  
  C:\c*c.exe excludes files that start with “c” and end with “c.exe” on all directories and drives. This includes CALC.EXE, CAMC.EXE, CHARLIE.DOC.EXE
  
  Example to exclude the Archives folder: C:\*\Archives\
  
  Example to exclude Go2Meeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe
  
  DO NOT USE *: (wildcard as the drive directory) to exclude folders. For example, do NOT use *:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.
- Example with metacharacter ? to refer to one character:
  
  You CAN use: C:\test?\ to exclude C:\test1\ and C:\testf\.
  
  DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an exclusion path.

Exclusion rules for macOS: