Best Practices for Exclusions

06/19/2020 3 3089

DESCRIPTION:

When you make a path exclusion, we highly recommend that you add the exclusion to the smallest relevant scope of endpoints - a specific group. For example, do not add exclusions to the default policy of the default group. Create a group of endpoints that use the application to exclude.

RESOLUTION:

These rules apply to path (file and folder) exclusions for all versions:

You cannot put more than one exclusion path in one exclusion. AND, OR are not supported in exclusions.
If you can exclude a hash, it is safest. Be aware that it will exclude only the specific version of a process and not all processes of this name.
If you can exclude specific files rather than a path, that is safer. If an exploit inserts malware to an excluded path, we cannot protect the endpoints.
The exclusion modes show from the highest level of security to the least secure. Use the most secure exclusion mode that resolves your issue.
Environment variables are not supported. For example: Change: %appdata% To: C:\Users\Bob\AppData\Roaming\
Or use the * wildcard to match all users: C:\Users\*\AppData\Roaming\
Regular expressions are not supported.
For Interoperability and Performance Focus exclusions (formerly Do not Monitor or Do not Inject): For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion. Best Practice: We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.
If you make an exclusion for an AppStacked application or snapvolume, use the folder SVROOT for the mount. For example: Change: C:\Program Files (x86)\Click\check.exe To: *\SVROOT\Program Files (x86)\Click\check.exe to exclude C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe
Exclusions for Windows and macOS are NOT case sensitive. Exclusions for Linux are case sensitive.

Exclusion rules for Windows:

The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives. For example:

C:\calc.exe excludes CALC on the root of the C drive.
calc.exe excludes CALC on all directories and drives.

If you select Include Subfolders, the path must end with a backslash (\).
DO NOT USE a wildcard as the drive directory ( *: or ?: ).
For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.
You CAN use the wildcard * to refer to any character or characters, or the metacharacter ? to refer to one character that is NOT a drive letter.
- Examples with wildcard * to refer to any character or characters:
  C:\c*c.exe excludes files that start with “c” and end with “c.exe” on all directories and drives. This includes CALC.EXE, CAMC.EXE, CHARLIE.DOC.EXE
  Example to exclude the Archives folder in a nested directory: C:\*\Archives\
  Example to exclude Go2Meeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe
- Example with metacharacter ? to refer to one character:
  You CAN use: C:\test?\ to exclude C:\test1\ and C:\testf\.
  Example to exclude a temp directory in all drives: harddiskvolume?\temp\
  DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an exclusion path.

Exclusion rules for Linux and macOS:

The path must be absolute: start with a forward slash ( / - ASCII char 47).
The path must not have a space in the start or end.
If you select Include Subfolders, the path must end with a forward slash.
Linux - Wildcards are not supported in Linux Agent versions 2.6 and earlier. They are supported in 3.0 and later, in the same manner as with the Windows Agent.
macOS - The * wildcard is supported in path exclusions.
For example:
- /Users/*/Applications/<NAME>.app/ excludes all users and app subfolders
- /Users/?*/Desktop/<NAME>.app/ excludes all users and app subfolders and their subfolders
- /Users/<USER>/Desktop/<NAME>.app/* excludes all files in this path.

Capture Cloud Platform

Federal

Partner Portal

Support Portal

Capture Cloud Platform

Federal

Partner Portal

Support Portal

Best Practices for Exclusions

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Not Finding Your Answer?

Stay In Touch

Best Practices for Exclusions

Categories

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Not Finding Your Answer?

Stay In Touch