Types Of Path Exclusions with Capture Client 1.5.12 or Later
03/26/2020
This article explains the path exclusion modes supported by Capture Client 1.5.12 and later.
"The No Monitor exclusion has been replaced with more granular exclusion modes for path exclusions."
Use the least severe exclusion mode that resolves the interoperability or performance issue, trying the modes in the order shown below. Use the Performance Focus modes only if the Interoperability modes do not resolve the issue.
Interoperability and Performance Focus exclusions carry more risk than the default Suppress Alerts exclusion because operations that start from or use the excluded item are not fully visible to Capture Client. If an excluded item is part of a malicious execution chain, mitigation can be incomplete. Contact SonicWall Support before using Interoperability or Performance Focus exclusions.
The following describes the levels of interaction the console and agents support when creating path exclusions:
- Suppress Alerts (default path exclusion): Do not display alerts for, or mitigate detections on, the excluded processes.
  - More info: If the root of a threat group is suppressed, alerts for its child processes are also suppressed.
  - Usage example: Stop false positives from a specific file or process.
  - Caution: Make sure the detection the exclusion is based on is actually a false positive. Legitimate threats in the path will not be mitigated.
- Interoperability: Reduce the monitoring level on the excluded processes.
  - More info: This exclusion stops the Agent DLL from being injected into processes in the path, which reduces Agent interaction with them. The Agent continues to monitor these processes through kernel events.
  - Usage example: To solve interoperability issues caused by Agent code injection into other applications.
  - Caution: This lowers protection because it reduces the events the Agent monitors.
- Interoperability - extended: Reduce the monitoring level on the excluded processes and their child processes (same as Interoperability, but also covers child processes).
  - Usage example: To solve interoperability issues caused by Agent code injection into other applications when the Interoperability option did not resolve the issue.
- Performance Focus: Disable monitoring of the excluded processes.
  - More info: This exclusion stops the Threat Protection Engine DLL from being injected into processes in the path and stops monitoring most kernel events. The Agent does not use OS events generated by or for the excluded processes.
  - Usage example: To solve issues where a specific application generates many events (file, registry, process or memory operations) and the Agent's event analysis causes high CPU utilization on the endpoint.
  - Caution: This lowers protection significantly because the Agent does not monitor the excluded processes.
- Performance Focus - extended: Disable monitoring of the excluded processes and their child processes (same as Performance Focus, but also covers child processes).
  - Usage example: To solve issues where a specific application generates many events and the Agent's event analysis causes high CPU utilization, when the Performance Focus option did not resolve the issue.
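Because every mode above trades visibility for compatibility, it is worth linting an exclusion list before applying it in the console. The script below is an added example, not SonicWall code and not part of the original article: it flags exclusions that use the Interoperability or Performance Focus modes (the ones the article says to clear with Support first), that cover child processes, or whose path is so broad (a whole volume, a whole system tree, or a directory in a user-writable location) that an attacker could simply choose to run from inside the blind spot. The mode names are the ones listed above; the Exclusion and Finding records, the directory heuristics and the sample policy are assumptions made for illustration.

```python
"""Lint Capture Client path exclusions before they are applied.

Added example, not part of the SonicWall article and not SonicWall code.
The mode names match the article; the Exclusion/Finding records, the
path heuristics and the sample policy are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Modes from least to most severe, in the order the article says to try them.
MODE_ORDER = [
    "Suppress Alerts",
    "Interoperability",
    "Interoperability - extended",
    "Performance Focus",
    "Performance Focus - extended",
]

# Assumed: trees where unprivileged code can drop files. A directory-wide
# exclusion here is a blind spot an attacker can simply choose to run from.
USER_WRITABLE_ROOTS = [r"c:\users", r"c:\programdata", r"c:\windows\temp", r"c:\temp"]

# Assumed: trees so broad that excluding the whole tree removes most visibility.
SYSTEM_ROOTS = [r"c:\windows", r"c:\program files", r"c:\program files (x86)"]


@dataclass
class Exclusion:
    path: str
    mode: str


@dataclass
class Finding:
    path: str
    mode: str
    issues: List[str] = field(default_factory=list)


def _norm(path: str) -> str:
    """Lower-case, backslash separators, no trailing separator ("C:\\" -> "c:")."""
    return path.strip().replace("/", "\\").lower().rstrip("\\")


def _is_directory(norm_path: str) -> bool:
    """Heuristic: a last component without an extension is treated as a directory."""
    return "." not in norm_path.rsplit("\\", 1)[-1]


def _under(norm_path: str, root: str) -> bool:
    return norm_path == root or norm_path.startswith(root + "\\")


def lint_exclusions(exclusions: Iterable[Exclusion]) -> List[Finding]:
    """Return one Finding per exclusion; an empty issues list means nothing to flag."""
    findings = []
    for ex in exclusions:
        issues = []
        # Mode checks: how much visibility the exclusion gives up.
        if ex.mode not in MODE_ORDER:
            issues.append(f"unknown mode {ex.mode!r}")
        else:
            if ex.mode.startswith("Interoperability"):
                issues.append("reduced monitoring: Agent DLL is not injected into excluded processes")
            if ex.mode.startswith("Performance Focus"):
                issues.append("performance mode: excluded processes are unmonitored; "
                              "the article says to contact SonicWall Support first")
            if ex.mode.endswith("extended"):
                issues.append("child processes inherit the exclusion")
        # Path checks: how much of the file system the exclusion covers.
        p = _norm(ex.path)
        if re.fullmatch(r"[a-z]:", p):
            issues.append("excludes an entire volume")
        if p in SYSTEM_ROOTS:
            issues.append("excludes an entire system tree")
        if _is_directory(p) and any(_under(p, r) for r in USER_WRITABLE_ROOTS):
            issues.append("directory exclusion inside a user-writable tree")
        findings.append(Finding(ex.path, ex.mode, issues))
    return findings


# Constructed sample policy, not taken from any real tenant.
SAMPLE_POLICY = [
    Exclusion(r"C:\Program Files\Vendor\backup.exe", "Suppress Alerts"),
    Exclusion("C:\\Users\\", "Performance Focus - extended"),
    Exclusion("D:\\", "Interoperability"),
    Exclusion(r"C:\ProgramData\Vendor\cache", "Suppress Alerts"),
    Exclusion(r"C:\Windows", "Monitor"),
]

if __name__ == "__main__":
    for f in lint_exclusions(SAMPLE_POLICY):
        status = "OK " if not f.issues else "!! "
        print(f"{status}{f.path} [{f.mode}]")
        for issue in f.issues:
            print(f"      - {issue}")
```

Run it over an exported exclusion list before the change is made in the console; a clean entry is a specific executable under Suppress Alerts, and anything else should come with a recorded reason and, for the Performance Focus modes, a Support case reference. The writable and system roots are Windows-centric and would need adjusting for macOS endpoints.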