Exclusion Support

The inputs for File Exclusions, Behavioral Scan Exclusions, Traffic Scan Exclusions, Anti-Phishing Exclusions, and Device Control Exclusions are listed in the Configuration tab under the Anti-Malware Profile tab. Toggle the exclusion type to exclude it from the scan.

This section includes the following list of Types that can be selected to exclude from the scans:

 

File Exclusions

To exclude the File Exclusion types, enable the File Exclusions toggle and select the Type from the drop-down. To exclude the type from the On Demand or On Access scan you can select the option from the Modules drop-down.

In the following File Exclusions screenshot, `exe` Extension is excluded for On Demand and On Access scans:

Example screenshot of File Exclision.

For the Type cmdline, copy the Arguments and the Full Path from the Parent Process section of the Event Details under the Events tab. The copied Arguments and Full Path should be pasted in the Command Line to be Executed field. The following screenshot is an example of the Type cmdline:

The following table lists the information of each Type that can be excluded using the File Exclusions option:

Type Value Description Expandable Variable Support Wildcard Support Examples

file

the absolute path of the file

excludes from the scanning a specific file

Yes

Yes

C:\*\text.txt

folder

the absolute path of the folder

excludes from the scanning a particular folder and its content recursively

Yes

Yes

%programdata%\*\folder\

extension

the extension name

excludes from scanning all files that have a specific extension

No

No

exe

process (only for OnAccess Scan)

the absolute file path of an executable file

excludes from the scanning a process by its path

Yes

Yes

%windir%\*.exe

cmdline (only for OnAccess Scan)

the absolute path file path of an executable file followed by the arguments

excludes from scanning a process by its command line. Use this exclusion to avoid detections when the process is started with this command line

No

No

c:\test.exe param1 param2

sha256

the sha256 hash value of the file

excludes a file using its sha256 hash. The exclusion is evaluated after detection has occurred and, thus not be used for performance reason

No

No

e2ec4xxxxxx88caxxxxxxebe8cxxxxa86d3xxxxxx4f1b1

thumbprint

the hash of the certificate which the file is signed with

excludes a file using the thumbprint of the certificate. The exclusion is evaluated after detection has occurred. It thus should not be used for performance reason

No

No

a3eccb1xxxxxxxxx5f02cxxxxxxxecbc4f79

threatName

the threatName reported in a previous detection

excludes a file using the name of the threat reported in earlier detection. The exclusion is evaluated after detection and thus should not be used for performance reason

No

No

BAT.Trojan.Test.Z

Behavioral Scan Exclusions

To exclude the Behavioral Scan Exclusion types, enable the Behavioral Scan Exclusions toggle and select the Type from the drop-down. In the following Behavioral Scan Exclusion screenshot, `chrome.exe` Extension as the Process type is excluded:

Example screenshot of Behaviroal Scan Exclusion.

The following table lists the information of each Type that can be excluded using the Behavioral Scan Exclusions: 

Type Value Description Expandable Variable Support Wildcard Support Examples

folder

the absolute path of the folder

excludes from monitoring every process that has the image path located in the folder specified (or sub-folder recursively)

Yes

Yes

%programdata%\*\test

process

the absolute path of the executable folder

excludes from monitoring the process with this image path

Yes

Yes

%windir%\app*.exe

cmdline

the absolute file path of an executable file followed by the arguments

excludes from monitoring the process if started with this command line

No

No

C:\app.exe param1

sha256

the sha256 hash value of the file

excludes from monitoring the process with this hash of its image file

No

No

e2ec4xxxxxx88caxxxxxxebe8cxxxxa86d3xxxxxx4f1b1

threatName

the threatName reported in a previous code-buffers detection

ignores the remediation actions if a code-buffer detection has this threat name

No

No

EICAR.Test

Traffic Scan Exclusions

To exclude the Traffic Scan Exclusion types, enable the Traffic Scan Exclusions toggle and select the Type from the drop-down. In the following Traffic Scan Exclusion screenshot, `10.x.x.x` IP Address as the Process type is excluded:

Example screenshot of Traffic Scan Exclusions.

Type Description Wildcard Support Examples

IP Address

the list of the remote IP, IP/MASK addresses.

Yes

10.10.xx.xx

URL

the list of URLs

Yes

http://*qualys

Application

the list of host application name, excluding the path

Yes

*qualys*.exe

If you are using Qualys IP Scanner, ensure you add it in the allow list of the Traffic Scan Exclusions and add the IP address in the IP type. 

Anti-Phishing Exclusions

Type Description Wildcard Support

URL

the list of URLs

No

Device Control Exclusions

Toggle the Device Control Exclusions from the Exclusions option. Perform the following steps to create Device Control Exclusions:

  1. Click Add New Exclusion to exclude the device.
  2. In the Create Exclusion window, provide the details in the mandatory fields.
  3. Choose Rule Mode as Manual or Auto.
    • Manual Rule Mode: Enter the list of Device IDs.
    • Auto Rule Mode: Click the add icon to select Device Id or Product Id. and select the Device Id or Product Id. Click Search. Click Add to include the devices. All the added devices will be listed in the Exclusions.

    The following screenshot displays the Device Control Exclusion window:

    Device Control Support exclusion window

    If you select Product ID, all devices having the same Product Id will be excluded. 

  4. Choose to Allow or Block the specified devices.
  5. Click Create.

    The following screenshot displays the list of exclusions based on Device Id, Product Id, or Product Name:

    List of exclusions in the Exclusion step of Anti-Malware Profile Configuration.