Exclusion Support
The inputs for File Exclusions, Behavioral Scan Exclusions, Traffic Scan Exclusions, Anti-Phishing Exclusions, and Device Control Exclusions are listed in the Configuration tab under the Anti-Malware Profile tab. Enable the toggle for an exclusion type to apply that exclusion to the scan.
Objects in Exclusions
An exclusion can use any of the following object types:
- File: a specific file, identified by its file name.
- Extension: all objects with the specified extension. File extensions are case-sensitive, and files with the same name but different extensions are treated as distinct objects; for example, file.txt is different from file.TXT.
- Folder: all files and processes within the specified folder and its sub-folders.
- Process: objects accessed by the excluded process.
- File Hash: the file with the specified SHA-256 hash.
- Certificate Hash: all Windows applications and PowerShell scripts signed with the certificate whose thumbprint (SHA-1 or SHA-2) is specified.
- Threat Name: objects matching the specified detection (threat) name. Not available on Linux.
- Command Line: processes started with the specified command line. Available only on Windows.
- IP: IP addresses (dotted decimal, each octet 0-255) whose inbound and outbound traffic is excluded from scanning.
File Scan Exclusions
Enable the File Exclusions toggle and select the Type from the drop-down. Then select On Demand, On Access, or both from the Modules drop-down to choose which scan the exclusion applies to.
In the following File Exclusions screenshot, the `exe` Extension is excluded for both On Demand and On Access scans:
For the cmdline Type, copy the Arguments and the Full Path from the Parent Process section of the Event Details under the Events tab, and paste them into the Command Line to be Executed field. The following screenshot is an example of the cmdline Type:
The following table lists the information of each Type that can be excluded using the File Exclusions option:
Type | Value | Description | Expandable Variable Support | Wildcard Support | Examples
--- | --- | --- | --- | --- | ---
file | the absolute path of the file | excludes a specific file from scanning | Yes | Yes | C:\*\text.txt
folder | the absolute path of the folder | excludes a folder and its contents, recursively, from scanning | Yes | Yes | %programdata%\*\folder\
extension | the extension name | excludes all files with the given extension from scanning | No | No | exe
process (On Access scan only) | the absolute path of an executable file | excludes a process, identified by its path, from scanning | Yes | Yes | %windir%\*.exe
cmdline (On Access scan only) | the absolute path of an executable file followed by its arguments | excludes a process by its command line; use this to avoid detections when the process is started with exactly this command line | No | No | c:\test.exe param1 param2
sha256 | the SHA-256 hash of the file | excludes a file by its SHA-256 hash. The exclusion is evaluated after a detection has occurred, so it does not reduce scan cost and should not be used for performance reasons | No | No | e2ec4xxxxxx88caxxxxxxebe8cxxxxa86d3xxxxxx4f1b1
thumbprint | the thumbprint of the certificate the file is signed with | excludes a file by the thumbprint of its signing certificate. Evaluated after a detection has occurred, so it should not be used for performance reasons | No | No | a3eccb1xxxxxxxxx5f02cxxxxxxxecbc4f79
threatName | the threat name reported in a previous detection | excludes a file by the threat name reported in an earlier detection. Evaluated after a detection has occurred, so it should not be used for performance reasons | No | No | BAT.Trojan.Test.Z
Sample JSON
File Scan Exclusion .JSON
{
"fileexclusion": {
"ondemand": {
"file": [
"name.txt",
"C:\\*\\text.txt"
],
"folder": [
"/drivestore",
"%programdata%\\*\\folder\\"
],
"extension": [
" "
],
"sha256": [
"746xxxxxxf3axxxxxfbc5cbe5b9d48d0xxxxxx6175"
],
"thumbprint": [
"529xxxxx98527886E0Fxxxxxx69857D2ExxxxxE7"
],
"threatname": [
"trojan horse"
]
},
"onaccess": {
"file": [
"name.txt",
"C:\\*\\text.txt"
],
"folder": [
"/drivestore",
"%programdata%\\*\\folder\\"
],
"extension": [
"testing.exe"
],
"process": [
"abc.exe"
],
"cmdline": [
"explorer.exe"
],
"sha256": [
"bnf124"
],
"thumbprint": [
"c7d688cbxxxxx5ee4f48xxxxx880537835f"
],
"threatname": [
"trojan horse"
]
}
}
}
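The sample above contains entries the table does not allow (a file name in `extension`, a non-hex `sha256`), and nothing in the UI stops you from uploading a file that silently excludes far more than intended. The following is an added example, not product code, that checks a File Scan Exclusion document against the rules in the table before upload: types allowed per module, wildcard and expandable-variable support, hash and thumbprint formats, and the bare-extension rule. The "relative path" and "leading wildcard" warnings are my own review heuristics, and the sample document is constructed from the page's values plus a well-known hash (SHA-256 of empty input).

```python
"""Pre-upload checks for a File Scan Exclusion document.

Example code, not part of the product. The per-type rules are transcribed from the
File Exclusions table on this page; the 'broad wildcard' and 'relative path' warnings
are my own review heuristics.
"""
import json
import re

# type -> (modules that accept it, expandable-variable support, wildcard support)
FILE_RULES = {
    "file":       ({"ondemand", "onaccess"}, True,  True),
    "folder":     ({"ondemand", "onaccess"}, True,  True),
    "extension":  ({"ondemand", "onaccess"}, False, False),
    "process":    ({"onaccess"},             True,  True),
    "cmdline":    ({"onaccess"},             False, False),
    "sha256":     ({"ondemand", "onaccess"}, False, False),
    "thumbprint": ({"ondemand", "onaccess"}, False, False),
    "threatname": ({"ondemand", "onaccess"}, False, False),
}
HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
HEX_THUMBPRINT = re.compile(r"^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # SHA-1 or SHA-2
VARIABLE = re.compile(r"%[^%\\/]+%")
WILDCARD = re.compile(r"[*?]")
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:\\|/|%[^%\\/]+%)")
# Heuristic: a '*' as the first component after the drive, root or variable matches the
# name anywhere on the volume, which is usually broader than the author intended.
BROAD = re.compile(r"^(?:[A-Za-z]:\\|/|%[^%\\/]+%[\\/])\*")


def check_entry(module, etype, value):
    """Findings for one exclusion value as a list of (severity, message)."""
    if etype not in FILE_RULES:
        return [("error", f"unknown type '{etype}'")]
    modules, allow_var, allow_wild = FILE_RULES[etype]
    findings = []
    if module not in modules:
        findings.append(("error", f"'{etype}' is only valid for {sorted(modules)}"))
    if not isinstance(value, str) or not value.strip():
        return findings + [("error", "empty value")]
    if WILDCARD.search(value) and not allow_wild:
        findings.append(("error", "wildcards are not supported for this type"))
    if VARIABLE.search(value) and not allow_var:
        findings.append(("error", "expandable variables are not supported for this type"))
    if etype == "extension" and re.search(r"[.\\/]", value):
        findings.append(("error", "use the bare extension name (e.g. exe), not a file name"))
    if etype == "sha256" and not HEX_SHA256.match(value):
        findings.append(("error", "sha256 must be 64 hex characters"))
    if etype == "thumbprint" and not HEX_THUMBPRINT.match(value):
        findings.append(("error", "thumbprint must be 40 (SHA-1) or 64 (SHA-2) hex characters"))
    if etype in ("file", "folder", "process"):
        if not ABSOLUTE.match(value):
            findings.append(("warning", "the table calls for an absolute path"))
        if BROAD.match(value):
            findings.append(("warning", "leading wildcard: this name is excluded anywhere on the volume"))
    return findings


def validate_file_exclusions(doc):
    """Validate a parsed document; returns (severity, module, type, value, message) tuples."""
    body = doc.get("fileexclusion")
    if not isinstance(body, dict):
        return [("error", "-", "-", "-", "top-level key 'fileexclusion' missing")]
    out = []
    for module, types in body.items():
        if module not in ("ondemand", "onaccess"):
            out.append(("error", module, "-", "-", "module must be ondemand or onaccess"))
            continue
        for etype, values in types.items():
            if not isinstance(values, list):
                out.append(("error", module, etype, repr(values), "expected a JSON array"))
                continue
            for value in values:
                for severity, msg in check_entry(module, etype, value):
                    out.append((severity, module, etype, value, msg))
    return out


def errors(findings):
    return [f for f in findings if f[0] == "error"]


# Constructed sample: the questionable entries from the page's sample JSON plus a few
# well-formed ones (the sha256 is the well-known hash of empty input).
SAMPLE = json.loads(r'''{
  "fileexclusion": {
    "ondemand": {
      "folder": ["%programdata%\\*\\folder\\"],
      "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
      "process": ["C:\\tools\\backup.exe"]
    },
    "onaccess": {
      "extension": ["testing.exe", "exe"],
      "process": ["abc.exe", "%windir%\\*.exe"],
      "cmdline": ["c:\\test.exe param1 param2"],
      "sha256": ["bnf124"]
    }
  }
}''')

if __name__ == "__main__":
    for finding in validate_file_exclusions(SAMPLE):
        print("%-7s %-9s %-10s %-40s %s" % finding)
```

Run against the sample, the checker reports `process` under `ondemand` (On Access only), `testing.exe` as an extension, and `bnf124` as a sha256 as errors, and flags `abc.exe` (relative) and `%windir%\*.exe` (wildcard directly under the variable) as warnings worth a second look. Treat any error as a reason not to upload; treat warnings as a prompt to narrow the entry to the one file or directory that actually needs it.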
Behavioral Scan Exclusions
To exclude Behavioral Scan Exclusion types, enable the Behavioral Scan Exclusions toggle and select the Type from the drop-down. Alternatively, you can upload a .JSON file of up to 2 MB.
In the following Behavioral Scan Exclusion screenshot, the process `chrome.exe` is excluded (Type: Process):
The following table lists the information of each Type that can be excluded using the Behavioral Scan Exclusions:
Type | Value | Description | Expandable Variable Support | Wildcard Support | Examples
--- | --- | --- | --- | --- | ---
folder | the absolute path of the folder | excludes from monitoring every process whose image path is located in the specified folder or any of its sub-folders | Yes | Yes | %programdata%\*\test
process | the absolute path of the executable file | excludes from monitoring the process with this image path | Yes | Yes | %windir%\app*.exe
cmdline | the absolute path of an executable file followed by its arguments | excludes from monitoring a process started with exactly this command line | No | No | C:\app.exe param1
sha256 | the SHA-256 hash of the file | excludes from monitoring the process whose image file has this hash | No | No | e2ec4xxxxxx88caxxxxxxebe8cxxxxa86d3xxxxxx4f1b1
threatName | the threat name reported in a previous code-buffer detection | skips remediation actions when a code-buffer detection carries this threat name | No | No | EICAR.Test
Sample JSON
Behavioral Scan Exclusion .JSON
{
"behaviour": {
"folder": [
"/drivestore",
"/Phones/ABC/123",
"%programdata%\\*\\test"
],
"process": [
"abc.exe",
"%windir%\\app*.exe"
],
"cmdline": [
"explorer.exe"
],
"sha256": [
"746dxxxx3a0b0xxxxxxxxbc5cbe5b9d48dxxxxxxxeeedf8be6c8b34b5"
],
"threatname": [
"trojan9horse"
]
}
}
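It helps to be able to answer "would this process be excluded?" from the document itself before a behavioral detection is silenced in production. The following is an added example, not the product's matching algorithm, that evaluates a process event (image path, command line, image hash) against a Behavioral Scan Exclusion document using the table's four matching entry types. The semantics are my assumptions: `%VAR%` expands from a map you supply, `*` and `?` are fnmatch-style and may span directory separators, Windows paths compare case-insensitively while POSIX paths compare case-sensitively, and `cmdline` entries match exactly. The document, variable map and events are constructed for the example.

```python
"""Evaluate whether a process event would be covered by a Behavioral Scan Exclusion document.

Example code, not the product's algorithm. Assumptions: %VAR% expands from a map you supply,
'*' and '?' are fnmatch-style and may span directory separators, Windows paths compare
case-insensitively, POSIX paths case-sensitively, and cmdline entries match exactly.
"""
import fnmatch
import re


def expand(pattern, variables):
    """Replace %NAME% with the value from `variables` (names are case-insensitive)."""
    table = {k.lower(): v for k, v in variables.items()}
    return re.sub(r"%([^%\\/]+)%",
                  lambda m: table.get(m.group(1).lower(), m.group(0)), pattern)


def norm(path):
    """Canonical form for comparison: POSIX paths unchanged, Windows paths lower-cased
    with '\\' separators."""
    if path.startswith("/"):
        return path
    return path.replace("/", "\\").lower()


def glob_match(pattern, path):
    return fnmatch.fnmatchcase(norm(path), norm(pattern))


def is_excluded(event, doc, variables):
    """event: {'image': full path, 'cmdline': str, 'sha256': hex of the image file}.
    Returns (True, 'type:entry') for the first matching entry, else (False, '')."""
    b = doc.get("behaviour", {})
    image = event["image"]
    for entry in b.get("folder", []):                # image located in folder or sub-folder
        folder = norm(expand(entry, variables))
        sep = "/" if folder.startswith("/") else "\\"
        if glob_match(folder.rstrip(sep) + sep + "*", image):
            return True, f"folder:{entry}"
    for entry in b.get("process", []):               # image path glob
        if glob_match(expand(entry, variables), image):
            return True, f"process:{entry}"
    for entry in b.get("cmdline", []):               # exact command line
        if event.get("cmdline", "").lower() == entry.lower():
            return True, f"cmdline:{entry}"
    for entry in b.get("sha256", []):                # hash of the image file
        if event.get("sha256", "").lower() == entry.lower():
            return True, f"sha256:{entry}"
    return False, ""


# Constructed sample mirroring the page's sample JSON above, plus a variable map and
# events; none of these paths or hashes come from a real host (the hash is SHA-256 of "").
VARIABLES = {"windir": r"C:\Windows", "programdata": r"C:\ProgramData"}
DOC = {"behaviour": {
    "folder": ["/drivestore", r"%programdata%\*\test"],
    "process": [r"%windir%\app*.exe"],
    "cmdline": ["explorer.exe"],
    "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
}}
EVENTS = {
    "windir_app":   {"image": r"C:\WINDOWS\App1.exe", "cmdline": r"C:\WINDOWS\App1.exe /x"},
    "pd_test":      {"image": r"C:\ProgramData\Vendor\test\run.exe"},
    "pd_other":     {"image": r"C:\ProgramData\test.exe"},
    "posix_in":     {"image": "/drivestore/bin/tool"},
    "posix_case":   {"image": "/Drivestore/bin/tool"},
    "by_cmdline":   {"image": r"C:\Users\bob\explorer.exe", "cmdline": "explorer.exe"},
    "by_hash":      {"image": r"C:\Users\bob\x.exe",
                     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    "not_excluded": {"image": r"C:\Users\bob\evil.exe", "cmdline": "evil.exe --run"},
}


def evaluate_all():
    """Name -> excluded? for every constructed event."""
    return {name: is_excluded(ev, DOC, VARIABLES)[0] for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:13s} {is_excluded(ev, DOC, VARIABLES)}")
```

Two of the constructed events show why exclusions deserve scrutiny: `by_cmdline` is excluded even though the binary lives under a user profile, because the sample's `cmdline` entry is just `explorer.exe`, and `by_hash` matches regardless of path or name. If your policy is meant to cover only the real Explorer, pair the command line with its full path, as the table's example `C:\app.exe param1` does.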
Network Protection Exclusion
To exclude Network Protection Exclusion types, enable the Network Protection Exclusion toggle and select the Type from the drop-down. In the following Network Protection Exclusion screenshot, the `10.x.x.x` IP Address is excluded (Type: IP Address):
Type | Description | Wildcard Support | Examples
--- | --- | --- | ---
IP Address | the list of remote IP addresses, as single IPs or IP/MASK | Yes | 10.10.xx.xx
URL | the list of URLs | Yes | http://*qualys
Application | the list of host application names, without the path | Yes | *qualys*.exe
If you are using the Qualys IP Scanner, add its IP address as an IP Address entry in the Network Protection Exclusions so that its scan traffic is not blocked.
Sample JSON
Network Protection Exclusion .JSON
{
"networkProtection": {
"ip": [
"1.2.3.4"
],
"url": [
"https://example.intranet.abc.com/browse/test"
],
"app": [
"explorer.exe"
]
}
}
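The IP Address type accepts both single addresses and IP/MASK entries, and a placeholder such as `10.10.xx.xx` copied from a table will not parse as either. The following is an added example, not product code, that evaluates a connection (remote IP, URL, owning application) against a Network Protection Exclusion document, lists IP entries that would not parse, and adds scanner addresses the way the note above recommends for the Qualys IP Scanner. Assumptions of mine: IP entries are CIDR-style, URL and Application entries are case-insensitive `*` globs, and the application name is compared without its directory. All addresses, URLs and application names in the sample are constructed.

```python
"""Check a connection against a Network Protection Exclusion document and sanity-check
its entries before upload.

Example code, not the product's logic. Assumptions: IP entries are a single address or
IP/MASK in CIDR form, URL and Application entries are '*' globs matched
case-insensitively, and the application name is compared without its directory.
"""
import fnmatch
import ipaddress


def parse_ip_entry(entry):
    """'1.2.3.4' -> /32 network, '10.10.0.0/16' -> that network; None if unparsable."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def invalid_ip_entries(doc):
    """IP entries that would not parse (for example a placeholder such as 10.10.xx.xx)."""
    return [e for e in doc.get("networkProtection", {}).get("ip", []) if parse_ip_entry(e) is None]


def app_name(path):
    """Host application name without its path, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_traffic_excluded(conn, doc):
    """conn: {'remote_ip': str, 'url': str or '', 'app': full path of the process}.
    Returns (True, 'type:entry') on the first match, else (False, '')."""
    np_ = doc.get("networkProtection", {})
    try:
        remote = ipaddress.ip_address(conn.get("remote_ip", ""))
    except ValueError:
        remote = None
    for entry in np_.get("ip", []):
        net = parse_ip_entry(entry)
        if remote is not None and net is not None and remote in net:
            return True, f"ip:{entry}"
    url = conn.get("url", "").lower()
    for entry in np_.get("url", []):
        if url and fnmatch.fnmatchcase(url, entry.lower()):
            return True, f"url:{entry}"
    name = app_name(conn.get("app", "")).lower()
    for entry in np_.get("app", []):
        if name and fnmatch.fnmatchcase(name, entry.lower()):
            return True, f"app:{entry}"
    return False, ""


def add_scanner_ips(doc, scanner_ips):
    """Return a copy of doc with the scanner addresses added as IP entries
    (the approach the note above recommends for the Qualys IP Scanner).
    Raises ValueError for anything that is not an IP or IP/MASK."""
    bad = [ip for ip in scanner_ips if parse_ip_entry(ip) is None]
    if bad:
        raise ValueError(f"not an IP or IP/MASK: {bad}")
    out = {"networkProtection": {k: list(v) for k, v in doc.get("networkProtection", {}).items()}}
    ips = out["networkProtection"].setdefault("ip", [])
    ips.extend(ip for ip in scanner_ips if ip not in ips)
    return out


# Constructed sample: addresses, URL and application names are illustrative only.
DOC = {"networkProtection": {
    "ip": ["1.2.3.4", "10.10.0.0/16"],
    "url": ["https://example.intranet.abc.com/browse/*"],
    "app": ["*qualys*.exe"],
}}

if __name__ == "__main__":
    print(is_traffic_excluded({"remote_ip": "10.10.5.6", "app": r"C:\x.exe"}, DOC))
    print(invalid_ip_entries({"networkProtection": {"ip": ["10.10.xx.xx"]}}))
```

Note that an Application entry such as `*qualys*.exe` is matched on the file name alone, so any binary named to fit the glob, from any directory, gets its traffic exempted; prefer IP or URL entries when the goal is to whitelist one known peer such as a scanner.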
Web Access Control Exclusion
Enable the Web Access Control Exclusion toggle to allow or block websites. Perform the following steps to create a Web Access Control Exclusion:
- In the Web Address text field, enter the URL. To allow or block a site including all of its domains, use the wildcard character *. For example, add www.amazon.* to block Amazon and all of its locales.
- In the Actions drop-down menu, select Allow or Block.
- Click Add.
The following screenshot is an example of Web Access Control Exclusions showing one blocked and one allowed website:
Device Control Exclusions
Enable the Device Control Exclusions toggle from the Exclusions option. Perform the following steps to create a Device Control Exclusion:
- Click Add New Exclusion.
- In the Create Exclusion window, fill in the mandatory fields.
- Choose the Rule Mode, Manual or Auto:
  - Manual Rule Mode: enter the list of Device IDs.
  - Auto Rule Mode: select Device Id or Product Id, click Search, then click Add to include the devices. All added devices are listed in the Exclusions. If you select Product ID, every device with that Product ID is excluded.
The following screenshot displays the Device Control Exclusion window:
- Choose Allow or Block for the specified devices.
- Click Create.
The following screenshot displays the list of exclusions based on Device Id, Product Id, or Product Name:
Preconfigured Database Paths for Optimal Performance
The following commonly used database data paths are excluded by default, to prevent CPU spikes while these directories are scanned and to keep the database running without disruption. Because files written into these paths are not scanned, check the list against where your database servers actually keep their data and log files.
Database | Windows paths | Linux paths
--- | --- | ---
MongoDB | C:\Program Files\MongoDB\Server*\data*, C:\data\db* | /var/lib/mongodb/*, /data/db/*
Cassandra | C:\Program Files\DataStax Community*\data*, C:\Program Files\Cassandra*\data* | /var/lib/cassandra/*, /var/lib/cassandra/data/*, /usr/local/cassandra/*
MySQL | C:\Program Files\MySQL*\data*, C:\ProgramData\MySQL\MySQL Server *\data* | /var/lib/mysql/*, /var/lib/mysql-files/*, /var/lib/mysql-keyring/*
PostgreSQL | C:\Program Files\PostgreSQL*\data* | /var/lib/postgresql/*, /var/lib/pgsql/*
Microsoft SQL Server | C:\Program Files\Microsoft SQL Server*\MSSQL\DATA*, C:\Program Files\Microsoft SQL Server*\MSSQL\Log* | /var/opt/mssql/data/*, /var/opt/mssql/log/*
SQLite | (none) | /var/db/sqlite/*, /usr/local/var/db/sqlite/*, /path/to/your/sqlite/dbs/*.db
Oracle Database | C:\app*\oradata* | /u01/app/oracle/oradata/*, /opt/oracle/oradata/*
Redis | C:\Program Files\Redis*\data* | /var/lib/redis/*, /var/db/redis/*
MariaDB | C:\Program Files\MariaDB *\data* | /var/lib/mysql/*, /var/lib/mariadb/*, /usr/local/mysql/data/*
IBM Db2 | C:\Program Files\IBM\SQLLIB*\db2inst1\NODE0000* | /home/db2inst1/db2inst1/NODE0000/*, /opt/ibm/db2/V*/NODE0000/*