Exclusion Support
The inputs for File Exclusions, Behavioral Scan Exclusions, Traffic Scan Exclusions, Anti-Phishing Exclusions, and Device Control Exclusions are listed in the Configuration tab under the Anti-Malware Profile tab. Toggle the exclusion type to exclude it from the scan.
This section includes the following list of Types that can be selected to exclude from the scans:
File Scan Exclusions
To exclude the File Exclusion types, enable the File Exclusions toggle and select the Type from the drop-down. To exclude the type from the On Demand or On Access scan you can select the option from the Modules drop-down.
In the following File Exclusions screenshot, `exe` Extension is excluded for On Demand and On Access scans:
For the Type cmdline, copy the Arguments and the Full Path from the Parent Process section of the Event Details under the Events tab. The copied Arguments and Full Path should be pasted in the Command Line to be Executed field. The following screenshot is an example of the Type cmdline:
The following table lists the information of each Type that can be excluded using the File Exclusions option:
Type | Value | Description | Expandable Variable Support | Wildcard Support | Examples |
file |
the absolute path of the file |
excludes from the scanning a specific file |
Yes |
Yes |
C:\*\text.txt |
folder |
the absolute path of the folder |
excludes from the scanning a particular folder and its content recursively |
Yes |
Yes |
%programdata%\*\folder\ |
extension |
the extension name |
excludes from scanning all files that have a specific extension |
No |
No |
exe |
process (only for OnAccess Scan) |
the absolute file path of an executable file |
excludes from the scanning a process by its path |
Yes |
Yes |
%windir%\*.exe |
cmdline (only for OnAccess Scan) |
the absolute path file path of an executable file followed by the arguments |
excludes from scanning a process by its command line. Use this exclusion to avoid detections when the process is started with this command line |
No |
No |
c:\test.exe param1 param2 |
sha256 |
the sha256 hash value of the file |
excludes a file using its sha256 hash. The exclusion is evaluated after detection has occurred and, thus not be used for performance reason |
No |
No |
e2ec4xxxxxx88caxxxxxxebe8cxxxxa86d3xxxxxx4f1b1 |
thumbprint |
the hash of the certificate which the file is signed with |
excludes a file using the thumbprint of the certificate. The exclusion is evaluated after detection has occurred. It thus should not be used for performance reason |
No |
No |
a3eccb1xxxxxxxxx5f02cxxxxxxxecbc4f79 |
threatName |
the threatName reported in a previous detection |
excludes a file using the name of the threat reported in earlier detection. The exclusion is evaluated after detection and thus should not be used for performance reason |
No |
No |
BAT.Trojan.Test.Z |
Behavioral Scan Exclusions
To exclude the Behavioral Scan Exclusion types, enable the Behavioral Scan Exclusions toggle and select the Type from the drop-down. In the following Behavioral Scan Exclusion screenshot, `chrome.exe` Extension as the Process type is excluded:
The following table lists the information of each Type that can be excluded using the Behavioral Scan Exclusions:
Type | Value | Description | Expandable Variable Support | Wildcard Support | Examples |
folder |
the absolute path of the folder |
excludes from monitoring every process that has the image path located in the folder specified (or sub-folder recursively) |
Yes |
Yes |
%programdata%\*\test |
process |
the absolute path of the executable folder |
excludes from monitoring the process with this image path |
Yes |
Yes |
%windir%\app*.exe |
cmdline |
the absolute file path of an executable file followed by the arguments |
excludes from monitoring the process if started with this command line |
No |
No |
C:\app.exe param1 |
sha256 |
the sha256 hash value of the file |
excludes from monitoring the process with this hash of its image file |
No |
No |
e2ec4xxxxxx88caxxxxxxebe8cxxxxa86d3xxxxxx4f1b1 |
threatName |
the threatName reported in a previous code-buffers detection |
ignores the remediation actions if a code-buffer detection has this threat name |
No |
No |
EICAR.Test |
Network Protection Exclusion
To exclude the Network Protection Exclusion types, enable the Network Protection Exclusion toggle and select the Type from the drop-down. In the following Network Protection Exclusion screenshot, `10.x.x.x` IP Address as the Process type is excluded:
Type | Description | Wildcard Support | Examples |
IP Address |
the list of the remote IP, IP/MASK addresses. |
Yes |
10.10.xx.xx |
URL |
the list of URLs |
Yes |
http://*qualys |
Application |
the list of host application name, excluding the path |
Yes |
*qualys*.exe |
If you are using Qualys IP Scanner, ensure you add it in the allow list of the Traffic Scan Exclusions and add the IP address in the IP type.
Web Access Control Exclusion
Toggle the Web Access Control Exclusion to allow or block any websites. Perform the following steps to create Web Access Control Exclusion:
- In the Web Address text field, enter the URL. To allow or block websites including all its domain, you use the wildcard character *. For example, to block Amazon and all its locales, you can add the URL as www.amazon.*
- In the Actions drop-down menu, select Allow or Block.
-
Click Add.
The following screenshot is an example of Web Access Control Exclusion that displays a block and allow websites:
Device Control Exclusions
Toggle the Device Control Exclusions from the Exclusions option. Perform the following steps to create Device Control Exclusions:
- Click Add New Exclusion to exclude the device.
- In the Create Exclusion window, provide the details in the mandatory fields.
- Choose Rule Mode as Manual or Auto.
- Manual Rule Mode: Enter the list of Device IDs.
- Auto Rule Mode: Click the and select the Device Id or Product Id. Click Search. Click Add to include the devices. All the added devices will be listed in the Exclusions.
The following screenshot displays the Device Control Exclusion window:
If you select Product ID, all devices having the same Product Id will be excluded.
- Choose to Allow or Block the specified devices.
- Click Create.
The following screenshot displays the list of exclusions based on Device Id, Product Id, or Product Name: