Best Practices for Exclusions

See also Not Recommended Exclusions

Best Practice: Whenever possible:

  • use a Hash exclusion for false positives
  • use Path exclusions in Interoperability mode for interoperability issues

When you make a path exclusion, we highly recommend that you add it to the smallest relevant group of endpoints. The smallest group is an individual endpoint (device) using an EDR Policy; groupings then increase to a Site, then a Client, and up to the largest group, the endpoint type (Server or Workstation).

DO NOT add exclusions to the Default Group EDR Policy. If added, they cannot be amended or removed, and may be inherited by other EDR Policies inappropriately. Please contact support for assistance if this occurs.

  • You cannot put more than one path in an exclusion. 'AND' and 'OR' are not supported in exclusions.
  • If you can exclude the hash, do so, as it is the safest method. Be aware that a hash exclusion only covers that specific version of the process, not all processes with the same name.
  • If you can exclude specific files rather than a path, do so, as this is safer than a folder path. If an exploit inserts malware into an excluded path, we cannot protect the endpoints.
  • The exclusion modes are listed from the highest level of security to the least secure. Use the most secure exclusion mode that resolves your issue.
  • Environment variables are not supported. For example:
    • Change: %appdata%
    • To: C:\Users\Bob\AppData\Roaming\
    • Or use the * (asterisk) wildcard to match all users: C:\Users\*\AppData\Roaming\

  • Regular expressions are not supported
  • For Interoperability and Performance Focus exclusions (formerly Do not Monitor or Do not Inject): for processes that cannot be restarted, such as System processes or anti-virus processes, you must reboot the endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion.
  • We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.

  • If you make an exclusion for an AppStacked application or snapvolume, use the SVROOT folder of the mount. For example, to exclude C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe:
    • Change: C:\Program Files (x86)\Click\check.exe
    • To: *\SVROOT\Program Files (x86)\Click\check.exe

  • Exclusions for Windows and macOS are NOT case sensitive. Exclusions for Linux are case sensitive.

Exclusion rules for Windows:

  • The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives. For example:
    • C:\calc.exe excludes CALC on the root of the C drive
    • calc.exe excludes CALC on all directories and drives
  • If you select Include Subfolders, the path must end with a backslash (\).
  • DO NOT USE a wildcard as the drive letter ( *: or ?: ). For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.

    You CAN use the wildcard * to refer to any character or characters, or the metacharacter ? to refer to one character that is NOT a drive letter.

    • Examples with the wildcard * (any character or characters):
      • C:\c*c.exe excludes files that start with "c" and end with "c.exe" on all directories and drives. This includes CALC.EXE, CAMC.EXE, CHARLIE.DOC.EXE
      • To exclude the Archives folder in a nested directory: C:\*\Archives\
      • To exclude GoToMeeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe
    • Examples with the metacharacter ? (one character):
      • You CAN use C:\test?\ to exclude C:\test1\ and C:\testf\.
      • To exclude a temp directory on all drives: harddiskvolume?\temp\
      • DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an exclusion path.
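The following checker is an added illustration, not the product's own matching engine: it encodes the Windows rules above (optional drive letter, `*` spanning any characters, `?` matching one character, case-insensitive matching, no environment variables or wildcard drive letters, trailing backslash for Include Subfolders) so that a proposed exclusion can be linted and tried against sample paths before it is deployed. It assumes that `?` never matches a backslash and that a folder exclusion without Include Subfolders covers only the folder's direct children.

```python
import re

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def validate_exclusion(path, include_subfolders=False):
    """Return the rule violations found in a Windows path exclusion (empty list = acceptable)."""
    problems = []
    if "%" in path:
        problems.append("environment variables such as %appdata% are not supported")
    if re.match(r"^[*?]:", path):
        problems.append("'*:' or '?:' as the drive is not allowed; use *\\ to cover all drives")
    if re.search(r"\s(AND|OR)\s", path):
        problems.append("'AND' / 'OR' are not supported; create one exclusion per path")
    if include_subfolders and not path.endswith("\\"):
        problems.append("Include Subfolders requires the path to end with a backslash")
    return problems


def _to_regex(pattern, include_subfolders):
    # '*' spans any characters, backslashes included, so C:\*\Archives\ reaches nested
    # folders; '?' is exactly one character inside a path component (assumed semantics).
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append("[^\\\\]")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    # No drive letter: the pattern applies on any drive and in any directory.
    prefix = "" if DRIVE_LETTER.match(pattern) else "(?:.*\\\\)?"
    if pattern.endswith("\\"):
        # Folder exclusion: direct children only, or everything beneath it when
        # Include Subfolders is selected (assumed semantics, not documented on the page).
        suffix = ".*" if include_subfolders else "[^\\\\]*"
    else:
        suffix = ""
    return re.compile("^" + prefix + body + suffix + "$", re.IGNORECASE)


def exclusion_matches(pattern, candidate, include_subfolders=False):
    """True when `candidate` falls under the exclusion `pattern`; Windows paths are case-insensitive."""
    if validate_exclusion(pattern, include_subfolders):
        return False  # an exclusion that violates the rules covers nothing
    return bool(_to_regex(pattern, include_subfolders).match(candidate))
```

Run `validate_exclusion` on every exclusion before adding it to a policy, and `exclusion_matches` against a few real paths from the endpoint to confirm the exclusion is no broader than intended.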