Hash Exclusion

Exclude a file based on its SHA1 hash. You must have the SHA1 hash to create the exclusion.

Hash exclusions operate in Alert mode and will only suppress Alerts and Threat Mitigation.
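
One way to obtain and sanity-check the SHA1 value before creating the exclusion, as an added example that is not part of the product or its documentation. The function names are hypothetical, and comparing the file on disk against a hash reported elsewhere is an assumed workflow, not a step the product requires.

```python
import hashlib
import os
import re
import tempfile

# Hex digest lengths, used to name the algorithm when the wrong one is pasted.
DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def normalize_sha1(value: str) -> str:
    """Return a lowercase 40-char SHA1 hex string or raise ValueError."""
    candidate = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", candidate):
        raise ValueError("not a hexadecimal digest")
    if len(candidate) != 40:
        kind = DIGEST_LENGTHS.get(len(candidate), "unknown digest")
        raise ValueError(f"expected SHA1 (40 hex chars), got {kind} ({len(candidate)})")
    return candidate


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_reported_hash(path: str, reported: str) -> bool:
    """True when the file on disk is the file the reported SHA1 refers to."""
    return sha1_of_file(path) == normalize_sha1(reported)


if __name__ == "__main__":
    # Constructed sample file standing in for the binary to be excluded.
    with tempfile.NamedTemporaryFile(delete=False) as sample:
        sample.write(b"abc")
    try:
        local = sha1_of_file(sample.name)
        print("SHA1 to enter in the exclusion:", local)
        print("matches reported hash:", matches_reported_hash(sample.name, local.upper()))
    finally:
        os.unlink(sample.name)
```

A hash exclusion matches one exact file version, so an updated build of the same application produces a different SHA1.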

Best Practice: Whenever possible:

  • use Hash exclusions for things like false positives
  • use Path exclusions in Interoperability mode for interoperability issues

To add a hash exclusion manually:

  1. Open the EDR Policy where the Hash exclusion is to be added
  2. Navigate to the Exclusions tab
  3. Click New Exclusion
  4. In the Exclusion Type drop-down, select Hash
  5. Select the Operating System that the exclusion applies to from the OS drop-down menu
  6. In the Description field, enter a phrase to make it easy for you to identify this exclusion
  7. Click Save

To add an exclusion automatically after threat analysis:

  1. In the left Nav menu, select Analyze
  2. Click a threat to open the Incident details
  3. In the header of the Incident details that open, click Actions and select Add To Exclusions
  4. In the New Exclusions window that opens, Hash usually shows as the Exclusion Type. If it does not, you can select it
  5. If Hash does not show as an option, it is not available for this threat

    The OS, Hash, Scope, and Description are taken automatically from the threat

    Best Practice: Keep all exclusions on the narrowest scope possible

  6. Click Save