Path Exclusion

Best Practice: Whenever possible:

  • use Hash exclusion for things like False/Positives
  • use Path exclusions in Interoperability mode for interoperability issues

The exclusion is limited to the EDR Policy you are in when you create the exclusion.

To use all path exclusions correctly, make sure to see Best Practices for Exclusions

Important

Be careful! If you create incorrect exclusions, you can open your environment to malware.

If the root of a threat group is suppressed, events for the entire group, including its child processes (sub-processes), are also suppressed.

Consult with SolarWinds Support before you use No monitor or Interoperability or Performance exclusions.

Suppress Alerts Path Exclusions (Default)

Use default Path exclusions to suppress false positive alerts. When you exclude files or folders with default path exclusions, Agents monitor the files and processes but suppress alerts and do not mitigate detections. This also applies to detections in threat groups whose root process is in the excluded path or file.

  • When you create an exclusion directly from a detection and select File path, this is the type of exclusion created.
  • By default, Suppressed Alerts exclusions apply to alerts from all engines. You can set the Agent to suppress alerts from specified engines only:

    • DFI - Suppress alerts from the Deep File Inspection engine

    • Dynamic AI - Suppress alerts raised by DBT (Dynamic Behavioral Tracking), documents, scripts, lateral movement, anti-exploitation/fileless, and potentially unwanted applications engines

    • All engines (default) - Suppress all alerts

Caution: Make sure the detection that the exclusion is based on is a false positive. Legitimate threats in the path will not be mitigated.

Interoperability and Performance Focus Exclusions (formerly No Monitor)

Interoperability or Performance Focus path exclusions are sometimes necessary to resolve issues with specific files or processes. With these exclusions, Agents reduce monitoring and mitigation of the excluded items.

Interoperability or Performance Focus exclusions have more risk than Suppress Alert exclusions because all operations that start from or use the excluded item are not fully visible to SW EDR Agents. This can affect mitigation if an excluded item is part of a malicious execution.

For Interoperability and Performance Focus exclusions (formerly Do not Monitor or Do not Inject): For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion.

Best Practice: We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.

Exclusion Modes in Detail

To maximize security, try to resolve interoperability or performance issues with the least severe option. Try the exclusion modes in the order shown. Use the Performance Focus options only if the Interoperability options do not resolve the issues.

  • Suppressed Alerts (default Path exclusion): Do not display alerts or mitigate detections on the excluded processes.
    • More info: If the root of a threat group is suppressed, alerts for the child processes are also suppressed.
    • Usage example: Stop false positives from a specific file or process.
    • Caution: Make sure the detection that the exclusion is based on is a false positive. Legitimate threats in the path will not be mitigated.
  • Interoperability: Reduce the monitoring level on the excluded processes, in addition to suppressing alerts.
    • This exclusion stops the Agent from injecting the Agent DLL to processes in the path. This reduces Agent interaction with these processes. The Agent continues to monitor and use kernel events.
    • Usage example: To solve interoperability issues related to the Agent code injection into other applications.
    • Caution: This lowers protection as it reduces events that the Agent monitors.
  • Interoperability - extended: Reduce the monitoring level on the excluded processes and their child processes. (Same as the Interoperability option but includes child processes.)
    • Usage example: To solve interoperability issues related to the Agent code injection into other applications, when the Interoperability option did not resolve the issue.
  • Performance Focus: Disable monitoring of the excluded processes, in addition to suppressing alerts.
    • More info: It stops the Agent from injecting the Agent DLL into processes in the path and stops monitoring most kernel events. Agents do not use OS events that are generated by or for the excluded process.
    • Usage example: To solve issues where a specific application generates many events (such as file activity, registry, process, memory) and causes high CPU utilization on the endpoint due to Agent event analysis.
    • Caution: This lowers protection significantly as the Agent does not monitor the excluded processes.
  • Performance Focus - extended: Disable monitoring of the excluded processes and their child processes. (Same as the Performance Focus option but includes child processes.)
    • Note: On Linux endpoints, when Performance Focus - extended exclusions are used, the Agent does not monitor File Events on the specified path. This differs from the behavior of this exclusion type on the Windows Agent.
    • Usage example: To solve issues where a specific application generates many events that cause high CPU utilization due to Agent event analysis, when the Performance Focus option did not resolve the issue.
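The modes above differ in two independent ways: which events stay visible to the Agent, and whether the exclusion propagates to child processes. The following is an added illustrative model written for this page, not SolarWinds EDR Agent code: the Mode, Exclusion, ProcessEvent and Decision types and the evaluate() function are assumptions used to show the rules in the text (alert suppression on the threat-group root covering its children, DLL injection stopped by Interoperability, kernel monitoring stopped by Performance Focus, and the "extended" variants reaching child processes). It also applies the As File / As Folder / Include Subfolders matching rules described in the exclusion-creation steps later on this page, using case-insensitive Windows path comparison.

```python
"""Constructed model of how path-exclusion modes combine (not vendor code)."""
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath


class Mode(Enum):
    SUPPRESS_ALERTS = "Suppressed Alerts"            # default path exclusion
    INTEROP = "Interoperability"
    INTEROP_EXTENDED = "Interoperability - extended"
    PERF = "Performance Focus"
    PERF_EXTENDED = "Performance Focus - extended"


@dataclass(frozen=True)
class Exclusion:
    path: str                    # full path; "As File" unless as_folder=True
    mode: Mode
    as_folder: bool = False      # "As Folder"
    include_subfolders: bool = False


@dataclass(frozen=True)
class ProcessEvent:
    image_path: str              # executable that generated the event
    ancestors: tuple = ()        # parent chain, threat-group root first


@dataclass
class Decision:
    alerts_suppressed: bool = False       # no alert shown, no mitigation
    dll_injected: bool = True             # Agent DLL injected into the process
    kernel_events_monitored: bool = True  # Agent still consumes kernel events


def path_matches(excl: Exclusion, image_path: str) -> bool:
    """As File / As Folder / Include Subfolders rules (case-insensitive)."""
    p = PureWindowsPath(image_path)
    e = PureWindowsPath(excl.path)
    if not excl.as_folder:
        return p == e                      # As File: only the single file
    if p.parent == e:
        return True                        # As Folder: files directly in it
    return excl.include_subfolders and e in p.parents


def evaluate(exclusions, event: ProcessEvent) -> Decision:
    """Combine all matching exclusions into one visibility decision."""
    d = Decision()
    reduced = (Mode.INTEROP, Mode.INTEROP_EXTENDED, Mode.PERF, Mode.PERF_EXTENDED)
    for ex in exclusions:
        self_hit = path_matches(ex, event.image_path)
        root_hit = bool(event.ancestors) and path_matches(ex, event.ancestors[0])
        ancestor_hit = any(path_matches(ex, a) for a in event.ancestors)
        extended = ex.mode in (Mode.INTEROP_EXTENDED, Mode.PERF_EXTENDED)

        # Every mode suppresses alerts on the excluded process itself, and a
        # suppressed threat-group root also suppresses alerts for its children.
        if self_hit or root_hit:
            d.alerts_suppressed = True

        # Reduced monitoring covers the process itself; only the "extended"
        # variants also cover child processes.
        if ex.mode in reduced and (self_hit or (extended and ancestor_hit)):
            d.dll_injected = False                  # Interoperability effect
            if ex.mode in (Mode.PERF, Mode.PERF_EXTENDED):
                d.kernel_events_monitored = False   # Performance Focus effect
    return d


if __name__ == "__main__":
    # Constructed sample: a vendor folder excluded with subfolders, and a
    # child shell spawned by a service inside that folder.
    vendor = Exclusion(r"C:\Program Files\Vendor", Mode.INTEROP,
                       as_folder=True, include_subfolders=True)
    svc = ProcessEvent(r"C:\Program Files\Vendor\bin\svc.exe")
    child = ProcessEvent(r"C:\Windows\System32\cmd.exe", ancestors=(svc.image_path,))
    print("service:", evaluate([vendor], svc))
    print("child  :", evaluate([vendor], child))
```

Running the sample shows the practical difference: the service inside the excluded folder is not injected, but the shell it spawns is still injected under plain Interoperability and only loses injection if the exclusion is switched to Interoperability - extended; its alerts are suppressed in both cases because its threat-group root is excluded.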

Agent Support for Exclusions

Exclusion Mode                          Windows 4.x+
Suppressed Alerts                       Yes
Suppressed Alerts - DFI engine          Yes
Suppressed Alerts - Dynamic AI engine   Yes
Interoperability                        Yes
Interoperability - extended
Performance Focus                       Yes
Performance Focus - extended            Yes

To exclude a path from the Forensics details of a threat:

  1. In the RMM left Nav bar, select EDR > Analyze
  2. Click a threat to open the Incident details
  3. In the header of the Incident details that opens, click Actions and select Add To Exclusions
  4. In the New Exclusions window that opens, if Path is shown as an Exclusion Type, select it. If Path is not shown as an option, it is not available for this threat
  5. The OS, Path, Scope, and Description are taken automatically from the threat

    Best Practice: Keep all exclusions on the narrowest scope possible

  6. Click Save

You can now see any Suppress Alerts exclusion in EDR Policy > Exclusions > Path tab.

To create a file or folder exclusion:

Note: See all rules for creating path exclusions in Best Practices for Exclusions

  1. Open the EDR Policy where an exclusion is to be added
  2. Navigate to the Exclusions tab
  3. In Exclusion Types menu on the left, select Path
  4. Click New Exclusion to open the New Exclusion dialog
  5. In OS, select the operating system for the exclusion.
  6. In Path, enter the full path to the file or folder, following the Best Practices for Exclusions
  7. Click Change to select As File or As Folder next to the path:
    • As File - Only the single file is excluded (default)

    • As Folder - The whole folder at the path is excluded and you can also opt to Include Subfolders

  8. Select the Exclusion Mode
  9. (Optional) In Description, enter the reason for the exclusion
  10. Click Save
