Use wildcards in script control exclusions

With agent 1490 and later, you can use “*” as a wildcard in a script control exclusion. The wildcard can exclude a folder or a script.
Using script control exclusions with wildcards should reduce the number of alerts displayed in your console. Because you can exclude full or partial script names, you do not need to exclude an entire folder. With partial script names, you can exclude the portion of the name that is common to a group of scripts you want to exclude.
While using wildcards provides flexibility in allowing exclusions, it can also lower your security stance if the exclusion is too broad. For example, excluding the entire \Windows\Temp folder is not recommended. However, if a program or file you trust puts a script in the \Windows\Temp folder and CylancePROTECT Desktop blocks it, you can use a wildcard as part of the file name to exclude that script.
Things to know about wildcard support
Item
Description
Unix-style slashes
Wildcard exclusions must use Unix-style slashes for Windows systems.
Example: /windows/system*/*.
Regular expressions
Wildcard exclusions use regular expressions (regex).
Supported wildcard characters
The only supported wildcard token is *.
Folder exclusions
Wildcard exclusions give you the flexibility to exclusively allow the script or macro file, as long as there is a * at any given path, per the examples below. Note that this does not apply to Access databases.
Folder exclusions with a wildcard must have a wildcard at the end of the path to differentiate between a folder and a file.
  • Folder exclusion: /windows/system32/*
  • Folder exclusion: /windows/*/test/*
  • Folder exclusion: /windows/system32/test*/*
File exclusions
File exclusions with a wildcard must have a file extension to differentiate between a file and a folder.
  • File exclusion: /windows/system32/*.vbs
  • File exclusion: /windows/system32/script*.vbs
  • File exclusion: /windows/system32/*/script.vbs
  • One wildcard per level.
    • So /folder/*/script.vbs matches \folder\test\script.vbs or \folder\exclude\script.vbs but does not work for \folder\test\001\script.vbs. This would require either /folder/*/001/script.vbs or /folder/*/*/script.vbs.
    • The wildcard must be repeated at each level down to where the script resides.
    • Two or more wildcards per level are not allowed. For example, /*/folder/*file*.ext is not allowed.
Process exclusions
Process exclusions with a wildcard must have a file extension to differentiate between a file and a folder.
Add the name of the process regardless of the directory
  • Local drive: /my*.exe
  • Network drive: //my*.exe
    Wildcard exclusions must use Unix-style slashes for Windows systems, such as /my*.exe.
Add a process from a directory
  • Local drive: /directory/child/my*.exe
  • Network drive: //directory/child/my*.exe
    Wildcard exclusions must use Unix-style slashes for Windows systems, such as /directory/child/my*.exe.
Full and partial exclusions
Wildcards support full and partial exclusions.
  • Example - Full wildcard: /folder/*/script.vbs
  • Example - Partial wildcard: /folder/test*/script.vbs
Relative paths
If you can identify a common relative path, you can exclude Universal Naming Convention (UNC) paths with a wildcard.
  • Example: For devices with names of DC01 – DC24, you could use /dc*/path/to/script/
Network paths
Network paths can also be excluded:
  • //hostname/application/*
  • //host*/application/*
  • //*name/*/application/*
  • //hostname/*
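
The following is an added example, not CylancePROTECT code: a pre-deployment check that applies the table's stated rules (Unix-style slashes, one wildcard per level, trailing wildcard for folders, file extension for files) and shows which paths a file exclusion would cover. It assumes the drive letter is dropped and matching is case-insensitive; the function names and sample paths are constructed, and folder-depth and process-exclusion matching are not modelled because the page does not define them.

```python
import re

def classify(pattern):
    """Return (kind, problems); kind is 'folder', 'file', or None if a rule is broken."""
    problems = []
    if "\\" in pattern:
        problems.append("use Unix-style slashes, not backslashes")
    levels = [lvl for lvl in pattern.split("/") if lvl]
    for lvl in levels:
        if lvl.count("*") >= 2:
            problems.append(f"two or more wildcards in level {lvl!r}")
    last = levels[-1] if levels else ""
    if last.endswith("*"):
        kind = "folder"   # wildcard at the end of the path
    elif re.search(r"\.[^.*/]+$", last):
        kind = "file"     # has a file extension
    else:
        kind = None
        problems.append("needs a trailing wildcard (folder) or a file extension (file)")
    return (None if problems else kind), problems

def covers(pattern, windows_path):
    """True if a file exclusion covers the path, with * confined to one level."""
    kind, problems = classify(pattern)
    if kind != "file":
        raise ValueError(f"not a valid file exclusion: {problems or kind}")
    # Assumptions: the drive letter is dropped and matching ignores case.
    path = re.sub(r"^[A-Za-z]:", "", windows_path).replace("\\", "/")
    regex = "/".join(re.escape(lvl).replace(r"\*", "[^/]*")
                     for lvl in pattern.split("/"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

# Constructed sample paths (not from any real system).
SAMPLE = [
    r"C:\Windows\Temp\vendor_update_01.vbs",
    r"C:\Windows\Temp\vendor_update_02.vbs",
    r"C:\Windows\Temp\unknown.vbs",
    r"C:\Windows\Temp\cache\vendor_update_03.vbs",
]

def breadth(pattern, paths=SAMPLE):
    """List which paths a candidate exclusion would cover, to judge its breadth."""
    return [p for p in paths if covers(pattern, p)]

if __name__ == "__main__":
    for candidate in ("/windows/temp/*.vbs", "/windows/temp/vendor_update_*.vbs"):
        print(candidate, "->", breadth(candidate))
```

Running `breadth` against a file listing from a representative endpoint shows how many untrusted scripts a candidate pattern would also exclude before it is added to a policy.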