
# Wildcards in script control exclusions

You can use the asterisk (`*`) as a wildcard when specifying exclusions in the Script Control tab.
Using wildcards in script control exclusions reduces the number of alerts displayed in your console while allowing users to run certain scripts that match the exclusion path and filename. For example, you can exclude a specific script by using its full name, or you can use the wildcard to match a group of scripts that share a similar name.
Although the use of wildcards in exclusions provides flexibility, it can also lower your security stance if your exclusions are too broad. For example, avoid excluding entire folders such as `/windows/temp`. Instead, use a wildcard while specifying the full or partial filename of the script that you want to exclude (for example, `/windows/temp/myscript*.vbs`).
The following table describes the rules of script control exclusions:
| Item | Description |
| --- | --- |
| Supported wildcard characters | Only the asterisk (`*`) is supported as a wildcard for script control exclusions. The wildcard represents one or more characters. |
| Unix-style slashes | If you are using wildcards, exclusions must use Unix-style slashes (even for Windows systems). Example: `/windows/system*/*` |
| Folder exclusions | When you want to exclude a folder, the exclusion must have a wildcard at the end of the path to distinguish the exclusion as a folder (and not a file). For example: `/windows/system32/*`, `/windows/*/test/*`, `/windows/system32/test*/*` |
| File exclusions | When you want to exclude a file, the exclusion must end with a file extension to distinguish the exclusion as a file (and not a folder). For example: `/windows/system32/*.vbs`, `/windows/system32/script*.vbs`, `/windows/system32/*/script.vbs`. One wildcard per level. So `/folder/*/script.vbs` matches `\folder\test\script.vbs` or `\folder\exclude\script.vbs` but does not work for `\folder\test\001\script.vbs`. This would require either `/folder/*/001/script.vbs` or `/folder/*/*/script.vbs`. The wildcard would need to persist down per level to where the script resides. Two or more wildcards per level are not allowed. For example, `/*/folder/*file*.ext` is not allowed. For each folder level, you can use one wildcard only. For example, `/*/folder/*file*.ext` is not allowed. Each wildcard represents one folder level only. The number of folder levels represented in the exclusion must match the level of the file that you are trying to exclude. For example, if you are trying to exclude `\test\level1\level2\script.vbs`, use `/test/*/*/script.vbs` (not `/test/*/script.vbs`). |
| Process exclusions | Process exclusions with a wildcard must have a file extension to distinguish it as a process exclusion (and not a folder). To specify a process regardless of the directory that it's in, refer to the following examples: `/my*.exe` (local drive), `//my*.exe` (network drive). To specify a process that's in a specific directory, refer to the following examples: `/directory/child/my*.exe` (local drive), `//directory/child/my*.exe` (network drive) |
| Examples of full and partial matches in exclusions | Wildcards support full and partial exclusions: `/folder/*/script.vbs`, `/folder/test*/script.vbs` |
| Absolute paths | Absolute paths are not supported in script control exclusions. |
| Relative paths | If you can identify a common relative path, you can exclude Universal Naming Convention (UNC) paths with a wildcard. For example, if you use device names in a path such as "DC01" to "DC24": `/dc*/path/to/script/*` |
| Network paths | Network paths can be excluded. For example: `//hostname/application/*`, `//host*/application/*`, `//*name/*/application/*`, `//hostname/*` |
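
The rules in the table can be checked before an exclusion is added to a policy. The following is an added example, not part of the product or its documentation: `lint_exclusion` and `level_match` are hypothetical helper names, and `level_match` models only the one-wildcard-per-level rule as the table states it, not the agent's actual matching logic.

```python
import re

def lint_exclusion(pattern):
    """Return the rules from the table that a wildcard exclusion breaks ([] = clean)."""
    problems = []
    if "\\" in pattern:
        problems.append("error: use Unix-style slashes, even for Windows paths")
    levels = pattern.replace("\\", "/").strip("/").split("/")
    for level in levels:
        if level.count("*") > 1:
            problems.append(f"error: more than one wildcard in level '{level}'")
    last = levels[-1]
    is_folder = last.endswith("*")                       # wildcard at end of path
    is_file = re.search(r"\.[A-Za-z0-9]+$", last) is not None
    if "*" in pattern and not (is_folder or is_file):
        problems.append("error: end with a wildcard (folder) or a file extension")
    if is_folder:
        # The page advises a full or partial filename over a whole folder.
        problems.append("warning: folder-wide exclusion, prefer a filename pattern")
    return problems

def level_match(pattern, path):
    """Model of the one-wildcard-per-level rule only, not the agent's matcher.
    Assumption: comparison is case-insensitive (the page pairs /dc*/ with "DC01")."""
    p_levels = pattern.strip("/").lower().split("/")
    f_levels = path.replace("\\", "/").strip("/").lower().split("/")
    if len(p_levels) != len(f_levels):                   # depth must match exactly
        return False
    for p, f in zip(p_levels, f_levels):
        # '*' stands for one or more characters within a single level
        regex = ".+".join(re.escape(part) for part in p.split("*"))
        if not re.fullmatch(regex, f):
            return False
    return True

if __name__ == "__main__":
    # Constructed inputs, taken from or modelled on the page's own examples.
    for pat in ["/windows/temp/myscript*.vbs", "/windows/temp/*",
                "/*/folder/*file*.ext", r"\windows\temp\my*.vbs"]:
        print(pat, "->", lint_exclusion(pat) or "ok")
    for pat in ["/test/*/script.vbs", "/test/*/*/script.vbs"]:
        print(pat, level_match(pat, r"\test\level1\level2\script.vbs"))
```

Running the linter over an exported exclusion list surfaces folder-wide entries for review before they silence alerts.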