Exclusions and when to use them
The following table provides a description of each type of exclusion and general guidance about when and how to use them appropriately.
Description and example
Policy safe list (File Actions)
The policy safe list is specified in the
File Actionstab in a device policy.
When a device policy is assigned to a device, the device is allowed to run files that are specified in the policy safe list. The policy safe list is applied at the policy level for specific devices whereas the global safe list or quarantine list is applied at the global level for all devices. The policy safe list takes precedence over the global quarantine list. A file that is added to the policy safe list is allowed to run on any device that is assigned the policy, even if that file is in the global quarantine list, which blocks files from running on all devices.
Example: You frequently use privilege escalation tools like PSEXEC to perform your daily tasks. You do not want other users to have the same ability, and you want to prevent them from using such tools without impacting your own daily duties. To do this, you can add PSEXEC to the global quarantine list and add the same file hash to your policy safe list. Then you ensure that only you and other authorized users are assigned to that particular device policy where you added PSEXEC to the safe list. The result is that all users that are not assigned to the device policy will have PSEXEC quarantined, but users that are assigned to the device policy are able to use it.
Exclude executable or macro files (Memory Protection)
Exclusions for the memory protection policy are specified in the
Memory Actionstab in a device policy when
Memory Protectionis enabled. When you specify exclusions for memory protection, the agent ignores violations of specific types from each specific application. In other words, you avoid blocking or terminating an application when it performs an action that causes a violation of a certain type.
When memory protection is enabled, the agent monitors application processes for specific actions that they perform. If a process performs a particular action that the agent is monitoring for, such as an LSASS read, the agent reacts to that action according to the device policy. Sometimes false positives occur and memory protection blocks an action that an application tried to perform, or terminates the application completely. In this situation, you can specify exclusions for memory protection so that certain applications are exempt from specific violation types and can run as intended without being blocked or terminated.
Example: Your organization blocks all memory protection violations from all applications by default. You use Test.exe frequently and you understand that it has legitimate reasons for LSASS read violations only. You can add an exclusion so that the agent ignores only LSASS read violations from Test.exe. The agent still blocks Test.exe when a violation of any other type occurs.
Memory protection exclusions use relative paths (drive letters are not required) and can be specified down to the executable level. For example:
It is not recommended to specify an exclusion at the executable level without a relative path. For example, if an exclusion is set for
\Test.exe, a malicious file with the same name would be allowed to run from any folder on the device.
Exclude specific folders (Protection Settings)
Exclusions for background threat detection are specified in the
Protection Settingstab in a device policy when
Background Threat Detectionis enabled. This may be known as directory whitelisting or directory safelisting. When a directory is excluded, the agent ignores any files in that directory during a scan, including any sub-folders.
If you select
Allow Execution, the agent ignores any executables that are launched from the excluded directories.
Example: An application developer in your organization uses a directory (for example,
C:\DevFiles\Temp) to store temporary files that are generated during compilation. The agent scans these files, considers them to be unsafe due to various characteristics found in them, and subsequently quarantines them. The developer submits a request to whitelist the temporary directory. You can add the
C:\DevFiles\Tempdirectory so that the temporary files are ignored and the developer can perform their work.
Folder exclusions (Script Control)
Exclusions for the script control policy are specified in the
Script Controltab in a device policy when
Script Controlis enabled. You can add exclusions when you want to allow scripts to run in a specified directory. When adding script control exclusions, specify the relative paths. Subfolders are also included in the exclusion.
Example: An IT administrator is attempting to run a script located in
C:\Scripts\Subfolder\Test. The script is blocked by script control every time the IT administrator attempts to run it. To allow the script to run, you can add one of the following relative paths as an exclusion to the script control policy: