To create an exclusion, perform the following procedure.

Important: Be as specific as possible when creating an exclusion and adding attributes. If an exclusion is too broad, you can lose more visibility than necessary and malicious activity might not be detected or blocked.

Up to 10 processes can be specified per exclusion and up to 100 exclusions can be enforced per policy.

In general, an exclusion applies to existing, running processes and any new process that starts after the exclusion was created. However, there can be edge cases in which an exclusion cannot be applied to an existing, running process.

Procedure

  1. On the left navigation pane, click Enforce > Policies.
  2. Select the policy.
  3. Select the Sensor tab.
  4. Scroll down to the Event Reporting & Sensor Operation Exclusions management table.
    (Figure: Event Reporting and Sensor Operation Exclusions management table)
  5. To add an exclusion, click the Add Exclusion button.
  6. Select a process type:
    • Parent process
    • Process
  7. Specify certificate information, command line content, file path, and/or SHA256 hash.
    Note:
    • You can use multiple attributes to allow for more granular exclusions.
    • When specifying Path, we recommend that you specify the full file path of the process executable file because malicious actors can imitate the file name of a trusted process. However, wildcards can be used to more efficiently specify a process executable file that exists in numerous directories.
    • For guidance on using wildcards in the Certificate, CMD, or Path fields, see Exclusions Wildcard Guidelines and Examples.
    • For syntax guidelines and examples, see Exclusions Syntax Guidelines and Examples.
    Attributes:
    • Certificate: Specify the certificate authority and publisher attributes of the process. If the certificate authority or publisher changes, you must update the exclusion accordingly.
    • CMD: Specify the command line content that the process executes.
    • Path: Specify the file path of the executable file associated with the process. Limit the use of wildcards to keep the exclusion narrow.
    • SHA256: Specify the SHA256 hash of the executable file that is associated with the process.

  8. For an Event Reporting Exclusion, select the event types to exclude from reporting: All event types or Selected event types:
    • Crossprocs (cross-process events)
    • Filemods (file modification events)
    • Modloads (module load events)
    • Regmods (registry modification events)
    • Netconns (network connection events)
    Note: To maintain accurate reporting of process lineage, childprocs (child process events) cannot be excluded.
  9. Select Apply exclusion to descendant processes if you want the exclusion to be inherited by descendant processes.
    Note: If this setting is enabled, the exclusion is inherited by child processes, their child processes, and so on.
  10. (Optional) Add a Note to the exclusion.
  11. Click Next, review the exclusion, and then click Save.
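The following Python model is an added illustration of how the rules in this procedure combine when an exclusion is evaluated against process events; it is not the product's own matching code. It assumes that every attribute set on a process must match (so more attributes means a narrower exclusion), that Path and CMD wildcards use glob syntax, that the Certificate attribute is compared as a publisher name, and that a "Parent process" exclusion is tested against the event's parent rather than the process itself.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

EXCLUDABLE_EVENTS = {"crossprocs", "filemods", "modloads", "regmods", "netconns"}  # no childprocs
MAX_PROCESSES_PER_EXCLUSION = 10  # limit stated in the procedure


@dataclass(frozen=True)
class ProcessIdentity:
    path: str
    sha256: str
    cmdline: str = ""
    publisher: str = ""  # assumed to be the signing certificate's publisher name


@dataclass
class ProcessSpec:
    path: Optional[str] = None  # glob-style wildcards assumed for Path and CMD
    cmd: Optional[str] = None
    certificate: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, p: ProcessIdentity) -> bool:
        checks = [
            (self.path, lambda: fnmatchcase(p.path.lower(), self.path.lower())),
            (self.cmd, lambda: fnmatchcase(p.cmdline, self.cmd)),
            (self.certificate, lambda: p.publisher == self.certificate),
            (self.sha256, lambda: p.sha256.lower() == self.sha256.lower()),
        ]
        active = [fn for attr, fn in checks if attr is not None]
        return bool(active) and all(fn() for fn in active)  # every set attribute must match


@dataclass
class Exclusion:
    processes: list
    event_types: Optional[set] = None  # None means "All event types"
    process_type: str = "process"  # or "parent": the spec is tested against the parent
    apply_to_descendants: bool = False

    def __post_init__(self):
        if not 0 < len(self.processes) <= MAX_PROCESSES_PER_EXCLUSION:
            raise ValueError("an exclusion takes 1 to 10 processes")
        if self.event_types is not None and not set(self.event_types) <= EXCLUDABLE_EVENTS:
            raise ValueError("only crossprocs/filemods/modloads/regmods/netconns can be excluded")

    def suppresses(self, proc: ProcessIdentity, event_type: str, ancestors=()) -> bool:
        # Lineage (childprocs) is always reported; only selected event types are suppressed.
        if event_type == "childprocs" or (self.event_types is not None and event_type not in self.event_types):
            return False
        targets = [proc] if self.process_type == "process" else list(ancestors[:1])
        if self.apply_to_descendants:  # inherited by children, grandchildren, and so on
            targets += list(ancestors)
        return any(spec.matches(t) for spec in self.processes for t in targets)
```

Comparing a full-path-plus-publisher exclusion with a bare `*svchost.exe` wildcard against a look-alike binary in a user directory shows the visibility loss the Important note above warns about.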