Exclusions Management
  • 19 Mar 2024
  • 2 Minutes to read
  • Dark
    Light
  • PDF

Exclusions Management

  • Dark
    Light
  • PDF

Article Summary

About this Article
This article provides information related to Exclusion List - Global and at the Profile-level. This list can be used to define the directories or files that do not require Host Protection.


Exclusion List

Exclusion List is the list of directories and files that need to be excluded from host protection. This can be defined at the global or profile level. 

  1. Once a file/directory is added to the exclusion list, all the current incidents related to this file/directory are automatically acknowledged. They are no longer visible as Incidents
  2. Both global and profile exclusion lists are considered while creating a new profile
  3. Normal regex syntax can be utilized to define the Exclusion List
    1. Instead of adding explicit spaces, it is recommended to use "[ ]+" so that one or more spaces can be matched instead of the exact number of spaces
    2. It is recommended that the Windows nativeimages libraries be added to the exclusion list using the regex: C:\\windows\\assembly\\nativeimages.* to avoid allowlisting each nativeimages library after incident detection
    3. Validate the regular expression on https://regex101.com/ before its addition on the CMS
    4. Some sample RegEx examples are provided in the below table:
RegEx ExampleRepresented Files/Directories
Windows
.:\\*test.*\\*tmp\\*.*C:\test-1\tmp\tmp-lib.dll
C:\test-2\tmp\tmp-lib-2.dll
D:\test-test\tmp\tmp-lib-3.dll
C:\\ProgramData\\Amazon\\SSM\\*.*C:\ProgramData\Amazon\SSM\example.exe
C:\\dir1\\tmp\\tmp-lib.dllSpecific file: C:\dir1\tmp\tmp-lib.dll
C:\\dir1\\dir2\\*.exeAll the files with extension .exe in the directory: C:\dir1\dir2
C:\\dir1\\dir2\\*All the files in the directory: C:\dir1\dir2
Linux
/opt/test/tmp.*/.*/opt/test/tmp-1/example
/opt/test/tmp-abc/example-2
/var/packages/.*cache.*/.*/var/packages/pkg-cache/program-1
/var/packages/publisher-cache/program-2
/opt/test/tmp-1/example.shSpecific file: /opt/test/tmp-1/example.sh
/home/user/*.logAll the files with extension .log in the directory: /home/user
/home/user/log/*All the files in the directory: /home/user/log


NOTE

[Version 3.0.0 and Above]
Whenever an entry is added to the exclusion list:

  1. Incidents related to it is auto-acknowledged
  2. Associated executables are no longer listed in the allowlist
  3. Associated process may remain in allowlist if there are any libraries or scripts associated with that it that are not eligible for removal


Global Exclusion List

This list is applicable to all the Host Profiles. To view or modify the Global Exclusion List, follow the below steps:

  1. On the Host Monitoring page, click ALL PROFILES > Exclusions List > Add Allowlist Exclusion
  2. In the pop-up window, add the regular expression that matches the directory path and press Enter. One entry can be added at a time. 
  3. Once the new entry is added to the list. Click SAVE
  4. The added entries can be deleted if required
  5. Once an entry is added to the exclusion list, the allowlist is automatically optimized to remove the entries


Profile-level Exclusion List

This list is applicable to a particular Host Profiles. To view or modify this List, follow the below steps:

  1. On the Host Monitoring page, click Edit for the required profile. Modify as required and click SAVE 
  2. for Versions 2.9 and Above: By default, some directories are added to both the lists – Exclusions For AllowList and Exclusions For Memory Exploit Protection. Do not alter them as that can affect normal VSP functioning
  3. Once an entry is added to the exclusion list, the allowlist is automatically optimized to remove the entries



Was this article helpful?