Exclusions tell Secure Endpoint not to scan, flag, or convict activity originating from certain directories, file extensions, or threat names, to name a few. These can be used to resolve conflicts with other security products or mitigate performance issues by excluding directories containing large files that are frequently written to (such as databases).
Within the Secure Endpoint console there are two categories of exclusions: Cisco-Maintained and Custom. This KB's purpose is to provide assistance with Custom exclusions. Cisco-Maintained exclusions are created and maintained only by Cisco, should you wish to add any of their exclusions to your policies, please contact cybersecurity@cio.wisc.edu.
Additional exclusion resources:
See Cisco's Best Practices for AMP Exclusions and Configuring and Managing Exclusions in Secure Endpoint documents for more information regarding creating exclusions, exclusion formatting, and finding files to exclude.
Custom Exclusion Types Available:
Threat: Threat exclusion let you exclude a particular threat name from triggering events. You should only ever use a Threat exclusion if you are certain that the events are the result of a false-positive detection. In that case, use the exact threat name from the event as your Threat exclusion.
Example: W32.Zombies.NotAVirus
Path: Path exclusions are the most frequently used, as application conflicts usually involve excluding a directory you do not wish to be scanned. These exclusions can be especially helpful in reducing Secure Endpoint's CPU load when paired with Process - File Scan exclusions. You can create a path exclusion using an absolute path or the CSIDL. You cannot use wildcards or variables such as %windir% with CSIDLs, and CSIDLs are case sensitive.
Example: CSIDL_PROGRAM_FILES\MyAntivirusAppDirectory
File Extension: File extension exclusions allow you to exclude all files with a certain extension. For example, you might want to exclude all Microsoft Access database files by creating the following exclusion: .mdb
Wildcard: Wildcard exclusions are the same as path or extension exclusions except that you can use an asterisk(*) character as a wild card. Do NOT begin an exclusion with a wildcard, this will degrade performance greatly. Instead, use the "Apply to all drive letters" checkbox.
Example: C:\*\BigFix Enterprise\BES Client\BESClient.exe
Executable (Windows Only): Executable exclusions exclude certain executables from being protected by Exploit Prevention. It is recommended to use and executable exclusion only when you are experiencing problems or performance issues. This exclusion type is case sensitive, the name must match the executable exactly, wildcards are not supported.
IOC (Windows Only): IOC exclusions allow you to exclude Cloud Indications of Compromise. This can be useful if you have a custom or internal application that may not be signed and frequently alerts IOCs. Only exclude IOCs if you experience a large number of false-positive detection's for it. The console provides a list of indicators allowing you to select which to exclude via dropdown.
Process - File Scan (Windows Only): Process - File Scan exclusions stop Secure Endpoint from scanning a specific process and all the files it writes and modifies. This can be an incredibly useful tool for reducing Secure Endpoint's CPU load on machines in your environment, especially if you know of benign programs Secure Endpoint is scanning that don't need to be scanned. Programs that benefit the most from this exclusion are generally high Input/Output processes, like endpoint management software (BigFix). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
Process - Malicious Activity (Windows Only): Process - Malicious Activity exclusions stop Secure Endpoint from interfering with a program that triggers Secure Endpoint's "Malicious Activity" conviction mode. This is normally applicable to programs that perform encryption and/or might look like ransomware according to Secure Endpoint's heuristics. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
Process - System Process (Windows Only): Process - System Process exclusions stop Secure Endpoint from interfering with a specific program that triggers Secure Endpoint's "System Process Protection" conviction mode. This is normally applicable to programs that interact with critical Windows processes and may appear to be interfering or injecting malicious/unwanted code according to Secure Endpoint's heuristics. For example, Spirion (Identity Finder), can sometimes trigger System Process Protection alerts, despite being a benign process. Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
Process - Behavioral Protection (Windows Only): Process - Behavioral Protection exclusions stop Secure Endpoint from interfering with specific processes that trigger Secure Endpoint's "Behavioral Protection" conviction mode. This is normally applicable to programs that make registry entries or run commands that are commonly associated with "lay of the land" attacks (attacks using pre-existing tools like Powershell rather than actual malware). Input the exact file path to the program you wish to exclude for the exclusion to apply correctly.
Adding exclusions to an existing exclusion set:
Adding more than one exclusion at a time:
Creating a new exclusion set:
Applying an exclusion set to a policy:
Additional exclusion resources:
See Cisco's Best Practices for AMP Exclusions and Configuring and Managing Exclusions in Secure Endpoint documents for more information regarding creating exclusions, exclusion formatting, and finding files to exclude.
Allowed Applications (Greenlists) are used to stop Secure Endpoint from quarantining a specific file. Allow listing can be useful if Secure Endpoint incorrectly flags and quarantines a benign file. Please note: upon ANY change to the specific file added to an allow list, the SHA-256 of the file will change and subsequently need to be updated within the Allow List to continue excluding.
Allow listing files directly from the events tab:
It is possible to allow list an item from the Analysis module in Secure Endpoint. If a file that you know to be safe frequently appears as suspicious or malicious in the events tab, this is a good candidate for allow listing. To allow list using this method, do the following:
Allow listing files from outbreak control