Exclusions tell ThreatDown to skip specific files, folders, programs, websites, or registry keys during scans and real-time protection. Use them when:
- A trusted application is being flagged or blocked
- Two security programs are interfering with each other and slowing down a system
- A trusted website or IP address is being blocked
Note: Before adding an exclusion, confirm the item is a false positive. Contact Support first. If the block can be removed from ThreatDown's databases, that's preferable to a local exclusion.
To access exclusions, go to Configure > Exclusions in the left navigation menu. Use the search icon in the upper right to filter the list by keyword.
Scope: global, site, or policy-level
Exclusions can be applied at three levels:
- Global — applies to all endpoints across all sites
- Site — applies to all endpoints within a specific site
- Policy — applies only to endpoints assigned to selected policies
When creating or editing an exclusion, choose the scope under the Apply to setting.
On the Exclusions page, the Apply to column shows whether each exclusion is scoped to Global, Sites, or a Policy. The Apply to specific column shows the site name and number of policies, or All when applied globally. If an exclusion covers multiple policies, click the number to see which policies are included.
GPO PUM exclusions
There is an option in the upper right of the Exclusions screen to Exclude GPO PUMs for new and existing sites. This tells ThreatDown to ignore Group Policy registry keys that would otherwise be detected as Potentially Unwanted Modifications. See Group Policy registry keys detected as PUMs in OneView for details.
Creating exclusions from detections
You can also create exclusions directly from items that have already been flagged, without navigating to the Exclusions screen:
- Active Detections page in OneView
- Quarantined Detections page in OneView
- Detection Log page in OneView
Wildcards
Wildcards let you match multiple files or folders with a single exclusion entry. They work in file paths, folder paths, and registry keys.
| Wildcard | Matches | Example |
|---|---|---|
* |
Any number of characters within a single folder or filename (including zero characters) |
C:\Users\*\Desktop\test.exe matches C:\Users\Admin\Desktop\test.exe but not C:\test.exe
|
** |
Multiple nested folder levels (at least one level deep) |
C:\Dev\**\App.exe matches C:\Dev\Test\Programs\App.exe but not C:\Dev\App.exe. Not supported for Ransomware Behavior Protection.
|
? |
Any single character |
C:\temp\test?.exe matches C:\temp\test1.exe but not C:\temp\test123.exe
|
Drive letter wildcards: * and ? can substitute for a drive letter in File by Path exclusions (e.g., *:\Temp\test.exe, ?:\Windows\Foo\Bar.exe). This does not work for Folder by Path exclusions.
Exclusion types
Each exclusion type applies to specific protection layers. Add each exclusion as a separate entry.
Windows
| Exclusion Type | Protection Layers | Example |
|---|---|---|
| Command Line | Suspicious Activity |
|
| File by Path |
Malware Protection Ransomware Behavior Protection Suspicious Activity |
C:\Windows\Foo\Bar.exe C:\Users\*\Desktop\test\*.exe
|
| Folder by Path |
Malware Protection Ransomware Behavior Protection Suspicious Activity |
C:\Windows\temp\ C:\Users\*\Documents\ %PROGRAMFILES%\ — subfolders are included automatically |
| File Extension | Malware Protection |
|
| MD5 Hash |
Malware Protection Ransomware Behavior Protection Exploit Protection Suspicious Activity |
e4d909c290d0fb1ca068ffaddf22cbd0 |
| Registry Key | Malware Protection, Suspicious Activity | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foobar |
| Web Monitoring | Website Protection | Use to allow a specific application to make web requests. Example: C:\Windows\Zoom\Zoom.exe
|
| Website |
Website Protection Browser Phishing Protection Suspicious Activity |
Use to allow a domain in browsers and applications. Example: www.google.com
|
| IP Address |
Website Protection Browser Phishing Protection Ransomware Behavior Protection Suspicious Activity Brute Force Protection |
234.213.143.154 |
| Computer Name | Ransomware Behavior Protection |
|
Mac
| Exclusion Type | Protection Layers | Example |
|---|---|---|
| File by Path | Malware Protection, Suspicious Activity | /path/to/exclude |
| Folder by Path | Malware Protection, Suspicious Activity |
~/Library/Application Support ~/Library/* — a leading ~ is relative to the user's home directory |
| MD5 Hash | Suspicious Activity | e4d909c290d0fb1ca068ffaddf22cbd0... |
| Website | Website Protection, Suspicious Activity | www.threatdown.com |
| IP Address | Website Protection, Suspicious Activity | 234.213.143.154 |
Linux
| Exclusion Type | Protection Layers | Example |
|---|---|---|
| File by Path |
Malware Protection Suspicious Activity |
|
| Folder by Path |
Malware Protection Suspicious Activity |
/usr/share/mblinux/ |
| MD5 Hash | Suspicious Activity | e4d909c290d0fb1ca068ffaddf22cbd0 |
Important notes
Website and IP Address exclusions cover both Web Protection and Browser Phishing Protection
Ransomware Behavior Protection Use File or Folder by Path exclusions first. If the ransomware activity was detected on a different machine, exclude the computer name or IP address instead.
Supported environment variables (Windows)
| Variable | Resolves to |
|---|---|
%PROGRAMDATA% |
C:\ProgramData |
%PROGRAMFILES% |
C:\Program Files |
%PROGRAMFILES(X86)% |
C:\Program Files (x86) |
Registry keys
- Use the shorthand version of HKey entries (e.g.,
HKLM,HKU). - To exclude a group of registry values using wildcards, use the format
<PATH>\<KEY>|<VALUE>*.
What exclusions don't cover
- Network and shared drive paths are not supported (e.g.,
//CLIENT/F/Application.exe). - Avoid excluding entire drives or top-level folders such as
C:\*orC:\Program Files\*. - Drive letter wildcards only work with File by Path — not Folder by Path.
- Exclusions do not apply to endpoints that are isolated with Endpoint Detection and Response.
- Exclusions are not honored on iOS, Android, or ChromeOS devices.
- Exploit Protection can only be excluded by MD5 Hash. If a MD5 Hash doesn't exist for what needs to be allowed, contact Support to determine which portion of Exploit Protection needs to be modified.
- Use the full Windows path, not the short paths.