By excluding specific programs, web addresses, or file locations, you can improve OneView's performance in your environment. For example, multiple security programs can interfere with each other and cause systems to slow down. You may also require exclusions if a trusted application, data file, or website is flagged as a false positive. Excluded items are not scanned or blocked by scans and real-time protection. This article provides an overview of how exclusions work in OneView.
On the left navigation menu, go to Configure > Exclusions to access exclusions.
The Exclusions page shows a list of your existing exclusions, details of each, and a drop-down menu to edit or delete the exclusion. In the upper-right, click Search exclusions to display a search bar.
There is an additional option in the upper right of the screen that allows you to Exclude GPO PUMs for new and existing sites. For more information, see Group Policy registry keys detected as PUMs in OneView.
Additionally, exclusions can be created from items that are already detected or quarantined from the Detection Center. For more information, see the following links:
- Active Detections page in OneView
- Quarantined Detections page in OneView
- Detection Log page in OneView
Exclusions
You may choose to apply exclusions to all endpoints globally, a single site, or one or more policies. If applying to specific policies or sites, only the assigned endpoints use this exclusion. When creating or editing an exclusion, simply select the endpoints you want the exclusion to apply to.
The Apply to column indicates whether an exclusion is applied to Global (all endpoints), Sites, or a Policy. The Apply to specific column displays the site name and number of policies, or displays All when the exclusion applies to all endpoints or policies. If the exclusion applies to multiple policies, click the number to display the policies the exclusion is applied to.
Wildcards
A wildcard is a placeholder for a character or string of characters in a registry key, file path, or folder path. Wildcards cannot be used for websites.
Wildcard Type | Description | Example |
---|---|---|
Asterisk (*) | Matches any number of characters for folders and filenames. | For example, use this to apply exclusions to applications on every user's Desktop, exe files in the temp folder, or multiple variations of the same file name. |
Double Asterisk (**) | Matches multiple layers of folder exclusions. | For example, use this to exclude an application that exists across multiple directories and subdirectories. Note: Not supported with Ransomware Protection. |
Question mark (?) | Matches any single character per question mark wildcard. | For example, use this to exclude single-character variations of the same file name. |
Exclusion Types
You can add several types of exclusions to meet your needs. When you add an exclusion, it is applied to appropriate protection layers based on the Exclusion Type. Not all exclusion types can be applied to all layers.
TIP - Add each exclusion as a separate entry.
See the tables below for examples and the supported protection layers of each exclusion type.
Windows
Exclusion Type | Supported Protection Layers | Example(s) |
---|---|---|
Command Line | Suspicious Activity | |
File by Path | Malware Protection, Ransomware Protection, Suspicious Activity | |
Folder by Path | Malware Protection, Ransomware Protection, Suspicious Activity | |
File Extension | Malware Protection | |
MD5 Hash | Exploit Protection, Suspicious Activity | |
Registry Key | Malware Protection, Suspicious Activity | |
Web Monitoring | Website Protection | |
Website | Website Protection, Suspicious Activity | |
IP Address | Website Protection, Suspicious Activity, Brute Force Protection | |
Mac
Exclusion Type | Supported Protection Layers | Example(s) |
---|---|---|
File by Path | Malware Protection, Suspicious Activity | |
Folder by Path | Malware Protection, Suspicious Activity | Using a tilde (~) indicates a path relative to the user's home directory. |
MD5 Hash | Suspicious Activity | |
Linux
Exclusion Type | Supported Protection Layers | Example(s) |
---|---|---|
File by Path | Malware Protection, Suspicious Activity | |
Folder by Path | Malware Protection, Suspicious Activity | |
MD5 Hash | Suspicious Activity | |
Notes
- If a trusted application or website is being blocked, administrators should first investigate to determine if the application or website has been compromised or if it is a false positive. If it is a false positive, check with Support to see if the block can be removed from our databases instead of adding an exclusion.
- Exclusions are applied to appropriate protection layers based on the Exclusion Type. Not all exclusion types can be applied to all protection layers.
- Network drives are not supported. For example, //CLIENT/F/Application.exe.
- It is not recommended to exclude entire drives or folders, such as C:\* or C:\Program Files\*.
- The following environment variables are supported:
  - %PROGRAMDATA%: C:\ProgramData
  - %PROGRAMFILES%: C:\Program Files
  - %PROGRAMFILES(X86)%: C:\Program Files (x86)
- For registry keys, you must use the shorthand version of the HKey entries.
- To exclude a group of registry values using wildcards, use the format <PATH><KEY>|<VALUE>*.
- Exclusions do not apply to endpoints that are isolated with Endpoint Detection and Response.
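The rules in the Wildcards section and the notes above can be checked before an entry is added. The following is an added example, not OneView tooling: `lint_exclusion` and its finding strings are hypothetical, the "entire drive or folder" test is a heuristic (a wildcard-only component at or directly under the root), and "shorthand" is assumed to mean the HKLM/HKCU-style hive names.

```python
import re

# Environment variables the page lists as supported, with the values it gives.
ENV = {
    "%PROGRAMDATA%": r"C:\ProgramData",
    "%PROGRAMFILES%": r"C:\Program Files",
    "%PROGRAMFILES(X86)%": r"C:\Program Files (x86)",
}

def lint_exclusion(kind, value, layers=()):
    """Return findings for one proposed exclusion (hypothetical helper)."""
    findings = []
    if kind == "Website":
        if any(c in value for c in "*?"):
            findings.append("wildcards cannot be used for websites")
        return findings
    if kind == "MD5 Hash":
        if not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            findings.append("not a 32-hex-digit MD5 value")
        return findings
    if kind == "Registry Key":
        if value.upper().startswith("HKEY_"):  # assumption: long hive name
            findings.append("use the shorthand hive name (for example HKLM)")
        return findings
    # Everything else is treated as File by Path / Folder by Path.
    if value.startswith(("//", "\\\\")):
        return ["network drives are not supported"]
    path = value
    for var, expansion in ENV.items():
        # A callable replacement keeps the backslashes in the expansion literal.
        path = re.sub(re.escape(var), lambda m, e=expansion: e, path, flags=re.I)
    if re.search(r"%[^%\\]+%", path):
        findings.append("environment variable not in the supported list")
    if "**" in path and "Ransomware Protection" in layers:
        findings.append("** is not supported with Ransomware Protection")
    # Heuristic: a wildcard-only last component at depth 1 or 2 below the root.
    parts = [p for p in re.split(r"[\\/]", path)[1:] if p]
    if parts and len(parts) <= 2 and set(parts[-1]) <= {"*"}:
        findings.append("excludes an entire drive or top-level folder")
    return findings

if __name__ == "__main__":
    # Constructed sample entries, not taken from a real policy.
    for kind, value in [("Folder by Path", r"%PROGRAMFILES%\*"),
                        ("File by Path", r"C:\Users\*\Desktop\app.exe"),
                        ("File by Path", "//CLIENT/F/Application.exe")]:
        print(kind, value, lint_exclusion(kind, value))
```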