Breach Remediation allows the exclusion of files, folders, file extensions, registry keys, registry values, and vendors (a vendor is the name that is used to identify a threat). Excluded items are listed in one or more XML files.
The example in the Breach Remediation Windows Administrator Guide lists every Type entry inside one large Exclusion tag for the sake of brevity. That example can be confusing, because each entry must have its own Exclusion, Type, and Path tags, even when the entry Type repeats. The following examples can be copied and pasted directly into the XML file that is used for the exclusions.
Example from the Breach Remediation Windows Administrator Guide, including all open and close tags:
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Sample exclusion list with one entry of each Type shown in the guide: folder,
     wildcard, file, regkey, regval, vendor and ext. Every entry carries its own
     Exclusion, Type and Path elements, even when a Type repeats. -->
<!-- NOTE(review): the Path values below are illustrative samples. Replace them with
     your own items before deploying, and keep each entry as narrow as the case
     allows, since anything an entry matches is left out of the scan. -->
<ScanExclusions>
<Exclusions>
<Exclusion>
<Type>folder</Type>
<Path>c:\virus\a</Path>
</Exclusion>
<!-- wildcard: '*' stands in for part of the path. Presumably it matches any run of
     characters; confirm the exact matching rules in the administrator guide. -->
<Exclusion>
<Type>wildcard</Type>
<Path>c:\virus\*trojan*</Path>
</Exclusion>
<Exclusion>
<Type>file</Type>
<Path>c:\virus\test.exe</Path>
</Exclusion>
<Exclusion>
<Type>regkey</Type>
<Path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1394843d</Path>
</Exclusion>
<!-- regval: Path is the registry key, then '|', then the value name. -->
<Exclusion>
<Type>regval</Type>
<Path>HKCU\SOFTWARE\MICROSOFT\WINDOWS\*\RUN|DESKBAR</Path>
</Exclusion>
<!-- vendor: Path is the name that is used to identify the threat, not a location. -->
<Exclusion>
<Type>vendor</Type>
<Path>MBAM.Test.Trojan</Path>
</Exclusion>
<!-- ext: Path is a file extension, written here without a leading dot. The entry
     names no folder, so it presumably applies wherever that extension occurs;
     prefer a file or folder entry where one is enough. -->
<Exclusion>
<Type>ext</Type>
<Path>mp3</Path>
</Exclusion>
</Exclusions>
</ScanExclusions>
Excluding Group Policy Objects using the <Type>regval</Type> tag:
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Excludes individual registry values by location. Each Path is a registry key,
     then '|', then the value name. The '*' directly after HKU takes the place of
     the per-user key, so each entry presumably applies to every user hive under
     HKU; confirm the matching rules in the administrator guide. -->
<!-- NOTE(review): every value listed here restricts part of the Windows shell or a
     built-in tool (for example DisableTaskMgr, DisableRegistryTools, DisableCMD,
     NoRun). The same values can be written by software other than Group Policy,
     and an exclusion applies whoever wrote them, so keep only the entries that
     your own policies actually set. -->
<ScanExclusions>
<Exclusions>
<!-- Values under SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -->
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoViewContextMenu</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoToolbarCustomize</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoPropertiesMyComputer</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceActiveDesktopOn</Path>
</Exclusion>
<!-- Values under SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -->
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispBackgroundPage</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispAppearancePage</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage</Path>
</Exclusion>
<!-- The next three entries sit under SOFTWARE\POLICIES rather than under
     SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES. -->
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|ConnectionsTab</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFolderOptions</Path>
</Exclusion>
<Exclusion>
<Type>regval</Type>
<Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr</Path>
</Exclusion>
</Exclusions>
</ScanExclusions>
Excluding Group Policy Objects using the <Type>vendor</Type> tag:
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Excludes policy-related detections by name. With Type vendor, each Path is the
     name that is used to identify the item, not a file or registry location. -->
<!-- NOTE(review): a vendor entry names no registry key, so it presumably suppresses
     that detection wherever it is raised, including under keys and user hives that
     your policies do not manage. Where that is too broad, a regval entry (registry
     key, then '|', then the value name) limits the exclusion to one location.
     Keep only the names that correspond to settings your own policies apply. -->
<ScanExclusions>
<Exclusions>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoStartMenuMorePrograms</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoSetFolders</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoFind</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoSMHelp</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoRun</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoViewContextMenu</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoToolbarCustomize</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoPropertiesMyComputer</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoDrives</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.ForceActiveDesktopOn</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.DisableRegistryTools</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoDispCPL</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoDispBackgroundPage</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoDispAppearancePage</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoDispScrSavPage</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.ConnectionsTab</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.HomePage</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.DisableCMD</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.NoFolderOptions</Path>
</Exclusion>
<Exclusion>
<Type>vendor</Type>
<Path>PUM.Optional.DisableTaskMgr</Path>
</Exclusion>
</Exclusions>
</ScanExclusions>