Detection exclusions

Detection exclusions allow you to exclude objects from cleaning by filtering the detection name, object path or its hash.


How detection exclusions work

Detection exclusions do not exclude files and folders from scanning as Performance exclusions do. Detection exclusions exclude objects only when they are detected by the detection engine and an appropriate rule is present in the exclusion list.

For example (see the first row on the image below), an object is excluded when it is detected as Win32/Adware.Optmedia and the detected file is C:\Recovery\file.exe. On the second row, every file with the matching SHA-1 hash is always excluded, regardless of the detection name.

[Image: CONFIG_EXCLUDE_DETECTION]

To ensure that all threats are detected, we recommend creating detection exclusions only when it is absolutely necessary.

To add files and folders to the exclusions list, open Advanced setup (F5) > Detection engine > Exclusions > Detection exclusions > Edit.

To exclude an object (by its detection name or hash) from cleaning, click Add.

Detection exclusions object criteria

Path – Limit a detection exclusion for a specified path (or any).

Detection name – If there is a name of a detection next to an excluded file, it means that the file is only excluded for the given detection, not completely. If that file becomes infected later with other malware, it will be detected. This type of exclusion can only be used for certain types of infiltrations and it can be created either in the alert window reporting the infiltration (click Show advanced options and then select Exclude from detection), or by clicking Tools > Quarantine and then right-clicking the quarantined file and selecting Restore and exclude from scanning from the context menu.

Hash – Excludes a file based on a specified hash (SHA1), regardless of the file type, location, name or its extension.
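The following Python model of the matching rules described above is an added illustration; it is not ESET's code and does not reproduce the product's import/export format. The Rule and Detection classes, the exact case-insensitive path comparison, and the sample bytes and names are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One exclusion row (model fields, not the product's file format)."""
    path: Optional[str] = None            # None models "any" path
    detection_name: Optional[str] = None
    sha1: Optional[str] = None

@dataclass(frozen=True)
class Detection:
    """What the engine reports after it has scanned and flagged an object."""
    path: str
    name: str
    content: bytes

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def rule_matches(rule: Rule, det: Detection) -> bool:
    if rule.sha1 is not None:
        # Hash rule: matches on content only, whatever the name or location.
        return rule.sha1.lower() == sha1_hex(det.content)
    if rule.detection_name is None:
        return False  # a row needs a detection name or a hash
    name_ok = rule.detection_name == det.name
    # Assumption: exact, case-insensitive path comparison.
    path_ok = rule.path is None or rule.path.lower() == det.path.lower()
    return name_ok and path_ok

def is_cleaned(det: Detection, rules: list[Rule]) -> bool:
    """True when no exclusion row matches and the object is still cleaned."""
    return not any(rule_matches(r, det) for r in rules)

# Constructed sample data.
TOOL = b"constructed sample bytes"
RULES = [
    Rule(path=r"C:\Recovery\file.exe", detection_name="Win32/Adware.Optmedia"),
    Rule(sha1=sha1_hex(TOOL)),
]

if __name__ == "__main__":
    d = Detection(r"C:\Recovery\file.exe", "Win32/Adware.Optmedia", b"x")
    print("cleaned:", is_cleaned(d, RULES))
```

The hash row is the broadest of the two: it suppresses cleaning for any detection name on identical content, while a single changed byte produces a different SHA-1 and the row no longer applies.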

Control elements

Add – Add a new entry to exclude objects from cleaning.

Edit – Enables you to edit selected entries.

Delete – Removes selected entries (CTRL + click to select multiple entries).

Import/Export – Importing and exporting detection exclusions is useful if you need to back up your current exclusions for use at a later time. The export settings option is also convenient for users in unmanaged environments who want to use their preferred configuration on multiple systems; they can easily import a .txt file to transfer these settings.

Detection exclusions setup in ESMC

ESMC 7.1 includes a new wizard for detection exclusions management—create a detection exclusion and apply it to more computers/group(s).

Possible detection exclusions override from ESMC

When a local list of detection exclusions already exists, the admin has to apply a policy with Allow appending detection exclusions to locally defined list. After that, appending detection exclusions from ESMC will work as expected.
