ESET Online Help


Create exclusion

This topic covers both the rule exclusion and script exclusion creation process.


Note: If the Create exclusion button was used for selected rules, for example on the Detection rules page or in Detections, some rule-specific data is prefilled.

To create a new exclusion, click Exclusion > New exclusion.

In the Basics section, type basic information about the exclusion: an Exclusion name and, optionally, a Note with a more in-depth description.

Criteria

Click Continue to configure the exclusion settings. Exclude processes is divided into three parts:

Current process—Criteria created for the currently selected process.

Parent process—Criteria created for the parent process of the currently selected process.

Any ancestor process—Criteria created for any ancestor process.

You can use pre-defined criteria:

Process name is one of—Type the process names you want to apply to the exclusion.

Process path starts with—The path to the specified process (C:\Windows or %SYSTEM% can be used).

Cmd. line contains—Type the process parameters if you want to exclude by parameter.

Signer is one of—Type the signer names you want to apply to the exclusion.

Signature type is—Choose comparison operators: is, is not, greater than or equal, less or equal. Then the Signer type: Trusted, Valid, Self-signed, None, Invalid or Present. It is a mandatory field when a Signer is selected.

SHA-1 is one of—Type the SHA-1 hashes of the processes you want to exclude, if known.

User is one of—Type all user names you want to apply to the exclusion.

Optionally, use Advanced editor to modify the criteria by changing the Rule syntax.

Rules

Select the rules that you want to exclude. Click Add filter, select Rule name and type a string to search for.

Auto-resolving—When selected, all past detections that fulfill the exclusion criteria are marked as resolved. They no longer appear in the default view of the detections views.

Targets

Click Assign to select computers or groups where you want this exclusion to apply and click OK.

Summary

Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.
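One way to check the scope of a draft exclusion before clicking Create exclusion, as an added example that is not ESET's code or rule syntax: a simplified Python model of the pre-defined criteria listed under Criteria, run over constructed process records. It assumes that every criterion that is set must match, that comparisons are case-insensitive, and that Signature type uses only the "is" operator; all names, paths, signers and hashes are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exclusion:  # an empty field means the criterion is not set
    names: tuple = ()
    path_prefix: str = ""
    cmdline_contains: str = ""
    signers: tuple = ()
    sig_type: str = ""
    sha1s: tuple = ()
    users: tuple = ()

def _one_of(value, allowed):
    # "is one of" criteria: unset matches everything, otherwise compare case-insensitively
    return not allowed or value.lower() in {a.lower() for a in allowed}

def matches(ex, p):
    # Assumption: all criteria that are set must hold together (logical AND).
    return (_one_of(p["name"], ex.names)
            and p["path"].lower().startswith(ex.path_prefix.lower())
            and ex.cmdline_contains.lower() in p["cmdline"].lower()
            and _one_of(p["signer"], ex.signers)
            and (not ex.sig_type or p["sig_type"] == ex.sig_type)
            and _one_of(p["sha1"], ex.sha1s)
            and _one_of(p["user"], ex.users))

def preview(ex, procs):
    # Paths of the sample processes the draft exclusion would cover
    return [p["path"] for p in procs if matches(ex, p)]

# Constructed sample records: two different binaries that share a file name.
SAMPLE = [
    {"name": "agent.exe", "path": r"C:\Program Files\ExampleBackup\agent.exe",
     "cmdline": "agent.exe --nightly", "signer": "Example Backup Ltd",
     "sig_type": "Trusted", "sha1": "a" * 40, "user": "svc_backup"},
    {"name": "agent.exe", "path": r"C:\Users\Public\agent.exe",
     "cmdline": "agent.exe", "signer": "",
     "sig_type": "None", "sha1": "b" * 40, "user": "jdoe"},
]

NAME_ONLY = Exclusion(names=("agent.exe",))
SCOPED = Exclusion(names=("agent.exe",), path_prefix=r"C:\Program Files\ExampleBackup",
                   signers=("Example Backup Ltd",), sig_type="Trusted")

if __name__ == "__main__":
    for label, ex in (("name only", NAME_ONLY), ("scoped", SCOPED)):
        print(label, "->", preview(ex, SAMPLE))
```

The name-only draft covers both records, while the draft that also sets path, signer and signature type covers only the intended one.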

Create an exclusion for a specified script

In the Basics section, type basic information about the exclusion: an Exclusion name and, optionally, a Note with a more in-depth description.

Criteria

You can use pre-defined criteria:

Process name is one of—Type the process names you want to apply to the exclusion.

Cmd. line contains—Type the process parameters if you want to exclude by parameter.

User is one of—Type all user names you want to apply to the exclusion.

Optionally, use Advanced editor to modify the criteria by changing the Rule syntax.

Targets

Click Assign to select computers or groups where you want this exclusion to apply and click OK.

Summary

Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.

Create event storage filter

In the Basics section, type basic information about the exclusion: an Exclusion name and, optionally, a Note with a more in-depth description.

Criteria

You can use pre-defined criteria:

Process name is one of—Type the process names you want to apply to the exclusion.

Process path starts with—The path to the specified process (C:\Windows or %SYSTEM% can be used).

Cmd. line contains—Type the process parameters if you want to exclude by parameter.

Signer is one of—Type the signer names you want to apply to the exclusion.

Signature type is—Choose comparison operators: is, is not, greater than or equal, less or equal. Then the Signer type: Trusted, Valid, Self-signed, None, Invalid or Present. It is a mandatory field when a Signer is selected.

SHA-1 is one of—Type the SHA-1 hashes of the processes you want to exclude, if known.

User is one of—Type all user names you want to apply to the exclusion.

Optionally, use Advanced editor to modify the criteria by changing the Rule syntax.

Targets

Click Assign to select computers or groups where you want this exclusion to apply and click OK.

Summary

Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.

Event types

File system events

TCP events

Registry events

HTTP events

DNS events