Detection exclusions

This is another method of excluding objects from scanning, using the detection name, path or its hash. Unlike performance exclusions, detection exclusions do not exclude files and folders from scanning. Detection exclusions exclude objects only when they are detected by the detection engine and an appropriate rule is present in the exclusion list.

The easiest way to create a detection-based exclusion is to use an existing detection from Log files > Detections. Right-click a log record (detection) and click Create exclusion. This will open the exclusion wizard with pre-defined criteria.

To manually create a detection exclusion, click Edit > Add (or Edit when modifying an existing exclusion) and specify one or more of the following criteria (they can be combined):

Path

Excludes a specific path (file or directory). You can browse for a specific location/file, or enter the string manually. Do not use wildcards - asterisk (*) in the middle of a path. See the following Knowledgebase article for more information.


NOTE

To exclude folder contents, do not forget to add the asterisk (*) at the end of the path (C:\Tools\*). C:\Tools will not be excluded, because from the scanner's perspective, Tools can also be a file name.

Hash

Excludes a file based on a specified hash (SHA1), regardless of the file type, location, name or its extension.

Detection name

Enter a valid detection (threat) name. Creating an exclusion based on the detection name alone may pose a security risk. We recommend you combine the detection name with the Path. This exclusion criterion can be used only for certain types of detections.

Comment

Add an optional Comment to easily recognize the exclusion in the future.

ESET PROTECT includes detection exclusions management to create detection exclusions and apply them to more computers/group(s).

Use wildcards to cover a group of files. A question mark (?) represents a single variable character whereas an asterisk (*) represents a variable string of zero or more characters.


EXAMPLE

Path exclusions using an asterisk:

C:\Tools\* - path must end with the backslash (\) and asterisk (*) to indicate that it is a folder and all folder content (files and subfolders) will be excluded

C:\Tools\*.* - the same behavior as C:\Tools\*, which means it works recursively

C:\Tools\*.dat - will exclude dat files in the Tools folder

C:\Tools\sg.dat - will exclude this particular file located in the exact path


EXAMPLE

To exclude a threat, enter the valid detection name in the following format:

@NAME=Win32/Adware.Optmedia
@NAME=Win32/TrojanDownloader.Delf.QQI
@NAME=Win32/Bagle.D


EXAMPLE

To exclude all files in a folder, type the path to the folder and use the mask *.*

To exclude doc files only, use the mask *.doc

If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for certain (say “D”), use the following format:
D????.exe (question marks replace the missing / unknown characters)


EXAMPLE

Use system variables like %PROGRAMFILES% to define scan exclusions.

To exclude the Program Files folder using this system variable, use the path %PROGRAMFILES%\ (make sure to add the backslash at the end of path when adding to exclusions)

To exclude all files in a %HOMEDRIVE% subdirectory, use the path %HOMEDRIVE%\Excluded_Directory\*.*

The following variables can be used in the path exclusion format:

%ALLUSERSPROFILE%

%COMMONPROGRAMFILES%

%COMMONPROGRAMFILES(X86)%

%COMSPEC%

%HOMEDRIVE%

%HOMEPATH%

%PROGRAMFILES%

%PROGRAMFILES(X86)%

%SystemDrive%

%SystemRoot%

%WINDIR%

%PUBLIC%

User-specific system variables (like %TEMP% or %USERPROFILE%) or environment variables (like %PATH%) are not supported.
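The rules above can be checked mechanically before an exclusion list is deployed. The following linter is an added example, not ESET code: the rule dictionaries with keys path, hash and name are a hypothetical representation, "middle of a path" is interpreted as an asterisk in any component other than the last, and the folder check is a heuristic.

```python
import re

# Variables the page lists as usable in path exclusions (compared case-insensitively).
SUPPORTED_VARS = {
    "ALLUSERSPROFILE", "COMMONPROGRAMFILES", "COMMONPROGRAMFILES(X86)", "COMSPEC",
    "HOMEDRIVE", "HOMEPATH", "PROGRAMFILES", "PROGRAMFILES(X86)",
    "SYSTEMDRIVE", "SYSTEMROOT", "WINDIR", "PUBLIC",
}

def lint_rule(rule):
    """Return findings for one rule dict (hypothetical keys: path, hash, name)."""
    findings = []
    path, sha1, name = rule.get("path", ""), rule.get("hash", ""), rule.get("name", "")
    if name and not path:
        findings.append("detection name without a path: applies wherever it is detected")
    if sha1 and not re.fullmatch(r"[0-9a-fA-F]{40}", sha1):
        findings.append("hash is not a 40-hex-digit SHA1")
    for var in re.findall(r"%([^%\\]+)%", path):
        if var.upper() not in SUPPORTED_VARS:
            findings.append(f"unsupported variable %{var}%")
    parts = path.split("\\")
    if any("*" in p for p in parts[:-1]):
        findings.append("asterisk in the middle of the path")
    # Heuristic (assumption): a last component with no wildcard or dot is likely a folder.
    last = parts[-1]
    if last and not any(c in last for c in "*?."):
        findings.append("treated as a file name: add \\* to exclude folder contents")
    return findings

RULES = [  # constructed sample rules, not taken from a real policy
    {"name": "@NAME=Win32/Adware.Optmedia"},
    {"name": "@NAME=Win32/Adware.Optmedia", "path": "C:\\Tools\\*"},
    {"path": "C:\\Tools"},
    {"path": "C:\\*\\update.exe"},
    {"path": "%TEMP%\\*"},
    {"hash": "0123456789abcdef0123456789abcdef"},  # 32 hex digits, too short for SHA1
]

def audit(rules):
    """Map rule index -> findings, listing only rules that have findings."""
    return {i: f for i, r in enumerate(rules) if (f := lint_rule(r))}

if __name__ == "__main__":
    for i, found in audit(RULES).items():
        print(i, RULES[i], found)
```

Only the second sample rule (detection name combined with C:\Tools\*) passes without findings.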