Detection exclusions

Detection exclusions enable you to exclude objects from detection by filtering the detection name, object path, or its hash.

How detection exclusions work

Detection exclusions do not exclude files and folders from scanning as Performance exclusions do. Detection exclusions exclude objects only when they are detected by the detection engine and an appropriate rule is present in the exclusion list.

For example (see the first row on the image below), an object is excluded when it is detected as Win32/Adware.Optmedia and the detected file is C:\Recovery\file.exe. On the second row, every file that has the specified SHA-1 hash will always be excluded, regardless of the detection name.

[Image: CONFIG_EXCLUDE_DETECTION]

To ensure that all threats are detected, we recommend creating detection exclusions only when it is absolutely necessary.

To add files and folders to the exclusions list, open Advanced setup (F5) > Detection engine > Exclusions > Detection exclusions > Edit.

Note

Not to be confused with Performance exclusions, Excluded file extensions, HIPS exclusions or Processes exclusions.

To exclude an object (by its detection name or hash) from the detection engine, click Add.

For Potentially unwanted applications and Potentially unsafe applications, an exclusion by detection name can also be created:

In the alert window reporting the detection (click Show advanced options and then select Exclude from detection).

From the Log Files context menu using the Create detection exclusion wizard.

By clicking Tools > More tools > Quarantine and then right-clicking the quarantined file and selecting Restore and exclude from scanning from the context menu.

Detection exclusions object criteria

Path – Limits a detection exclusion to a specified path (or any path).

Detection name – If there is a name of a detection next to an excluded file, it means that the file is only excluded for the given detection, not completely. If that file becomes infected later with other malware, it will be detected.

Hash – Excludes a file based on a specified SHA-1 hash, regardless of the file type, location, name, or extension.
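
The matching behavior described above, modelled as an added Python example for reviewing an exclusion list (this is not ESET code or its configuration format). The Rule and Detection classes, the function names, the exact case-insensitive path comparison and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                            # hypothetical model of one exclusion row
    path: Optional[str] = None         # None = any path
    detection: Optional[str] = None    # None = no detection name next to the file
    sha1: Optional[str] = None         # set = hash rule

@dataclass(frozen=True)
class Detection:                       # what the engine reported for one object
    path: str
    name: str
    sha1: str

def rule_matches(rule: Rule, det: Detection) -> bool:
    # Hash rule: applies regardless of location, file name or detection name.
    if rule.sha1 is not None:
        return rule.sha1.lower() == det.sha1.lower()
    # Path criterion (assumption: exact, case-insensitive comparison).
    if rule.path is not None and rule.path.lower() != det.path.lower():
        return False
    # A detection name limits the rule to that one detection.
    return rule.detection is None or rule.detection == det.name

def is_excluded(rules, det: Detection) -> bool:
    return any(rule_matches(r, det) for r in rules)

def audit(rules):
    """Return (index, reason) for rules broader than path + detection name."""
    findings = []
    for i, r in enumerate(rules):
        if r.sha1 is not None:
            findings.append((i, "hash rule: excluded for every detection name"))
        elif r.detection is None:
            findings.append((i, "no detection name: file excluded completely"))
        elif r.path is None:
            findings.append((i, "any path: detection excluded everywhere"))
    return findings

# Constructed sample rules mirroring the two rows described in the text.
SAMPLE_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"  # constructed value
RULES = [
    Rule(path=r"C:\Recovery\file.exe", detection="Win32/Adware.Optmedia"),
    Rule(sha1=SAMPLE_SHA1),
]

if __name__ == "__main__":
    d = Detection(r"C:\Recovery\file.exe", "Win32/Adware.Optmedia", "0" * 40)
    print(is_excluded(RULES, d), audit(RULES))
```
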