Path exclude from scanning

Hi,
Is it possible to exclude paths from scanning in the Malware protection section?

Best,
Sandro

Hi @SandroR,

You can instruct Defend to skip scanning a directory by pre-emptively creating an Endpoint Exception (URL /app/security/exceptions/details/endpoint_list) that would match all files in that directory. Here's an example:

Make sure to use the MATCHES operator if specifying wildcards.

Regards,
Gabriel

1 Like

Hi Gabriel,

Thanks a lot for your quick response.

To get you right... the exception list is not bound to a policy or a dedicated host but to a rule (in this case the Endpoint Security rule)? This means we have to add every exception (path) of every host to one exception list?

The value "malicious_file" is a kind of well known constant since the propositions are only numbers when I type something in the value field?

For every path I added the system made up a new dedicated exception with the same name. Is this how it should work?

Thanks a lot for clarifying and have a nice day!
Sandro

Endpoint exceptions are distinct from rule exceptions in that they run on the Endpoint itself. Rule exceptions run exclusively in the Stack. You can read more about this here.

Exceptions are currently shared across endpoints, but you can add conditions to narrow down the machines on which they will run, such as host.name IS abcd or agent.id IS 1234.

When a malware alert comes in, event.code: malicious_file. The autocomplete suggests are based on values found within your Elasticsearch database. If no malware alerts have been generated, then autocomplete won't be aware of the value. Here's what autocomplete for "m" looks like in my local lab stack:

For every path I added the system made up a new dedicated exception with the same name. Is this how it should work?

You are free to name the exception however you want. I suggest giving each one a distinct name to make it easier to distinguish them.

The workflow I described here is for creating wildcard exclusions before any alerts come in. The typical exception creation workflow is in response to alerts. When a malware alert comes in, the "Add Endpoint exception" button will automatically populate an exception for you as a starting point. You are then free to customize the exception before adding it.


For every path I added the system made up a new dedicated exception with the same name. Is this how it should work?

You control the name of the exception. The "Add Endpoint Exception" button is grayed out until you enter one.