Files that are not malicious can be falsely identified as malware if they share
certain characteristics with malware. If a file is known to be benign and is
identified as malware, you can create an exception for that file. When an exception
is created, the file does not trigger an event when Server & Workload Protection scans the file.
For an overview of the Anti-Malware module, see Protect against
malware.
NoteYou can also exclude files from real-time, manual, and scheduled scans. See
Specify the files to scan.
|
Exceptions can be created for the following types of malware and malware scans:
- Predictive Machine Learning scans (for information, see Detect emerging threats using Predictive Machine Learning.)
- Scans for spyware and grayware (for information, see Scan for spyware and grayware)
- Behavior monitoring protection (for information, see Enhanced Anti-Malware and ransomware scanning with behavior monitoring)
You can also exclude files from Anti-Malware scanning if they are signed by a trusted
certificate. This feature is supported with version 20.0.0-3445+ agents on Windows.
For details, see Exclude
files signed by a trusted certificate.
Server & Workload Protection maintains a list of exceptions for each
type of malware scan in policy and computer properties.
- To see the lists of exceptions, open the policy or computer editor.
- Click .
The exceptions are listed in the Allowed Spyware/Grayware,
Document Exploit Protection Rule Exceptions, Predictive
Machine Learning Detection Exceptions, Behavior Monitoring
Protection Exceptions, and Trusted Certificates Detection
Exceptions sections.
See also Scan exclusion
recommendations.
Create an exception from an Anti-Malware event
When a file is identified as malware, Server & Workload Protection
generates an Anti-Malware event. If you know that the file is benign, you can create
an exception for the file from the event report.
- Click and locate the malware detection event.
- Right-click the event.
- Select Allow.
Manually create an Anti-Malware exception
You can manually create Anti-Malware exceptions for spyware or grayware, document
exploit protection rules, predictive machine learning, and behavior monitoring
exceptions. To add the exception, you need specific information from the
Anti-Malware event that the scan generated. The type of malware or scan determines
the information that you need:
- Spyware or grayware: The value in the "MALWARE" field, for example
SPY_CCFR_CPP_TEST.A
- Document exploit protection rules: The value in the "MALWARE"
field, for example
HEUR_OLEP.EXE
- Predictive machine learning: The SHA1 digest of the file from the
"FILE SHA-1" field, for example
3395856CE81F2B7382DEE72602F798B642F14140
- Behavior monitoring: The process image path, for example
C:\test.exe
- Click and copy the field value that is required to identify the malware.
- Open the policy or computer editor where you want to create the exception.
- Click .
- In the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, or Behavior Monitoring Protection Exceptions section, enter the information from the event in the text box.
- Click Add.
Exception List Wildcard Support
The Behavior Monitoring Protection Exceptions list supports the use of
wildcard characters when defining file path, file name, and file extension exception
types. Use the following table to properly format your exception lists to ensure
that Server & Workload Protection excludes the correct files and
folders from scanning.
Supported wildcard characters:
- Asterisk (*): Represents any character or string of characters
NoteThe Behavior Monitoring Protection Exceptions list does not support the use of
wildcard characters to replace system drive designations or within Universal
Naming Convention (UNC) addresses.
|
Exception Type
|
Wildcard Usage
|
Matched
|
Not Matched
|
||
Directories
|
C:\* Excludes all files and folders on the specified drive
|
|
|
||
Specific files under a specific folder level
|
C:\*\Sample.exe Excludes the
Sample.exefile only if the file is located in any subfolder of the C:\directory |
|
|
||
Universal Naming Convention (UNC) paths
|
\\<UNC path>\*\Sample.exe
Excludes the
Sample.exe file only if the file is located in any subfolder of the
specified UNC path
|
|
|
||
File names and extensions
|
C:\*.* Excludes all files with extensions in all folders and subfolders
of the
C:\directory |
|
|
||
File names
|
C:\*.exe Excludes all files with the
.exeextension in all folders and subfolders of the C:\directory |
|
|
||
File extensions
|
C:\Sample.* Excludes all files with the name
Sampleand any extension in the C:\directory |
|
|
||
Files in specific directory structures
|
C:\*\*\Sample.exe
Excludes all files located within the second subfolder level or
any subsequent subfolders of the
C:\directory with the file name and extension Sample.exe |
|
|
Exception strategies for spyware and grayware
When spyware is detected, the malware can be immediately cleaned, quarantined, or
deleted, depending on the malware scan configuration that controls the scan. After
you create the exception for a spyware or grayware event, you might have to restore
the file. (See Restore identified files.)
Alternatively, you can temporarily scan for spyware and grayware with the action set
to "Pass" so that all spyware and grayware detections are recorded on the
Anti-Malware Events page but not cleaned, quarantined, or deleted. You can then
create exceptions for the detected spyware and grayware. When your exception list
is
robust, you can set the action to "Clean", "Quarantine", or "Delete" modes.
For information about setting the action, see Configure how to handle malware.
Scan exclusion recommendations
The best and most comprehensive source for scan exclusions is from the software
vendor. The following are some high-level scan exclusion recommendations:
- Quarantine folders (such as SMEX on Microsoft Windows Exchange Server) should be excluded to avoid rescanning files that have already been confirmed to be malware.
- Large databases and database files (for example, dsm.mdf and dsm.ldf) should be excluded because scanning could impact database performance. If it is necessary to scan database files, you can create a scheduled task to scan the database during off-peak hours. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list:
For Windows:
${ProgramFiles}\Microsoft SQL Server\MSSQL\Data\
${Windir}\WINNT\Cluster\ # if using SQL Clustering
Q:\ # if using SQL Clustering
For Linux:
/var/lib/mysql/ # if path is set to this Data Location of MySQL in the
machine.
/mnt/volume-mysql/ # if path is set to this Data Location of MySQL in the
machine.
For a list of recommended scan exclusions, see the Trend
Micro recommended scan exclusion list. Microsoft also maintains an Anti-Virus Exclusion List that you can use as a reference for excluding
files from scanning on Windows servers.
Exclude files signed by a trusted certificate
If you have signed applications and want to exclude all activities of those processes
from real-time Anti-Malware scanning (including file scans, behavior monitoring, and
predictive machine learning), you can add the digital certificate to your trusted
certificate list in Server & Workload Protection.
NoteThis type of exclusion is supported with version 20.0.0-3549+ agents on
Windows.
|
- In the policy or computer editor, go to .
- In the Trusted Certificates Detection Exemptions section, set Exclude files with trusted certificate to "Yes" or "Inherited (Yes)".
- Select Manage Certificate List.
- The Trusted Certificates window displays any certificates you have imported. Select Import From File to add another one for scan exclusions.
- Choose the certificate file and then select Next.
- Review the certificate summary that's displayed and set Trust this certificate for to Scan Exclusions. Select Next.
- The Summary page indicates whether the import was successful. Select Close.
The imported certificate appears in the Trusted Certificates list with the
Purpose listed as Exception.
TipServer & Workload Protection checks the exemption
list when a process starts. If a process is running before the exemption is
configured, the process won't be added to the exemption list until it is
restarted.
|