Create Anti-Malware exceptions | Trend Micro Service Central

Files that are not malicious can be falsely identified as malware if they share certain characteristics with malware. If a file is known to be benign and is identified as malware, you can create an exception for that file. When an exception is created, the file does not trigger an event when Server & Workload Protection scans the file.

For an overview of the Anti-Malware module, see Protect against malware.

Note

You can also exclude files from real-time, manual, and scheduled scans. See Specify the files to scan.

Exceptions can be created for the following types of malware and malware scans:

Predictive Machine Learning scans (for information, see Detect emerging threats using Predictive Machine Learning.)
Scans for spyware and grayware (for information, see Scan for spyware and grayware)
Behavior monitoring protection (for information, see Enhanced Anti-Malware and ransomware scanning with behavior monitoring)

You can also exclude files from Anti-Malware scanning if they are signed by a trusted certificate. This feature is supported with version 20.0.0-3445+ agents on Windows. For details, see Exclude files signed by a trusted certificate.

Server & Workload Protection maintains a list of exceptions for each type of malware scan in policy and computer properties.

To see the lists of exceptions, open the policy or computer editor.
Click Anti-Malware → Advanced.

The exceptions are listed in the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, Behavior Monitoring Protection Exceptions, and Trusted Certificates Detection Exceptions sections.

Create an exception from an Anti-Malware event

When a file is identified as malware, Server & Workload Protection generates an Anti-Malware event. If you know that the file is benign, you can create an exception for the file from the event report.

Click Events & Reports → Events → Anti-Malware Events and locate the malware detection event.
Right-click the event.
Select Allow.

Manually create an Anti-Malware exception

You can manually create Anti-Malware exceptions for spyware or grayware, document exploit protection rules, predictive machine learning, and behavior monitoring exceptions. To add the exception, you need specific information from the Anti-Malware event that the scan generated. The type of malware or scan determines the information that you need:

Spyware or grayware: The value in the "MALWARE" field, for example SPY_CCFR_CPP_TEST.A
Document exploit protection rules: The value in the "MALWARE" field, for example HEUR_OLEP.EXE
Predictive machine learning: The SHA1 digest of the file from the "FILE SHA-1" field, for example 3395856CE81F2B7382DEE72602F798B642F14140
Behavior monitoring: The process image path, for example C:\test.exe

Click Events & Reports → Events → Anti-Malware Events and copy the field value that is required to identify the malware.
Open the policy or computer editor where you want to create the exception.
Click Anti-Malware → Advanced.
In the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, or Behavior Monitoring Protection Exceptions section, enter the information from the event in the text box.
Click Add.

Exception List Wildcard Support

The Behavior Monitoring Protection Exceptions list supports the use of wildcard characters when defining file path, file name, and file extension exception types. Use the following table to properly format your exception lists to ensure that Server & Workload Protection excludes the correct files and folders from scanning.

Supported wildcard characters:

Asterisk (*): Represents any character or string of characters

Note

The Behavior Monitoring Protection Exceptions list does not support the use of wildcard characters to replace system drive designations or within Universal Naming Convention (UNC) addresses.

Exception Type

Wildcard Usage

Matched

Not Matched

Directories

C:\*

Excludes all files and folders on the specified drive

```
C:\sample.exe
```
```
C:\folder\test.doc
```

```
D:\sample.exe
```
```
E:\folder\test.doc
```

Specific files under a specific folder level

C:\*\Sample.exe

Excludes the

Sample.exe

file only if the file is located in any subfolder of the

C:\

directory

```
C:\files\Sample.exe
```
```
C:\temp\files\Sample.exe
```

```
C:\sample.exe
```

Universal Naming Convention (UNC) paths

\\<UNC path>\*\Sample.exe

Excludes the

Sample.exe

file only if the file is located in any subfolder of the specified UNC path

```
\\<UNC path>\files\Sample.exe
```
```
\\<UNC path>\temp\files\Sample.exe
```

```
R:\files\Sample.exe
```
Reason: Mapped drives are not supported.
```
\\<UNC path>\Sample.exe
```
Reason: The file does not exist within a subfolder of the UNC path.

File names and extensions

C:\*.*

Excludes all files with extensions in all folders and subfolders of the

C:\

directory

```
C:\Sample.exe
```
```
C:\temp\Sample.exe
```
```
C:\test.doc
```

```
D:\sample.exe
```

C:\Sample

Note

Because

C:\Sample

does not have a file extension, it is not a match for the exception.

File names

C:\*.exe

Excludes all files with the

.exe

extension in all folders and subfolders of the

C:\

directory

```
C:\Sample.exe
```
```
C:\temp\test.exe
```

```
C:\Sample.doc
```
```
C:\temp\test.bat
```

C:\Sample

Note

Because

C:\Sample

does not have a file extension, it is not a match for the exception.

File extensions

C:\Sample.*

Excludes all files with the name

Sample

and any extension in the

C:\

directory

```
C:\Sample.exe
```

```
C:\Sample1.doc
```
```
C:\temp\Sample.bat
```

C:\Sample

Note

Because

C:\Sample

does not have a file extension, it is not a match for the exception.

Files in specific directory structures

C:\*\*\Sample.exe

Excludes all files located within the second subfolder level or any subsequent subfolders of the

C:\

directory with the file name and extension

Sample.exe

```
C:\files\temp\Sample.exe
```
```
C:\files\temp\test\Sample.exe
```

```
C:\Sample.exe
```
```
C:\temp\Sample.exe
```
```
C:\files\temp\Sample.doc
```

Exception strategies for spyware and grayware

When spyware is detected, the malware can be immediately cleaned, quarantined, or deleted, depending on the malware scan configuration that controls the scan. After you create the exception for a spyware or grayware event, you might have to restore the file. (See Restore identified files.)

Alternatively, you can temporarily scan for spyware and grayware with the action set to "Pass" so that all spyware and grayware detections are recorded on the Anti-Malware Events page but not cleaned, quarantined, or deleted. You can then create exceptions for the detected spyware and grayware. When your exception list is robust, you can set the action to "Clean", "Quarantine", or "Delete" modes.

For information about setting the action, see Configure how to handle malware.

Scan exclusion recommendations

The best and most comprehensive source for scan exclusions is from the software vendor. The following are some high-level scan exclusion recommendations:

Quarantine folders (such as SMEX on Microsoft Windows Exchange Server) should be excluded to avoid rescanning files that have already been confirmed to be malware.
Large databases and database files (for example, dsm.mdf and dsm.ldf) should be excluded because scanning could impact database performance. If it is necessary to scan database files, you can create a scheduled task to scan the database during off-peak hours. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list:

For Windows:

${ProgramFiles}\Microsoft SQL Server\MSSQL\Data\

${Windir}\WINNT\Cluster\ # if using SQL Clustering

Q:\ # if using SQL Clustering

For Linux:

/var/lib/mysql/ # if path is set to this Data Location of MySQL in the
                     machine.

/mnt/volume-mysql/ # if path is set to this Data Location of MySQL in the
                     machine.

For a list of recommended scan exclusions, see the Trend Micro recommended scan exclusion list. Microsoft also maintains an Anti-Virus Exclusion List that you can use as a reference for excluding files from scanning on Windows servers.

Exclude files signed by a trusted certificate

If you have signed applications and want to exclude all activities of those processes from real-time Anti-Malware scanning (including file scans, behavior monitoring, and predictive machine learning), you can add the digital certificate to your trusted certificate list in Server & Workload Protection.

Note

This type of exclusion is supported with version 20.0.0-3549+ agents on Windows.

In the policy or computer editor, go to Anti-Malware → Advanced.
In the Trusted Certificates Detection Exemptions section, set Exclude files with trusted certificate to "Yes" or "Inherited (Yes)".
Select Manage Certificate List.
The Trusted Certificates window displays any certificates you have imported. Select Import From File to add another one for scan exclusions.
Choose the certificate file and then select Next.
Review the certificate summary that's displayed and set Trust this certificate for to Scan Exclusions. Select Next.
The Summary page indicates whether the import was successful. Select Close.

The imported certificate appears in the Trusted Certificates list with the Purpose listed as Exception.

Tip

Server & Workload Protection checks the exemption list when a process starts. If a process is running before the exemption is configured, the process won't be added to the exemption list until it is restarted.