Legacy Exclusions

You can exclude specific objects (exclusions) from inspection by Harmony Endpoint. You can add exclusions to a ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. or create global exclusions that apply to all rules.

Adding Exclusions to a Specific Rule

To add exclusions to a specific rule:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule for which you want to create the exclusion

  3. In the Capabilities & Exclusions pane, click Exclusions Center.

  4. Expand an exclusion category. For example, Anti-Bot -> URL Filtering Exclusions.

    Note - Global Exclusions is read-only. To add Global Exclusions, see Adding Global Exclusions.

  5. Expand Rule Exclusions.

  6. Select the exclusions you want to add to the rule.

  7. Click OK.

  8. In the bottom right corner of the policy configuration pane, click Save.

  9. From the top, click Install Policy.

Adding Global Exclusions

To add global exclusions that apply to all the rules:

  1. Go to Policy > Threat Prevention > Global Exclusions.

  2. Expand an exclusion category. For example, Anti-Bot -> URL Filtering Exclusions.

  3. Select the exclusions you want to add to the rule.

  4. Click Save.

  5. From the top, click Install Policy.

Adding Exclusions from Security Overview

To add exclusions from Security Overview:

  1. Go to Overview > Security Overview.

  2. Right-click the security event and select Drill Down.

  3. Right-click the event and select one of these options:

    • Create Exclusion for Effective Rule

      The Edit Exclusions Center window appears and automatically adds the exclusion.

    • Create Exclusion for All Rules

      • If Global Exclusions is not enabled, the Edit Exclusions Center window opens and automatically adds the exclusion to all the rules under Policy Capabilities.

      • If Global Exclusions is enabled, the Edit Exclusions Center window opens and automatically adds the exclusion to Global Exclusions. For more information, see Adding Global Exclusions.

  4. Click OK.

  5. Click Save for all the modified policies.

  6. Click Install Policy.

Notes:

Adding Exclusions from Logs

To add exclusions from the Logs menu:

  1. Go to Logs menu.

  2. Right-click a log to add and configure an exclusion to your endpoint device. This redirects you to the appropriate rule, section, and capability.

  3. Select one of these options to apply the exclusions:

    • Effective option: For a specific device or a user rule.

    • All options: For a specific rule.

Notes:

  • This option is available only for Harmony Endpoint client version E86.20 and later.

  • For Harmony Endpoint client version 86.20 or earlier, or for unsupported blades/capabilities, you are redirected to the relevant rule in the exclusions center to create exclusions.

Adding a New Exclusion to an Exclusion Category

To add an exclusion to an exclusions category:

  1. Do one of these:

    • Go to Policy > Threat Prevention > Policy Capabilities.

    • Go to Policy > Threat Prevention > Global Exclusions.

    The Edit Exclusions Center window appears.

  2. Click .

    The New Exclusion window appears.

  3. Specify these details:

    1. Exclusion

    2. Method

    3. Value

    4. (Optional) Comment

    5. To add the exclusion to all the rules, select the Add to all rules checkbox. This step does not apply to Global Exclusions.

      Note - If the current rule contains this exception, then the system adds a duplicate exclusion.

  4. Click OK.

  5. In the bottom right corner of the policy configuration pane, click Save.

  6. From the top, click Install Policy.

Editing an Exclusion

To edit an exclusion:

  1. Do one of these:

    • Go to Policy > Threat Prevention > Policy Capabilities.

    • Go to Policy > Threat Prevention > Global Exclusions.

    The Edit Exclusions Center window opens.

  2. Expand an exclusion category. For example, Anti-Bot -> URL Filtering Exclusions.

  3. If you are editing a local exclusion, expand Local Exclusions. This step does not apply to Global Exclusions.

  4. Select the exclusion you want to edit.

  5. Click .

    The Edit Exclusion window appears.

  6. Specify these details:

    1. Exclusion

    2. Method

    3. Value

    4. (Optional) Comment

    5. To apply the changes to all the rules that contain this exclusion, select the Update all rules checkbox. This step does not apply to Global Exclusions.

    6. To add the exclusion to all the rules that does not contain this exclusion, select the Add to all rules checkbox. This step does not apply to Global Exclusions.

  7. Click OK.

  8. In the bottom right corner of the policy configuration pane, click Save.

  9. From the top, click Install Policy.

Below is the list of supported exclusions.

By default, the Anti-Bot component inspects all entities except:

  • Process - Name of an executable

  • URL - Website URL

  • Domain - Full Domain name

  • Protection Name - Predefined malware signature

  • IP range - Internal or external IP address

You can exclude specific domains from a rule. Click + to add the required domain you want to exclude from the rule.

Syntax

  • * indicates a string or a character. For example, A* can be ADomain or AB or AAAA.

  • ? indicates a character. For example, A? can be AA or AB or Ab.

For example:

If you enter

It excludes these

It does not exclude these

www.domain.com

  • https://www.domain.com

  • http://www.domain.com

  • https://domain.com

  • http://domain.com

  • https://sub.domain.com

  • http://sub.domain.com

domain.com

  • https://www.domain.com

  • http://www.domain.com

  • https://domain.com

  • http://domain.com

  • https://sub.domain.com

  • http://sub.domain.com

-
sub.domain.com

  • https://sub.domain.com

  • http://sub.domain.com

https://sub2.domain.com

*.domain.com

Sub-domain of domain.com such as:

  • https://sub1.domain.com

  • http://sub2.domain.com

 

 

Harmony Endpoint scans files when you create, open, or close them.

When you exclude a trusted process from inspection, it's file or network operation is not scanned. Exclude a process only if you are sure, it is not Malware.

Best Practice - We recommend excluding a process if:

  • It's behaviour is abnormal.

  • It's performance is slow after you installed the Anti-Malware blade.

  • A false-positive is detected.

Windows

You can exclude only .EXE files.

Syntax:

Fully qualified paths or an environment variable for the trusted executable.

Examples:

  • C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe

  • %programdata%\MytrustedProgram.exe

macOS

Syntax:

Fully qualified path for the trusted executable file.

Example:

/Applications/FileZilla.app/Contents/MacOS/filezilla

Files and Folder Exclusions are applied to all types of scans except contextual scan. The reason for configuring exclusions is to reduce the CPU usage of Anti-Malware.

Note - Files and folders must be excluded only if they are located in a Trusted zone or are considered a low-risk target for viruses.

Windows

Syntax:

Directory paths must end with a backlash.

Examples:

  • Directory:

    • C:\Program Files\MyTrustedDirectory\

    • %programdata%\MyTrustedDirectory\

  • Specific file:

    • C:\ProgramFiles\MyTrustedDirectory\excludeMe.txt

    • %programdata%\MyTrustedDirectory\excludeMe.txt

  • File type:

    • *.exe

    • \\ServerName\Share\folder\file.txt or \\ip_addres\Share\folder\file.txt depending on a way file is attached.

    • C:\Program Files\MyTrustedDirectory**.exe(recursive exclusion - applies for all .exe in C:\Program Files\MyTrustedDirectory\ and all subfolders)

  • For Harmony Endpoint client version E80.80 or higher, you can exclude MD5 hash from the scheduled malware scan. For example:

    • md5:0123456789012345

      • Exclude by hash in any folder

    • md5:0123456789012345:app.exe

      • Exclude by hash and exact file name

    • md5:0123456789012345:c:\folder\app.exe

      • Exclude by hash and full path

    • md5:0123456789012345:%ENV%\app.exe

      • Exclude by hash and environment variable

  • For Harmony Endpoint client version E86.10 or higher, you can exclude URL from the scheduled malware scan. For example:

    • url:*.example.com

    • url:http://*.example.com

    • url:http://example.com/*

    • url:www.example.com/abc/123

    • url:*192.168.*

    • url:http://192.168.*

Notes for URL exclusions-

  • The * character replaces any sequence that contains zero or more characters.

  • The www. character sequence at the beginning of an exclusion mask is interpreted as a *. sequence.

  • If an exclusion mask does not start with the * character, the content of the exclusion mask is equivalent to the same content with the *. prefix.

  • If an exclusion mask ends with a character other than / or *, the content of the exclusion mask is equivalent to the same content with the /* postfix.

  • If an exclusion mask ends with the / character, the content of the exclusion mask is equivalent to the same content with the /*. postfix.

  • The character sequence /* at the end of an exclusion mask is interpreted as /* or an empty string.

  • URLs are verified against an exclusion mask, taking into account the protocol (http or https).

Note - For Windows, files and folder names are not case-sensitive.

macOS

Syntax:

Directory path, a specific file, or a file type. Environment variables are not supported.

Example:

Trusted directory

  • /Users/Shared/MyTrustedDirectory/

Specific file

  • /Users/*/Documents/excludeMe.txt

File type

  • *.txt

Note - For macOS, files and folder names are case-sensitive.

You can exclude some riskware files and infections from the scheduled malware scan on your computer.

Best Practice:

  • Exclude when the specific software is allowed.

  • As a temporary exclusion when there is a false positive detection.

Syntax

Infection name and protection name in your log.

Example:

  • EICAR-Test-File

Notes -

  • The infection name is case-sensitive.

  • If you get a file protection detection, share the file with Check Point to resolve the file protection.

You can exclude specific folders, domains or SHA1 hashes from the Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE., Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. and Zero-Phishing protection.

Domain exclusions

  • Relevant only for Harmony Endpoint extension for Browsers.

  • To exclude an IP, in the Element field, enter IP address followed by subnet mask in the format <X.X.X.X>/ <subnet mask >. For example, to exclude a computer with IP address 192.168.100.30, enter 192.168.100.30/24.

  • Domain exclusions must be added without http, https or any other special characters except asterisk (*).

    Domain exclusions can be added with or without www.

  • Sub-domain exclusions are supported.

    Exclusion of a domain will exclude all its subdomains as well.

For example:

If you enter

It excludes these

It does not exclude these

www.domain.com

  • https://www.domain.com

  • http://www.domain.com

  • https://domain.com

  • http://domain.com

  • https://sub.domain.com

  • http://sub.domain.com

domain.com

  • https://www.domain.com

  • http://www.domain.com

  • https://domain.com

  • http://domain.com

  • https://sub.domain.com

  • http://sub.domain.com

-
sub.domain.com

  • https://sub.domain.com

  • http://sub.domain.com

https://sub2.domain.com

*.domain.com

Sub-domain of domain.com such as:

  • https://sub1.domain.com

  • http://sub2.domain.com

 

 

SHA1 exclusions -

  • Relevant only for Threat Emulation blade (File system monitoring).

    For Harmony Endpoint version E86.40, SHA1 exclusion is supported on Harmony Endpoint extension for browsers as well (not including Internet Explorer). SHA1 can be used to exclude downloaded files from File Protection and local HTML files from Zero Phishing.

  • It is not supported with Internet Explorer.

  • File Reputation exclusions are set by SHA1.

  • Macro exclusion - To exclude the office files which includes a macro, set exclusions for the SHA1 hash of the macro.

    For example, if an exclusion is set to SHA1 hash of the macro, all the files which includes this macro are excluded.

    Notes -

Folder exclusions -

  • Relevant only for Threat Emulation blade (File system monitoring).

  • Folder path cannot contain environment variables.

  • When you exclude a folder, enter the folder as a windows path. For example:

    C:\Program Files\MyTrustedDirectory\

  • If the path of created file begins with exclusion, it will be excluded.

  • For Endpoint Security Client version E87.10 or higher, if the value of exclusion start with FileEx:\\ then the value will be treated as path to the file.

    To exclude specific type of files in a folder, use the following format:
    FileEx:\\<Path_to_directory>\*.<file_extension>.
    For example, FileEx:\\D:\mydir\*.xls will exclude all XLS files in D:\mydir folder.

  • Folder exclusions support wildcards. These wildcards are supported:

    ? - Each question mark masks one character.

    * - Each star masks zero or more characters.

  • It is not advised to add * in the middle of path exclusions, as it may hurt the performance.

  • Exclude network files by path \\ServerName\Share\folder\.This excludes all files located under \ServerName\Share\folder\\.

You can exclude these elements from the Anti-Exploit protection:

  • Protection Name - Predefined malware signature

  • Process - To exclude an executable

Currently there are five different Anti-Exploit protections available. Following is a list of the protections per-name.

Syntax for exclusions:

Protection

Protection Rule Name

Import-Export Address Table Parsing

Gen.Exploiter.IET

Return Oriented Programming

Gen.Exploiter.ROP

VB Script God Mode

Gen.Exploiter.VBS

Stack Pivoting

Gen.Exploiter.SP

RDP Vulnerability (CVE-2019-0708)

Gen.Exploiter.CVE_2019_0708

RCE Vulnerability (CVE-2019-1181)

Gen.Exploiter.CVE_2019_1181/2

Excluding a protection means that files will not be monitored by Anti-Exploit.

  • Process and protection

    • C:\Program Files\MyTrustedDirectory\excludeMe.exe

    • Gen.Exploiter.ROP

  • Protection

    • Gen.Exploiter.ROP

You can exclude these elements from the Anti-Ransomware and Behavioral Guard protection:

  • Folder – To exclude a folder or non-executable files

  • Process - To exclude an executable by element, MD5, and signer.

  • Certificate - To exclude processes based on the company that signs the certificate.

  • Protection - To exclude signature by it's name.

Notes:

  • Excluded process will be monitored but not triggered.

  • Excluded protection will not be triggered.

Syntax:

  • Folder can contain environment variables

  • Folder cannot contain wildcards (*)

  • By default, sub-folders are included.

Excluding a Certificate / Process means that files modified / created by a certain process will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

Windows

Syntax:

  • You must specify the process name or full path to the process

  • Exclusion can contain environment variables

  • Wildcards are supported.

    Note - This is supported with Endpoint Security client version E86.70 and higher.

Examples:

  • Full path

    • C:\Program Files\MyTrustedDirectory\

  • Process

    • C:\Program Files\MyTrustedDirectory\ExcludeMe.exe

  • Certificate

    • Microsoft

  • md5: 0123456789012345

  • Protection: win.blocker

macOS

Syntax:

  • You must specify full path or wildcard

  • Path or file name can contain wildcards

  • Paths are case sensitive

Examples:

  • Full path or Xcode exclusion:
    :/Appliations/Xcode.app/Contents?MacOS/Xcode

  • To cover all Xcode-related executables (not only GUI app):
    /Applicatoins/Xcode.app/*

Excluding a Certificate / Process means that files modified / created by a certain process will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

You can exclude these elements from monitoring:

  • Process - To exclude an executable by element, MD5 and signer.

  • Certificate - To exclude processes based on the company that signs the certificate.

Syntax:

  • Process can be excluded by name only, or by full path.

    For example C:\Program Files\MyTrustedDirectory\excludeMe.exe

  • Full path can contain environment variables.

  • Full path CANNOT contain wildcards

  • Certificate

    • Microsoft

  • md5:0123456789012345

    • Exclude a process by hash.

  • Excluding a Certificate / Process means that files modified / created by a certain process will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

You can exclude a file or process from quarantine. You can define the exclusion by these criteria: certificate, file, folder, MD5 hash, SHA1 hash, and file extension. When an element is excluded from quarantine, even if there is a detection of malware, the file is not quarantined.