Smart Exclusions

Smart Exclusions allows you to add exclusions to one or more capabilities and types easily, whereas the Legacy Exclusions allows you to add exclusion only for one capability at a time.

With Smart Exclusions, you can:

• Set exclusions to all capabilities and operating systems at once.

• Use standard syntax across all exclusion types.

• Use wider range of wildcard characters for nuanced and customized exclusion patterns.

• Easily enable or disable exclusions with a simple toggle button without the need to delete exclusions temporarily.

Note - Smart Exclusions is supported only with Endpoint Security Client version E87.52 and higher for Windows and E87.50 and higher for macOS.

Adding Exclusions to a Specific Rule

00:00: Smart Exclusions allows you to add exclusions to multiple capabilities easily. An exclusion is an entity, such as an IP address or domain that you want to exclude from the inspection. While, this video specifically details the steps for Harmony Endpoint, it is also applicable to Harmony Browse. 00:19: Log in to the Infinity Portal, access Harmony Endpoint, and click Policy. 00:24: Expand Threat Prevention and click Policy Capabilities and select a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.. 00:29: In the Capability and Exclusion pane, click Exclusions Center. 00:34: Click "Go To Smart Exclusions". 00:37: You can add an exclusion for a single or multi exclusion type. This video covers the procedure to add an exclusion for a single exclusion type. To add a single exclusion type, click new and select single method exclusion. 00:51: Enter a name for the exclusion and make sure that the status is enabled. 00:56: Select an exclusion type. 00:59: You can either apply the exclusion to all the supported capabilities or to specific supported capabilities. 01:07: Enter the details and click save. 01:10: The new exclusion is added to the table. 01:13: Thank you for watching this video.

To add a new exclusion to a specific rule:

1. Go to Policy > Threat Prevention > Policy Capabilities.

2. Select the rule for which you want to create the exclusion.

3. In the Capabilities & Exclusions pane, click Exclusions Center.

4. Click Go to Smart Exclusions.

   

5. Click or click Create New Exclusion.

6. To add an exclusion for only one exclusion type:

   

   1. Click Single-method exclusion.

      A wizard appears.

      

   2. In the Exclusion name field, enter a name for exclusion.

   3. To enable the exclusion, toggle Status to Enabled.

   4. From the Exclusion Type list, select the exclusion type.

   5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

   6. In the Apply to the following capabilities section:

      • To apply the exclusion to all capabilities, select All supported.

      • To apply the capabilities to specific capabilities, select Select specific and from the Capabilities list, select the capabilities.

        Notes: Capabilities not relevant to the selected group are not available. For supported syntax and capabilities for exclusion types, see sk181679.

   7. If the Exclusion Type is	Then
      Process path	In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe. To specify additional criteria, expand Process path options, and select: Case sensitive Trusted process Argument and if required, select Regex, and in the Argument value field, enter the value.
      Process hash	From the Process hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the Process hash value, enter the value.
      Process signer	In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
      File path	In the File path field, enter the path of the file. For example, C:\windows\system\. To specify additional criteria, expand File path options, and select Case sensitive.
      File hash	From the File hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the File hash value, enter the value.
      File signer	In the File signer value field, enter the process signer value. For example, Check Point Ltd.
      IP Range	In the IP Range fields, enter the IP address range. For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198. For example, to enter IPv6 range, enter 2001::1-2001::254.
      Url	In the URL field, enter the URL.
      Domain	In the Domain field, enter the domain. For example, checkpoint.com.
      Infection	In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

   8. (Optional) In the Comment field, enter comments.

   9. Click Save.

7. To add exclusions for multiple types of exclusions:

   1. Click Multi-method exclusion.

      A wizard appears.

      

   2. In the Exclusion name field, enter a name for exclusion.

   3. To enable the exclusion, toggle Status to Enabled.

   4. From the Exclusion Group list, select the exclusion type.

   5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

   6. In the Apply to the following capabilities section:

      • To apply the exclusion to all capabilities, select All supported.

      • To apply the capabilities to specific capabilities, select Select specific and from the Capabilities list, select the capabilities. To enable Chained Exclusions, in the Chained Exclusion are available for section, turn on the Inherit exclusion to child processes button. It automatically excludes all the child processes of the excluded process.

        Notes: Capabilities not relevant to the selected group are not available. Anti-Exploit capability supports only Process path and Infection/Protection exclusions.

   7. To enable Chained Exclusions, in the Chained Exclusion are available for section, turn on the Inherit exclusion to child processes button. It automatically excludes all the child processes of the excluded process.

      Notes: Chained exclusion is supported only with the Exclusion group of the type System and to these specific exclusions: Process path Process original name Process hash Process signer With the Harmony Endpoint Security Client version E88 and higher, it supports only the Forensics Monitoring capability. With the Harmony Endpoint Security Client version E88.20 and higher, it additionally supports Threat Emulation, Anti-Bot, Anti-Malware (DHS compliant), SSLi and URL Filtering capabilities.

      

   8. (Optional) In the Comment field, enter comments.

   9. Click Next.

      Note - For supported syntax and capabilities for exclusion types, see sk181679.

   10. If the Exclusion Group is	Exclusion Type	Then
       System	Process path	In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe. To specify additional criteria, expand Process path options, and select: Case sensitive Trusted process Argument and if required, select Regex, and in the Argument value field, enter the value.
       	Process original name	Enter the name of the process. For example, cmd.exe. Supported only for Windows-based endpoints.
       	Process hash	From the Process hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the Process hash value, enter the value.
       	Process signer	In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
       	File path	In the File path field, enter the path of the file. For example, C:\windows\system\. To specify additional criteria, expand File path options, and select Case sensitive.
       	File hash	From the File hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the File hash value, enter the value.
       	File signer	In the File signer value field, enter the process signer value. For example, Check Point Ltd.
       Web Asset	IP Range	In the IP Range fields, enter the IP address range. For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198. For example, to enter IPv6 range, enter 2001::1-2001::254.
       	Url	In the URL field, enter the URL.
       	Domain	In the Domain field, enter the domain. For example, checkpoint.com.
       Infection/Detection	Infection	In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

   11. Click Finish.

8. Click OK.

9. Click Save & Install.

Note - You can change Single-method exclusion to Multi-method exclusion. See Managing Exclusions.

Adding Global Exclusions

To add global exclusions that apply to all the rules:

1. Go to Policy > Threat Prevention > Global Exclusions.

2. Click Go to Smart Exclusions.

   

3. Click or click Create New Exclusion.

4. To add an exclusion for only one exclusion type:

   

   1. Click Single-method exclusion.

      A wizard appears.

      

   2. In the Exclusion name field, enter a name for exclusion.

   3. To enable the exclusion, toggle Status to Enabled.

   4. From the Exclusion Type list, select the exclusion type.

   5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

   6. In the Apply to the following capabilities section:

      • To apply the exclusion to all capabilities, select All supported.

      • To apply the capabilities to specific capabilities, select Select specific and from the Capabilities list, select the capabilities.

        Notes: Capabilities not relevant to the selected group are not available. For supported syntax and capabilities for exclusion types, see sk181679.

   7. If the Exclusion Type is	Then
      Process path	In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe. To specify additional criteria, expand Process path options, and select: Case sensitive Trusted process Argument and if required, select Regex, and in the Argument value field, enter the value.
      Process hash	From the Process hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the Process hash value, enter the value.
      Process signer	In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
      File path	In the File path field, enter the path of the file. For example, C:\windows\system\. To specify additional criteria, expand File path options, and select Case sensitive.
      File hash	From the File hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the File hash value, enter the value.
      File signer	In the File signer value field, enter the process signer value. For example, Check Point Ltd.
      IP Range	In the IP Range fields, enter the IP address range. For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198. For example, to enter IPv6 range, enter 2001::1-2001::254.
      Url	In the URL field, enter the URL.
      Domain	In the Domain field, enter the domain. For example, checkpoint.com.
      Infection	In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

   8. (Optional) In the Comment field, enter comments.

   9. Click Save.

5. To add exclusions for multiple types of exclusions:

   1. Click Multi-method exclusion.

      A wizard appears.

      

   2. In the Exclusion name field, enter a name for exclusion.

   3. To enable the exclusion, toggle Status to Enabled.

   4. From the Exclusion Group list, select the exclusion type.

   5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

   6. In the Apply to the following capabilities section:

      • To apply the exclusion to all capabilities, select All supported.

      • To apply the capabilities to specific capabilities, select Select specific and from the Capabilities list, select the capabilities. To enable Chained Exclusions, in the Chained Exclusion are available for section, turn on the Inherit exclusion to child processes button. It automatically excludes all the child processes of the excluded process.

        Notes: Capabilities not relevant to the selected group are not available. Anti-Exploit capability supports only Process path and Infection/Protection exclusions.

   7. To enable Chained Exclusions, in the Chained Exclusion are available for section, turn on the Inherit exclusion to child processes button. It automatically excludes all the child processes of the excluded process.

      Notes: Chained exclusion is supported only with the Exclusion group of the type System and to these specific exclusions: Process path Process original name Process hash Process signer With the Harmony Endpoint Security Client version E88 and higher, it supports only the Forensics Monitoring capability. With the Harmony Endpoint Security Client version E88.20 and higher, it additionally supports Threat Emulation, Anti-Bot, Anti-Malware (DHS compliant), SSLi and URL Filtering capabilities.

      

   8. (Optional) In the Comment field, enter comments.

   9. Click Next.

      Note - For supported syntax and capabilities for exclusion types, see sk181679.

   10. If the Exclusion Group is	Exclusion Type	Then
       System	Process path	In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe. To specify additional criteria, expand Process path options, and select: Case sensitive Trusted process Argument and if required, select Regex, and in the Argument value field, enter the value.
       	Process original name	Enter the name of the process. For example, cmd.exe. Supported only for Windows-based endpoints.
       	Process hash	From the Process hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the Process hash value, enter the value.
       	Process signer	In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
       	File path	In the File path field, enter the path of the file. For example, C:\windows\system\. To specify additional criteria, expand File path options, and select Case sensitive.
       	File hash	From the File hash type list, select the hash type: MD5 SHA1 SHA2 cdhash (for macOS only) In the File hash value, enter the value.
       	File signer	In the File signer value field, enter the process signer value. For example, Check Point Ltd.
       Web Asset	IP Range	In the IP Range fields, enter the IP address range. For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198. For example, to enter IPv6 range, enter 2001::1-2001::254.
       	Url	In the URL field, enter the URL.
       	Domain	In the Domain field, enter the domain. For example, checkpoint.com.
       Infection/Detection	Infection	In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

   11. Click Finish.

6. Click Save.

   The exclusions are automatically enforced on the client without installing the policy.

Note - You can change Single-method exclusion to Multi-method exclusion. See Managing Exclusions.

Migrating Legacy Exclusions

Best Practice - Check Point recommends to follow these steps before migrating to Smart Exclusions: Go to Policy > Threat Prevention > Policy Capabilities Pick a rule to test the migration and clone the rule. Place the newly created rule at the top. Under Applied To, select a test group. Click Exclusion Center for the newly created rule and export the legacy exclusions for backup purposes. For the newly created rule, migrate to Smart Exclusions. See To migrate legacy exclusions to smart exclusions:. Click Save and Install. Go to Logs and filter the logs for the computer in the test group. Verify that there are no false positives and all the detections are excluded correctly. If there are issues, contact Check Point Support. Perform the steps 1 through 8 for each rule at a time. Repeat the process for Global Exclusions.

To migrate legacy exclusions to smart exclusions:

1. To migrate legacy exclusions for a rule:

   1. Go to Policy > Threat Prevention > Policy Capabilities.

   2. Select the rule.

   3. In the Capabilities & Exclusions pane, click Exclusions Center.

2. To migrate legacy global exclusions, go to Policy > Threat Prevention > Global Exclusions.

3. Click Go to Smart Exclusions.

4. To migrate all legacy exclusions:

   1. Click Migrate from Legacy Exclusions (available only if there are no exclusions) or click and click All exclusions from legacy.

      The Import All Legacy Exclusions window appears.

   2. (Recommended) To remove all the legacy exclusions after you migrate to smart exclusions, select Remove all the imported exclusions from legacy.

   3. Click Import.

5. To migrate specific exclusions:

   1. Click and Select exclusions from legacy.

      The Transfer from Legacy - Select Exclusions window appears.

   2. Select the exclusions.

   3. Click OK.

      The exclusions are added to smart exclusions.

6. For specific rule, click OK and Save & Install.

7. For global exclusions, click Save.

   The exclusions are automatically enforced on the client without installing the policy.

Importing and Exporting Exclusions

To import or export exclusions:

1. To import or export exclusions for a rule:

   1. Go to Policy > Threat Prevention > Policy Capabilities.

   2. Select the rule.

   3. In the Capabilities & Exclusions pane, click Exclusions Center.

2. To import or export global exclusions, go to Policy > Threat Prevention > Global Exclusions.

3. Click Go To Smart Exclusions.

4. To import exclusions:

   1. Click and click Import Files.

   2. Browse and select the import file in the JSON format.

   3. For specific rule, click OK and Save & Install.

   4. For global exclusions, click Save.

      The exclusions are automatically enforced on the client without installing the policy.

5. To export exclusions, click .

   The file is exported in the JSON format.

Managing Exclusions

To manage exclusions:

1. To manage smart exclusions for a rule:

   1. Go to Policy > Threat Prevention > Policy Capabilities.

   2. Select the rule.

   3. In the Capabilities & Exclusions pane, click Exclusions Center.

2. To manage global smart exclusions, go to Policy > Threat Prevention > Global Exclusions.

3. Click Go To Smart Exclusions.

4. To edit an exclusion:

   • Select the exclusion and click .

   • Right-click the row and click Edit.

     To a change Single-method exclusion to Multi-method exclusion, click Edit in multi-value wizard at the bottom of the wizard.

     Refer to Adding Exclusions to a Specific Rule to edit the exclusion.

5. To delete exclusions:

   • Select the exclusions and click .

   • Click the row and at the end of the row, click .

   • Select the exclusions, right-click and click Delete.

6. To duplicate exclusions:

   • Select the exclusion and click .

   • Click the row and at the end of the row, click .

   • Select the exclusion, right-click and click Duplicate.

7. To enable or disable the exclusion, toggle the button in the Status column.

8. To edit Name, Capabilities and Comment:

   1. Click the row.

   2. At the end of the row, click .

   3. Edit the details.

   4. Click .

9. For a specific rule, click OK and Save & Install.

10. For global exclusions, click Save.

    The exclusions are automatically enforced on the client without installing the policy.