Smart Exclusions

Smart Exclusions allows you to add exclusions to one or more capabilities and types easily, whereas the Legacy Exclusions allows you to add exclusion only for one capability at a time.

With Smart Exclusions, you can:

  • Set exclusions to all capabilities and operating systems at once.

  • Use standard syntax across all exclusion types.

  • Use wider range of wildcard characters for nuanced and customized exclusion patterns.

  • Easily enable or disable exclusions with a simple toggle button without the need to delete exclusions temporarily.

Note - Smart Exclusions is supported only with Endpoint Security Client version E87.52 and higher for Windows and E87.50 and higher for macOS.

Adding Exclusions to a Specific Rule

00:00: Smart Exclusions allows you to add exclusions to multiple capabilities easily. An exclusion is an entity, such as an IP address or domain that you want to exclude from the inspection. While, this video specifically details the steps for Harmony Endpoint, it is also applicable to Harmony Browse. 00:19: Log in to the Infinity Portal, access Harmony Endpoint, and click Policy. 00:24: Expand Threat Prevention and click Policy Capabilities and select a . 00:29: In the Capability and Exclusion pane, click Exclusions Center. 00:34: Click "Go To Smart Exclusions". 00:37: You can add an exclusion for a single or multi exclusion type. This video covers the procedure to add an exclusion for a single exclusion type. To add a single exclusion type, click new and select single method exclusion. 00:51: Enter a name for the exclusion and make sure that the status is enabled. 00:56: Select an exclusion type. 00:59: You can either apply the exclusion to all the supported capabilities or to specific supported capabilities. 01:07: Enter the details and click save. 01:10: The new exclusion is added to the table. 01:13: Thank you for watching this video.

To add a new exclusion to a specific rule:

  1. Go to Policy > Threat Prevention > Policy Capabilities.

  2. Select the rule for which you want to create the exclusion.

  3. In the Capabilities & Exclusions pane, click Exclusions Center.

  4. Click Go to Smart Exclusions.

  5. Click or click Create New Exclusion.

    1. Click Single-method exclusion.

      A wizard appears.

    2. In the Exclusion name field, enter a name for exclusion.

    3. To enable the exclusion, toggle Status to Enabled.

    4. From the Exclusion Type list, select the exclusion type.

    5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

    6. In the Apply to the following capabilities section:

      • To apply the exclusion to all capabilities, select All supported.

      • To apply the capabilities to specific capabilities, select Select specific and from the Capabilities list, select the capabilities.

        Notes:

        • Capabilities not relevant to the selected group are not available.

        • For supported syntax and capabilities for exclusion types, see sk181679.

      If the Exclusion Type is

      Then
      Process path

      1. In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe.

      2. To specify additional criteria, expand Process path options, and select:

        • Case sensitive

        • Trusted process

        • Argument and if required, select Regex, and in the Argument value field, enter the value.
      Process hash

      1. From the Process hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the Process hash value, enter the value.
      Process signer

      In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
      File path

      1. In the File path field, enter the path of the file. For example, C:\windows\system\.

      2. To specify additional criteria, expand File path options, and select Case sensitive.
      File hash

      1. From the File hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the File hash value, enter the value.
      File signer

      In the File signer value field, enter the process signer value. For example, Check Point Ltd.

      IP Range

      In the IP Range fields, enter the IP address range.

      For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198.

      For example, to enter IPv6 range, enter 2001::1-2001::254.

      Url

      In the URL field, enter the URL.

      Domain

      In the Domain field, enter the domain. For example, checkpoint.com.

      Infection

      In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

    7. (Optional) In the Comment field, enter comments.

    8. Click Save.

    1. Click Multi-method exclusion.

      A wizard appears.

    2. In the Exclusion name field, enter a name for exclusion.

    3. To enable the exclusion, toggle Status to Enabled.

    4. From the Exclusion Group list, select the exclusion type.

    5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

    6. In the Apply to the following capabilities section:

    7. To enable Chained Exclusions, in the Chained Exclusion are available for section, turn on the Inherit exclusion to child processes button. It automatically excludes all the child processes of the excluded process.

      Notes:

      • Chained exclusion is supported only with the Exclusion group of the type System and to these specific exclusions:

        • Process path

        • Process original name

        • Process hash

        • Process signer

      • For Harmony Endpoint Security Client version E88.40 and lower, it is mandatory to provide either Process path or the Process signer parameter. All the other parameters are optional.

      • With the Harmony Endpoint Security Client version E88 and higher, it supports only the Forensics Monitoring capability.

      • With the Harmony Endpoint Security Client version E88.20 and higher, it additionally supports Threat Emulation, Anti-Bot, Anti-Malware (DHS compliant), SSLi and URL Filtering capabilities.

    8. (Optional) In the Comment field, enter comments.

    9. Click Next.

      Note - For supported syntax and capabilities for exclusion types, see sk181679.

      If the Exclusion Group is

      Exclusion Type

      Then
      System Process path

      1. In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe.

      2. To specify additional criteria, expand Process path options, and select:

        • Case sensitive

        • Trusted process

        • Argument and if required, select Regex, and in the Argument value field, enter the value.
      Process original name 1

      Enter the process original name. For example, Cmd.exe.

      Supported only for Windows-based endpoints.

      Notes -

      • To find the original name of the process:

        1. Right-click on the executable file.

        2. Go to Properties > Details > Original filename.

      • Process original name is case-sensitive.
      Process hash

      1. From the Process hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the Process hash value, enter the value.
      Process signer 1

      In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
      File path

      1. In the File path field, enter the path of the file. For example, C:\windows\system\.

      2. To specify additional criteria, expand File path options, and select Case sensitive.
      File hash

      1. From the File hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the File hash value, enter the value.
      File signer

      In the File signer value field, enter the process signer value. For example, Check Point Ltd.

      Web Asset

      IP Range

      In the IP Range fields, enter the IP address range.

      For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198.

      For example, to enter IPv6 range, enter 2001::1-2001::254.

      Url

      In the URL field, enter the URL.

      Domain

      In the Domain field, enter the domain. For example, checkpoint.com.

      Infection/Detection

      Infection

      In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

      1 It is mandatory to provide either Process original name or the Process signer parameter. All the other parameters are optional.

    10. Click Finish.

  8. Click OK.

  9. Click Save & Install.

    		10.

    Note - You can change Single-method exclusion to Multi-method exclusion. See Managing Exclusions.

Adding Global Exclusions

To add global exclusions that apply to all the rules:

  1. Go to Policy > Threat Prevention > Global Exclusions.

  2. Click Go to Smart Exclusions.

  3. Click or click Create New Exclusion.

    1. Click Single-method exclusion.

      A wizard appears.

    2. In the Exclusion name field, enter a name for exclusion.

    3. To enable the exclusion, toggle Status to Enabled.

    4. From the Exclusion Type list, select the exclusion type.

    5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

    6. In the Apply to the following capabilities section:

      • To apply the exclusion to all capabilities, select All supported.

      • To apply the capabilities to specific capabilities, select Select specific and from the Capabilities list, select the capabilities.

        Notes:

        • Capabilities not relevant to the selected group are not available.

        • For supported syntax and capabilities for exclusion types, see sk181679.

      If the Exclusion Type is

      Then
      Process path

      1. In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe.

      2. To specify additional criteria, expand Process path options, and select:

        • Case sensitive

        • Trusted process

        • Argument and if required, select Regex, and in the Argument value field, enter the value.
      Process hash

      1. From the Process hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the Process hash value, enter the value.
      Process signer

      In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
      File path

      1. In the File path field, enter the path of the file. For example, C:\windows\system\.

      2. To specify additional criteria, expand File path options, and select Case sensitive.
      File hash

      1. From the File hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the File hash value, enter the value.
      File signer

      In the File signer value field, enter the process signer value. For example, Check Point Ltd.

      IP Range

      In the IP Range fields, enter the IP address range.

      For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198.

      For example, to enter IPv6 range, enter 2001::1-2001::254.

      Url

      In the URL field, enter the URL.

      Domain

      In the Domain field, enter the domain. For example, checkpoint.com.

      Infection

      In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

    7. (Optional) In the Comment field, enter comments.

    8. Click Save.

    1. Click Multi-method exclusion.

      A wizard appears.

    2. In the Exclusion name field, enter a name for exclusion.

    3. To enable the exclusion, toggle Status to Enabled.

    4. From the Exclusion Group list, select the exclusion type.

    5. From the Operating system list, select the operating system to which you want to apply the exclusion. For example, endpoints running Windows operating system only. It is not available if you select All supported in the Apply to the following capabilities section.

      Caution - If you make exclusions in the Forensics Monitoring capability, the activities of the excluded processes are omitted from forensic analysis. As a result, you cannot query for these activities in Threat Hunting and they are excluded from Horizon XDR/XPR analysis, detections, and the creation of security incidents related to sophisticated attacks.

    6. In the Apply to the following capabilities section:

    7. To enable Chained Exclusions, in the Chained Exclusion are available for section, turn on the Inherit exclusion to child processes button. It automatically excludes all the child processes of the excluded process.

      Notes:

      • Chained exclusion is supported only with the Exclusion group of the type System and to these specific exclusions:

        • Process path

        • Process original name

        • Process hash

        • Process signer

      • For Harmony Endpoint Security Client version E88.40 and lower, it is mandatory to provide either Process path or the Process signer parameter. All the other parameters are optional.

      • With the Harmony Endpoint Security Client version E88 and higher, it supports only the Forensics Monitoring capability.

      • With the Harmony Endpoint Security Client version E88.20 and higher, it additionally supports Threat Emulation, Anti-Bot, Anti-Malware (DHS compliant), SSLi and URL Filtering capabilities.

    8. (Optional) In the Comment field, enter comments.

    9. Click Next.

      Note - For supported syntax and capabilities for exclusion types, see sk181679.

      If the Exclusion Group is

      Exclusion Type

      Then
      System Process path

      1. In the Process path field, enter the path of the process. For example, C:\windows\system\cmd.exe.

      2. To specify additional criteria, expand Process path options, and select:

        • Case sensitive

        • Trusted process

        • Argument and if required, select Regex, and in the Argument value field, enter the value.
      Process original name 1

      Enter the process original name. For example, Cmd.exe.

      Supported only for Windows-based endpoints.

      Notes -

      • To find the original name of the process:

        1. Right-click on the executable file.

        2. Go to Properties > Details > Original filename.

      • Process original name is case-sensitive.
      Process hash

      1. From the Process hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the Process hash value, enter the value.
      Process signer 1

      In the Process signer value field, enter the process signer value. For example, Check Point Ltd.
      File path

      1. In the File path field, enter the path of the file. For example, C:\windows\system\.

      2. To specify additional criteria, expand File path options, and select Case sensitive.
      File hash

      1. From the File hash type list, select the hash type:

        • MD5

        • SHA1

        • SHA2

        • cdhash (for macOS only)

      2. In the File hash value, enter the value.
      File signer

      In the File signer value field, enter the process signer value. For example, Check Point Ltd.

      Web Asset

      IP Range

      In the IP Range fields, enter the IP address range.

      For example, to enter IPv4 range, enter 192.168.1.30-192.168.1.198.

      For example, to enter IPv6 range, enter 2001::1-2001::254.

      Url

      In the URL field, enter the URL.

      Domain

      In the Domain field, enter the domain. For example, checkpoint.com.

      Infection/Detection

      Infection

      In the Infection/Protection field, enter the infection (for example, not-a-virus:Adware.Win32.BroAssist.a) or a protection (for example, Gen.Exploiter.ROP).

      1 It is mandatory to provide either Process original name or the Process signer parameter. All the other parameters are optional.

    10. Click Finish.

  6. Click Save.

    The exclusions are automatically enforced on the client without installing the policy.

    		7.

    Note - You can change Single-method exclusion to Multi-method exclusion. See Managing Exclusions.

Migrating Legacy Exclusions

Best Practice - Check Point recommends to follow these steps before migrating to Smart Exclusions:

  1. Go to Policy > Threat Prevention > Policy Capabilities

  2. Pick a rule to test the migration and clone the rule.

  3. Place the newly created rule at the top.

  4. Under Applied To, select a test group.

  5. Click Exclusion Center for the newly created rule and export the legacy exclusions for backup purposes.

  6. For the newly created rule, migrate to Smart Exclusions. See To migrate legacy exclusions to smart exclusions:.

  7. Click Save and Install.

  8. Go to Logs and filter the logs for the computer in the test group. Verify that there are no false positives and all the detections are excluded correctly. If there are issues, contact Check Point Support.

  9. Perform the steps 1 through 8 for each rule at a time.

  10. Repeat the process for Global Exclusions.

To migrate legacy exclusions to smart exclusions:

  1. To migrate legacy exclusions for a rule:

    1. Go to Policy > Threat Prevention > Policy Capabilities.

    2. Select the rule.

    3. In the Capabilities & Exclusions pane, click Exclusions Center.

  2. To migrate legacy global exclusions, go to Policy > Threat Prevention > Global Exclusions.

  3. Click Go to Smart Exclusions.

  4. To migrate all legacy exclusions:

    1. Click Migrate from Legacy Exclusions (available only if there are no exclusions) or click and click All exclusions from legacy.

      The Import All Legacy Exclusions window appears.

    2. (Recommended) To remove all the legacy exclusions after you migrate to smart exclusions, select Remove all the imported exclusions from legacy.

    3. Click Import.

  5. To migrate specific exclusions:

    1. Click and Select exclusions from legacy.

      The Transfer from Legacy - Select Exclusions window appears.

    2. Select the exclusions.

    3. Click OK.

      The exclusions are added to smart exclusions.

  6. For specific rule, click OK and Save & Install.

  7. For global exclusions, click Save.

    The exclusions are automatically enforced on the client without installing the policy.

Importing and Exporting Exclusions

To import or export exclusions:

  1. To import or export exclusions for a rule:

    1. Go to Policy > Threat Prevention > Policy Capabilities.

    2. Select the rule.

    3. In the Capabilities & Exclusions pane, click Exclusions Center.

  2. To import or export global exclusions, go to Policy > Threat Prevention > Global Exclusions.

  3. Click Go To Smart Exclusions.

  4. To import exclusions:

    1. Click and click Import Files.

    2. Browse and select the import file in the JSON format.

    3. For specific rule, click OK and Save & Install.

    4. For global exclusions, click Save.

      The exclusions are automatically enforced on the client without installing the policy.

  5. To export exclusions, click .

    The file is exported in the JSON format.

Managing Exclusions

To manage exclusions:

  1. To manage smart exclusions for a rule:

    1. Go to Policy > Threat Prevention > Policy Capabilities.

    2. Select the rule.

    3. In the Capabilities & Exclusions pane, click Exclusions Center.

  2. To manage global smart exclusions, go to Policy > Threat Prevention > Global Exclusions.

  3. Click Go To Smart Exclusions.

  4. To edit an exclusion:

    • Select the exclusion and click .

    • Right-click the row and click Edit.

      To a change Single-method exclusion to Multi-method exclusion, click Edit in multi-value wizard at the bottom of the wizard.

      Refer to Adding Exclusions to a Specific Rule to edit the exclusion.

  5. To delete exclusions:

    • Select the exclusions and click .

    • Click the row and at the end of the row, click .

    • Select the exclusions, right-click and click Delete.

  6. To duplicate exclusions:

    • Select the exclusion and click .

    • Click the row and at the end of the row, click .

    • Select the exclusion, right-click and click Duplicate.

  7. To enable or disable the exclusion, toggle the button in the Status column.

  8. To edit Name, Capabilities and Comment:

    1. Click the row.

    2. At the end of the row, click .

    3. Edit the details.

    4. Click .

  9. For a specific rule, click OK and Save & Install.

  10. For global exclusions, click Save.

    The exclusions are automatically enforced on the client without installing the policy.