Monitoring and Exclusions

Define which processes are monitored by the Forensics component.

In the default monitoring settings, processes with certificates from some trusted companies are excluded.

You can Add, Edit, and Remove exclusions from the list.

To exclude a process from monitoring:

  1. From a SandBlast Agent Forensics and Anti-Ransomware rule in the Policy, right-click the Monitoring and Exclusions action and select Edit Shared Action.
  2. Click Add exclusion.
  3. In the window that opens, select:
    • Process - To exclude an executable. You can also include Certificate information.
      • In Process name, enter the name of the executable.
      • Optional: Enter more information in the fields shown. Signer is the company that signs the certificate. The more information you enter, the more specific the exclusion will be.
    • Certificate - To exclude processes based on the company that signs the certificate, for example, Google.
      • In Certificate Data, enter the name of a company that signs certificates, or browse to add a certificate file.
  4. Click OK.
  5. The exclusion is added to the Exclusions list.