Adding Exclusions to Rules

  1. Go to the applicable policy ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., for which you want to create the exclusion.

  2. In the Capabilities & Exclusions pane, click Exclusions Center.

    The Exclusions Center window opens.

  3. Add the required type of exclusion.

  4. Click OK.

  5. In the bottom right corner of the policy configuration pane, click Save.

  6. From the top, click Install Policy.

Notes -

  • You can also add exclusions from the Logs menu:

    • In the Logs menu, right-click a log to add and configure an exclusion to your endpoint device. This redirects you to the appropriate rule, section, and capability.

    • Apply the exclusions through:

      • Effective option: Pertains to a specific device or a user rule.

      • All options: Pertains to a specific rule.

  • This is supported with Harmony Endpoint client version 86.20 or higher.

  • For Harmony Endpoint client version 86.20 or lower, or for blades/capabilities which are not supported, the system redirects you to the relevant rule in the exclusions center to create exclusions.

Below is the list of supported exclusions.

Web and Files Protection Exclusions

By default, the Anti-BotClosed Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. component inspects all entities except:

  • Process - Name of an executable

  • URL - Website URL

  • Domain - Full Domain name

  • Protection Name - Predefined malware signature

  • IP range - Internal or external IP address

Harmony Endpoint scans files when you create, open, or close them.

When you exclude a trusted process from inspection, it's file or network operation is not scanned. Exclude a process only if you are sure, it is not Malware.

Best Practice - We recommend excluding a process if:

Windows

You can exclude only .EXE files.

Syntax:

Fully qualified paths or an environment variable for the trusted executable.

Examples:

  • C:\Program Files\MyTrustedDirectory\MyTrustedProgram.exe

  • %programdata%\MytrustedProgram.exe

macOS

Syntax:

Fully qualified path for the trusted executable file.

Example:

/Applications/FileZilla.app/Contents/MacOS/filezilla

Files and Folder Exclusions are applied to all types of scans except contextual scan. The reason for configuring exclusions is to reduce the CPU usage of Anti-Malware.

Note - Files and folders must be excluded only if they are located in a Trusted zone or are considered a low-risk target for viruses.

Windows

Syntax:

Directory paths must end with a backlash.

Examples:

  • Directory:

    • C:\Program Files\MyTrustedDirectory\

    • %programdata%\MyTrustedDirectory\

  • Specific file:

    • C:\ProgramFiles\MyTrustedDirectory\excludeMe.txt

    • %programdata%\MyTrustedDirectory\excludeMe.txt

  • File type:

    • *.exe

    • \\ServerName\Share\folder\file.txt or \\ip_addres\Share\folder\file.txt depending on a way file is attached.

    • C:\Program Files\MyTrustedDirectory**.exe(recursive exclusion - applies for all .exe in C:\Program Files\MyTrustedDirectory\ and all subfolders)

  • For Harmony Endpoint client version E80.80 or higher, you can exclude MD5 hash from the scheduled malware scan. For example:

    • md5:0123456789012345

      • Exclude by hash in any folder

    • md5:0123456789012345:app.exe

      • Exclude by hash and exact file name

    • md5:0123456789012345:c:\folder\app.exe

      • Exclude by hash and full path

    • md5:0123456789012345:%ENV%\app.exe

      • Exclude by hash and environment variable

  • For Harmony Endpoint client version E86.10 or higher, you can exclude URL from the scheduled malware scan. For example:

    • url:*.example.com

    • url:http://*.example.com

    • url:http://example.com/*

    • url:www.example.com/abc/123

    • url:*192.168.*

    • url:http://192.168.*

Notes for URL exclusions-

  • The * character replaces any sequence that contains zero or more characters.

  • The www. character sequence at the beginning of an exclusion mask is interpreted as a *. sequence.

  • If an exclusion mask does not start with the * character, the content of the exclusion mask is equivalent to the same content with the *. prefix.

  • If an exclusion mask ends with a character other than / or *, the content of the exclusion mask is equivalent to the same content with the /* postfix.

  • If an exclusion mask ends with the / character, the content of the exclusion mask is equivalent to the same content with the /*. postfix.

  • The character sequence /* at the end of an exclusion mask is interpreted as /* or an empty string.

  • URLs are verified against an exclusion mask, taking into account the protocol (http or https).

Note - For Windows, files and folder names are not case-sensitive.

macOS

Syntax:

Directory path, a specific file, or a file type. Environment variables are not supported.

Example:

Trusted directory

  • /Users/Shared/MyTrustedDirectory/

Specific file

  • /Users/*/Documents/excludeMe.txt

File type

  • *.txt

Note - For macOS, files and folder names are case-sensitive.

 

You can exclude some riskware files and infections from the scheduled malware scan on your computer.

Best Practice:

  • Exclude when the specific software is allowed.

  • As a temporary exclusion when there is a false positive detection.

Syntax

Infection name and protection name in your log.

Example:

  • EICAR-Test-File

Notes -

  • The infection name is case-sensitive.

  • If you get a file protection detection, share the file with Check Point to resolve the file protection.

You can exclude specific folders, domains or SHA1 hashes from the Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE., Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. and Zero-Phishing protection.

Domain exclusions

  • Relevant only for Harmony Endpoint extension for Browsers.

  • To exclude an IP, in the Element field, enter IP address followed by subnet mask in the format <X.X.X.X>/ <subnet mask >. For example, to exclude a computer with IP address 192.168.100.30, enter 192.168.100.30/24.

  • Domain exclusions must be added without http/s, *, or any other special characters.

    Domain exclusions can be added with or without www.

  • Sub-domain exclusions are supported.

    Exclusion of a domain will exclude all its subdomains as well.

For example:

If you enter the domain

It excludes these domains

It does not exclude these domains
www.domain.com

  • https://www.domain.com

  • http://www.domain.com

  • https://domain.com

  • http://domain.com

  • https://sub.domain.com

  • http://sub.domain.com

domain.com

  • https://www.domain.com

  • http://www.domain.com

  • https://domain.com

  • http://domain.com

  • https://sub.domain.com

  • http://sub.domain.com

-
sub.domain.com

  • https://sub.domain.com

  • http://sub.domain.com

https://sub2.domain.com

SHA1 exclusions -

  • Relevant only for Threat Emulation blade (File system monitoring).

    For Harmony Endpoint version E86.40, SHA1 exclusion is supported on Harmony Endpoint extension for browsers as well (not including Internet Explorer). SHA1 can be used to exclude downloaded files from File Protection.

  • It is not supported with Internet Explorer.

  • File Reputation exclusions are set by SHA1.

Folder exclusions -

  • Relevant only for Threat Emulation blade (File system monitoring).

  • Folder path cannot contain environment variables.

  • When you exclude a folder, enter the folder as a windows path. For example:

    C:\Program Files\MyTrustedDirectory\

  • If the path of created file begins with exclusion, it will be excluded.

  • Folder exclusions support wildcards. These wildcards are supported:

    ? - Each question mark masks one character.

    * - Each star masks zero or more characters.

  • It is not advised to add * in the middle of path exclusions, as it may hurt the performance.

  • Exclude network files by path \\ServerName\Share\folder\.This excludes all files located under \ServerName\Share\folder\\.

Behavioral Protections

You can exclude these elements from the Anti-Exploit protection:

  • Protection Name - Predefined malware signature

  • Process - To exclude an executable

Currently there are five different Anti-Exploit protections available. Following is a list of the protections per-name.

Syntax for exclusions:

Protection

Protection Rule Name

Import-Export Address Table Parsing

Gen.Exploiter.IET

Return Oriented Programming

Gen.Exploiter.ROP

VB Script God Mode

Gen.Exploiter.VBS

Stack Pivoting

Gen.Exploiter.SP

RDP Vulnerability (CVE-2019-0708)

Gen.Exploiter.CVE_2019_0708

RCE Vulnerability (CVE-2019-1181)

Gen.Exploiter.CVE_2019_1181/2

Excluding a protection means that files will not be monitored by Anti-Exploit.

  • Process and protection

    • C:\Program Files\MyTrustedDirectory\excludeMe.exe

    • Gen.Exploiter.ROP

  • Protection

    • Gen.Exploiter.ROP

Exclusions

You can exclude these elements from the Anti-Ransomware and Behavioral Guard protection:

  • Folder – To exclude a folder or non-executable files

  • Process - To exclude an executable by element, MD5, and signer.

  • Certificate - To exclude processes based on the company that signs the certificate.

  • Protection - To exclude signature by it's name.

Notes:

  • Excluded process will be monitored but not triggered.

  • Excluded protection will not be triggered.

Syntax:

  • Folder can contain environment variables

  • Folder cannot contain wildcards (*)

  • By default, sub-folders are included.

Excluding a Certificate / Process means that files modified / created by a certain process will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

Windows

Syntax:

  • You must specify name or full path

  • Full path can contain environment variables

  • Path or file name cannot contain wildcards

Examples:

  • Full path

    • C:\Program Files\MyTrustedDirectory\

  • Process

    • C:\Program Files\MyTrustedDirectory\ExcludeMe.exe

  • Certificate

    • Microsoft

  • md5: 0123456789012345

  • Protection: win.blocker

macOS

Syntax:

  • You must specify full path or wildcard

  • Path or file name can contain wildcards

  • Paths are case sensitive

Examples:

  • Full path or Xcode exclusion:
    :/Applications/Xcode.app/Contents?MacOS/Xcode

  • To cover all Xcode-related executables (not only GUI app):
    /Applications/Xcode.app/*

Excluding a Certificate / Process means that files modified / created by a certain process will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

Analysis & Response Exclusions

You can exclude these elements from monitoring:

  • Process - To exclude an executable by element, MD5 and signer.

  • Certificate - To exclude processes based on the company that signs the certificate.

Syntax:

  • Process can be excluded by name only, or by full path.

    For example C:\Program Files\MyTrustedDirectory\excludeMe.exe

  • Full path can contain environment variables.

  • Full path CANNOT contain wildcards

  • Certificate

    • Microsoft

  • md5:0123456789012345

    • Exclude a process by hash.

  • Excluding a Certificate / Process means thBAat files modified / created by a certain process will not be backed up, or monitored by Anti-Ransomware and Behavioral Guard.

Excluding a file / folder / certificate from quarantine means that even if it is detected by one of the following blades: Threat Emulation / Anti-Ransomware / Anti-Bot, the file will not be quarantined:

  • Full path can contain wildcards (*).

  • Full path CANNOT contain environment variables.

You can exclude a file or process from quarantine. You can define the exclusion by these criteria: certificate, file, folder, MD5 hash, SHA1 hash, and file extension. When an element is excluded from quarantine, even if there is a detection of malware, the file is not quarantined.