Creating an exclusion list from Next-Gen Antivirus detection

Endpoint Central provides users with the ability to exclude specific files or folders from detection to prevent false positive detections and improve the overall efficiency of the platform.

By excluding files or folders from detection, users can prevent legitimate file activity from triggering alerts and avoid unnecessary interruptions to their workflow. However, it is important to exercise caution when using this option and ensure that only authorized files and folders are excluded from detection to maintain the security of the system.

Here are the steps on how to exclude files or folders from detection by Next-Gen Antivirus.

Once an incident has been marked as a false positive, Endpoint Central treats the same incident as a false positive on subsequent detections. To stop similar processes from being flagged in the future, add the incident to the Exclusion List.

How to add false positive files to the Exclusion List?

Adding a false positive process to the Exclusion List should only be done if there is a high level of certainty that it is indeed a false positive. Otherwise, it could potentially compromise the security of the device.

To add false positives to the Exclusion List, please follow the steps below:

  1. Open the Endpoint Central console and navigate to Malware Protection -> Settings -> Exclusion.
  2. Click the Add Exclusion or Import Bulk Exclusion option.
  3. Enter the details of the false positive executable.
  4. Choose the engine type (detection source) from which to exclude detection, or choose Select All to exclude the executable from every Next-Gen Antivirus engine.

You can exclude processes using any of the following techniques:

  1. Signer Certificate: The narrowest exclusion. Executables signed with the leaf certificate whose thumbprint you specify are excluded. To obtain the thumbprint of the leaf signer certificate, use a tool such as Sysinternals sigcheck.exe -i.

    Note: Thumbprint matching is case-insensitive, and the executable must carry a valid signature.

    Example: 8870483E0E833965A53F422494F1614F79286851

  2. SHA-256: Executables whose SHA-256 hash matches the given value are excluded. To retrieve the hash of an executable, use a tool such as sigcheck.exe -h. Any change to the file, including a legitimate update, produces a new hash, so the exclusion has to be refreshed after the executable is updated.

    Note: Hash matching is case-insensitive.

    Example: b07f4b15a93ee95a7679be7dd3bd4f1399f12a02e826911515de7cef54f7fd1d

  3. Executable Path: A broad exclusion. Any executable at the specified path is excluded, regardless of its hash or signature.

    Note: This method is not recommended, since ransomware may copy itself to this location and evade detection.

    Example: C:\Windows\system32\notepad.exe

  4. GLOB: A wildcard path pattern. Any executable whose path matches the pattern is excluded, which makes this broader still than a single Executable Path. Use it with care, for the same reason as above: anything placed at a matching path evades detection.

    Example: C:\*\*\notepad.exe
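As an added example (not from the Endpoint Central documentation or product), the following PowerShell script collects the values that each exclusion type keys on, using Get-AuthenticodeSignature and Get-FileHash in place of sigcheck.exe, and then evaluates a constructed exclusion list against notepad.exe. The function names, the shape of the exclusion entries and the use of PowerShell's -like operator as a stand-in for the product's GLOB matcher are assumptions; the product's actual matching logic is not documented on this page.

```powershell
# Added example (not Endpoint Central's own code). Gathers the identifiers the four
# exclusion types key on and shows which entries of a constructed exclusion list would
# match a given executable. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-ExclusionIdentifiers {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    $sig  = Get-AuthenticodeSignature -FilePath $full

    [pscustomobject]@{
        Path       = $full
        SigStatus  = $sig.Status
        # Leaf signer thumbprint; only usable for a Signer Certificate exclusion when the
        # signature is valid (the page notes the executable must have a valid signature)
        Thumbprint = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256     = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
}

function Test-Exclusion {
    param(
        [Parameter(Mandatory)]$Identifiers,             # output of Get-ExclusionIdentifiers
        [Parameter(Mandatory)][hashtable[]]$Exclusions  # assumed shape: @{ Type = ...; Value = ... }
    )

    foreach ($e in $Exclusions) {
        $hit = switch ($e.Type) {
            # Signer Certificate and SHA-256 compare case-insensitively, as the page notes
            'SignerCertificate' { ($null -ne $Identifiers.Thumbprint) -and ($Identifiers.Thumbprint -ieq $e.Value) }
            'SHA256'            { $Identifiers.Sha256 -ieq $e.Value }
            # Executable Path: exact path only; nothing about the file content is checked
            'ExecutablePath'    { $Identifiers.Path -ieq $e.Value }
            # GLOB: wildcard path. -like is an assumed stand-in for the product's matcher
            'GLOB'              { $Identifiers.Path -like $e.Value }
            default             { $false }
        }
        [pscustomobject]@{ Type = $e.Type; Value = $e.Value; Matches = [bool]$hit }
    }
}

$target = Join-Path $env:SystemRoot 'System32\notepad.exe'
$ids = Get-ExclusionIdentifiers -Path $target
$ids | Format-List

# Constructed exclusion list: the first two entries are taken from the file itself,
# the last two mirror the page's Executable Path and GLOB examples
$exclusions = @(
    @{ Type = 'SignerCertificate'; Value = $ids.Thumbprint }
    @{ Type = 'SHA256';            Value = $ids.Sha256 }
    @{ Type = 'ExecutablePath';    Value = 'C:\Windows\system32\notepad.exe' }
    @{ Type = 'GLOB';              Value = 'C:\*\*\notepad.exe' }
)
Test-Exclusion -Identifiers $ids -Exclusions $exclusions | Format-Table -AutoSize

# Model the evasion the page warns about: an unsigned file with a different hash dropped
# at the same path. The Executable Path and GLOB entries still match it; the SHA-256 and
# Signer Certificate entries do not. (Constructed identifiers, no file is written.)
$impostor = [pscustomobject]@{
    Path       = $ids.Path
    SigStatus  = 'NotSigned'
    Thumbprint = $null
    Sha256     = ('0' * 64)
}
Test-Exclusion -Identifiers $impostor -Exclusions $exclusions | Format-Table -AutoSize
```

The second table is the practical argument for preferring hash or certificate exclusions: the impostor row matches every path-based entry without carrying any of the properties that identified the legitimate binary. If notepad.exe is reported with a SigStatus other than Valid on your build, the Signer Certificate entry is simply unusable for it, which is the same constraint the console imposes.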

When the detection source of an exclusion is the Behavior Detection Engine, a Behavior Type (the alert rule that fired for the detection) must also be selected. To identify the behavior type:

  1. Open the Endpoint Central console and navigate to Malware Protection -> Incidents.
  2. Click the incident detected by the Behavior Detection Engine and open the Alerts tab.
  3. The Behavior Type is listed with the alert.
  4. Choose the Behavior Type(s) shown there when marking the incident as a false positive and adding it as an exclusion.

Excluding Folders from detection

Additionally, specific folders can be excluded from detection by the Ransomware Detection Engine in Endpoint Central. To exclude a folder from detection, follow these steps:

  1. Refer to the steps given above to create an Exclusion policy.
  2. Name the Exclusion policy and choose Ransomware Detection Engine as the detection source.
  3. Give the details of the exclusion.
  4. Choose the Allowed Folder(s) tab and add the folder you wish to exclude. Each folder must be entered separately under authorized folders. Folders can also be added from the Incidents tab when marking an incident as a False Positive and adding it as an exclusion.