Topics on this page
Create Anti-Malware exceptions
Files that are not malicious can be falsely identified as malware if they share certain characteristics with malware. If a file is known to be benign and is identified as malware, you can create an exception for that file or the rule which detected the file. When an exception is created, Workload Security does not trigger an event for the excepted file or rule.
For an overview of the Anti-Malware module, see Protect against malware.
You can also exclude files from real-time, manual, and scheduled scans. See Specify the files to scan.
Exceptions can be created for the following types of malware and malware scans:
- Anti-Malware scans
- Predictive Machine Learning scans ( see Detect emerging threats using Predictive Machine Learning).
- Scans for spyware and grayware (see Scan for spyware and grayware).
- Behavior monitoring protection (see Enhanced Anti-Malware and ransomware scanning with behavior monitoring).
You can also exclude files from Anti-Malware scanning if they are signed by a trusted certificate. This feature is supported with version 20.0.0-3445 or later agents on Windows. For details, see Exclude files signed by a trusted certificate.
Workload Security maintains a list of exceptions for each type of malware scan in policy and computer properties. To see the lists of exceptions, open the Policy or Computer editor and click Anti-Malware > Advanced.
You can view and edit the following exception lists:
- Allowed Spyware/Grayware: Allow applications identified as Spyware or Grayware to remain on some systems. Use the Anti-Malware spyware detection events to add exceptions.
- Rule Exceptions: Create detection exceptions based on rule ID. Locate rule IDs by viewing events in Events & Reports. Rule exceptions apply to both Anti-Malware Scans and Behavior Monitoring.
- Behavior Monitoring Protection Exceptions: Exempt files from Behavior Monitoring Protection detection.
- Predictive Machine Learning Detection Exceptions: Exempt files based on their SHA1 hash.
- Trusted Certificates Detection Exceptions: Choose whether to except files with a trusted certificate from detections.
See also Scan exclusion recommendations.
Create an exception from an Anti-Malware event
When a file is identified as malware, Workload Security generates an Anti-Malware event. If you know that the file is benign, you can create an exception for the file from the event report:
- Click Events & Reports > Events > Anti-Malware Events and locate the malware detection event.
- Right-click the event.
- Select Allow.
Manually create an Anti-Malware exception
Creating more than 512 Anti-Malware exception entries will cause exceptions to stop working.
You can manually create Anti-Malware exceptions using the exception lists. To add an exception manually, you need specific information from the Anti-Malware event that the scan generated. The type of malware or scan determines the information that you need:
- Allowed Spyware/Grayware: The value in the MALWARE field, for example
SPY_CCFR_CPP_TEST.A. -
Rule Exceptions: The rule ID found in the Threat Information section of the Anti-Malware Event Viewer. For example,
RAN4685T.Rule IDs are case sensitive. Creating rule exceptions using rule ID for machine learning-related TRX malware (such as Ransom.Win32.TRX) or VSAPIX malware (such as Trojan.Win32.VSX.PE04C93) is not supported at this time.
-
Behavior Monitoring Protection Exceptions: The process image path, for example
C:\test.exe. - Predictive Machine Learning Detection Exceptions: The SHA1 digest of the file from the FILE SHA-1 field, for example
3395856CE81F2B7382DEE72602F798B642F14140.
To add an exception manually:
- Click Events & Reports > Events > Anti-Malware Events and copy the field value that is required to identify the malware.
- Open the policy or computer editor where you want to create the exception.
- Click Anti-Malware > Advanced.
- In the Allowed Spyware/Grayware, Rule Exceptions, Behavior Monitoring Protection Exceptions, or Predictive Machine Learning Detection Exceptions: section, enter the information from the event in the text box.
- Click Add.
- Click Save.
Exception List Wildcard Support
The Behavior Monitoring Protection Exceptions list supports the use of wildcard characters when defining file path, file name, and file extension exception types. Use the following table to properly format your exception lists to ensure that Workload Security excludes the correct files and folders from scanning.
Supported wildcard characters:
- Asterisk (*): Represents any character or string of characters
Note that the Behavior Monitoring Protection Exceptions list does not support the use of wildcard characters to replace system drive designations or within Universal Naming Convention (UNC) addresses.
| Exception Type | Wildcard Usage | Matched | Not Matched |
|---|---|---|---|
| Directories |
C:\* Excludes all files and folders on the specified drive |
|
|
| Specific files under a specific folder level |
C:\*\Sample.exe Excludes the |
|
|
| Universal Naming Convention (UNC) paths |
\\<UNC path>\*\Sample.exe Excludes the |
|
|
| File names and extensions |
C:\*.* Excludes all files with extensions in all folders and subfolders of the |
|
|
| File names |
C:\*.exe Excludes all files with the |
|
|
|
File extensions |
C:\Sample.* Excludes all files with the name |
|
|
| Files in specific directory structures |
C:\*\*\Sample.exe Excludes all files located within the second subfolder level or any subsequent subfolders of the |
|
|
Exception strategies for spyware and grayware
When spyware is detected, the malware can be immediately cleaned, quarantined, or deleted, depending on the malware scan configuration that controls the scan. After you create the exception for a spyware or grayware event, you might have to restore the file. See Restore identified files.
Alternatively, you can temporarily scan for spyware and grayware with the action set to Pass so that all spyware and grayware detections are recorded on the Anti-Malware Events page but not cleaned, quarantined, or deleted. You can then create exceptions for the detected spyware and grayware. When your exception list is robust, you can set the action to Clean, Quarantine, or Delete modes.
For information, see Configure how to handle malware.
Scan exclusion recommendations
The best and most comprehensive source for scan exclusions is from the software vendor. The following are some high-level scan exclusion recommendations:
- Quarantine folders (such as SMEX on Microsoft Windows Exchange Server) should be excluded to avoid rescanning files that have already been confirmed to be malware.
- Large databases and database files (for example,
dsm.mdfanddsm.ldf) should be excluded because scanning could impact database performance. If it is necessary to scan database files, you can create a scheduled task to scan the database during off-peak hours. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list:
For Windows:
${ProgramFiles}\Microsoft SQL Server\MSSQL\Data\
${Windir}\WINNT\Cluster\ # if using SQL Clustering
Q:\ # if using SQL Clustering
For Linux:
/var/lib/mysql/ # if path is set to this Data Location of MySQL in the machine.
/mnt/volume-mysql/ # if path is set to this Data Location of MySQL in the machine.
For a list of recommended scan exclusions, see the Recommended scan exclusion list for Trend Micro Endpoint products. Microsoft also maintains an Anti-Virus Exclusion List that you can use as a reference for excluding files from scanning on Windows servers.
Exclude files signed by a trusted certificate
If you have signed applications and want to exclude all activities of those processes from real-time Anti-Malware scanning (including file scans, behavior monitoring, and predictive machine learning), you can add the digital certificate to your trusted certificate list in Workload Security.
This type of exclusion is supported with the agent version 20.0.0-3549 or later on Windows.
- In the policy or computer editor, go to Anti-Malware > Advanced.
- In the Trusted Certificates Detection Exemptions section, set Exclude files with trusted certificate to Yes or Inherited (Yes).
- Select Manage Certificate List.
- The Trusted Certificates window displays any certificates you have imported. Select Import From File to add another one for scan exclusions.
- Choose the certificate file and then select Next.
- Review the certificate summary that's displayed and set Trust this certificate for to Scan Exclusions. Select Next.
- The Summary page indicates whether the import was successful. Select Close.
The imported certificate appears in the Trusted Certificates list with the Purpose listed as Exception.
Workload Security checks the exemption list when a process starts. If a process is running before the exemption is configured, the process are not added to the exemption list until it is restarted.