Creating an exclusion list from Next-Gen Antivirus detection

Endpoint Central lets you exclude specific files or folders from Next-Gen Antivirus detection, to prevent false positive detections and reduce unnecessary alerts.

By excluding files or folders from detection, you prevent legitimate file activity from triggering alerts and avoid unnecessary interruptions to your workflow. However, use this option with caution: every exclusion is a blind spot that the antivirus will no longer inspect, so exclude only files and folders you have verified as legitimate.

The sections below describe how to exclude files or folders from detection by Next-Gen Antivirus.

If an incident is marked as a false positive when it is first detected, Endpoint Central automatically treats subsequent detections of the same incident as false positives. To stop similar processes from being flagged in the future, add the incident to the Exclusion List.


How to add false positive files to the Exclusion List?

Add a process to the Exclusion List only when you are highly certain that the detection is a false positive. Otherwise the exclusion could compromise the security of the device.

To add false positives to the Exclusion List, please follow the steps below:

  • Navigate to the Settings section and select Exclusion from the left pane.
  • Click Add Exclusion or Import Bulk Exclusion.
  • Enter the details of the false positive executable.
  • Choose the engine type from which to exclude detection, or choose Select All to exclude the executable from every engine of the Next-Gen Antivirus.

You can identify the processes to exclude using any of the following methods:

  • Signer Certificate: Executables signed with the leaf certificate whose thumbprint you specify are excluded. This keeps the exclusion tied to the publisher rather than to a file name or location. To obtain the thumbprint of the leaf signer certificate, use a tool such as Sysinternals sigcheck.exe with the -i option.

    Note: The thumbprint is case-insensitive, and the executable must have a valid signature; the exclusion applies only when the signature validates.

    Example: 8870483E0E833965A53F422494F1614F79286851


  • SHA-256: Executables whose SHA-256 hash matches the specified value are excluded. Because the hash changes with every byte of the file, this method covers exactly one build of the executable and must be updated when the executable is patched. To retrieve the hash, use a tool such as sigcheck.exe with the -h option, or PowerShell's Get-FileHash.

    Note: The hash value is case-insensitive.

    Example: b07f4b15a93ee95a7679be7dd3bd4f1399f12a02e826911515de7cef54f7fd1d


  • Executable Path: Any executable at the specified path is excluded, regardless of its hash or signature.

    Note: This method is not recommended, since malware (ransomware in particular) can copy itself to, or overwrite the file at, the excluded path and evade detection.

    Example: C:\Windows\system32\notepad.exe


  • GLOB: A wildcard path pattern; any executable whose path matches the pattern is excluded. This is the broadest of the four methods, so use it with care: every location the pattern matches becomes a place where a threat can run uninspected.

    Example: C:\*\*\notepad.exe

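Before an entry goes into Add Exclusion or Import Bulk Exclusion, you want the exact SHA-256 hash and the leaf signer thumbprint of the executable, and confirmation that its signature actually validates (otherwise a signer-based exclusion will not apply). The PowerShell script below collects those values for a list of executables using only built-in cmdlets. It is an added example, not ManageEngine's code; the sample paths and the CSV layout are assumptions for illustration, and the CSV is not Endpoint Central's bulk-import format.

```powershell
# Added example: gather the identifiers an exclusion entry needs
# (SHA-256 hash, leaf signer thumbprint, signature status) for a set of executables.
# Uses only built-in cmdlets: Get-FileHash and Get-AuthenticodeSignature.

function Get-ExclusionIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "Not found, skipping: $p"
                continue
            }

            # SHA-256 of the file contents: the value for a hash-based exclusion.
            # Get-FileHash returns uppercase hex; the exclusion list is case-insensitive.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()

            # Authenticode check. SignerCertificate is the leaf (signing) certificate,
            # and its thumbprint is what a signer-certificate exclusion expects.
            $sig = Get-AuthenticodeSignature -LiteralPath $p
            $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '(unsigned)' }

            [pscustomobject]@{
                Path              = $p
                SHA256            = $hash
                SignatureStatus   = $sig.Status
                Signer            = $subject
                SignerThumbprint  = $thumb
                # A signer-based exclusion is only usable when the signature validates.
                SignerExclusionOK = [bool]($sig.Status -eq 'Valid' -and $thumb)
            }
        }
    }
}

# Constructed sample input (assumed paths): two Windows binaries and a hypothetical
# unsigned tool. Replace with the executables that produced the false positives.
$sample = @(
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\System32\calc.exe',
    "$env:TEMP\unsigned-tool.exe"
)

$results = $sample | Get-ExclusionIdentity

# Review before adding anything to the Exclusion List. A row with
# SignerExclusionOK = False should be excluded by SHA-256 (or not at all), never by signer.
$results | Format-Table Path, SHA256, SignatureStatus, SignerThumbprint, SignerExclusionOK -AutoSize

# Keep a record of what was excluded and why (column layout is this script's own).
$results | Export-Csv -NoTypeInformation -Path "$env:TEMP\av-exclusion-candidates.csv"
```

Prefer the Signer Certificate or SHA-256 value from this output over the Executable Path or GLOB methods: both are bound to the binary itself, so a file dropped at the same location by malware does not inherit the exclusion. Remember that a SHA-256 entry goes stale when the executable is updated, so re-run the script after patching and refresh the entry.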

Additionally, specific folders can be excluded from detection by Endpoint Central. To exclude a folder:

  • In the Settings section, click the Exclusions option.
  • Choose the Folders tab and add the path of the folder you wish to exclude. Each folder must be entered separately under authorized folders.