How to add a Monitoring Exclusion after our lab whitelisted the app?
Overview:
If a quarantined app was submitted to our lab and subsequently whitelisted as explained here, it usually needs to be added to Monitoring Exclusions, especially if the app is not digitally signed.
If the app is not added, it will be flagged every time it is updated without the necessary certificate.
How to add an app to Monitoring Exclusions:
First, you need to identify the path where the file is located.
Please open Emsisoft and click on: Logs
Then double click the file you want to exclude:
Copy the path:
Next, log into my.emsisoft.com, open the Workspace, and click on Protection Policies.
Choose the desired protection group where you want to apply the Monitoring Exclusion.
It is best to apply exclusions at the root level, which always has the name of the Workspace. All subgroups or child groups inherit the settings from the root level.
Further changes can then be made at the subgroup level or the device level.
Next, scroll down on the right to: Exclude from monitoring
Add the desired exclusion for the app by clicking on: Add programs and add the path that you previously copied from the log.
While you can exclude complete folders, this is not recommended for security reasons. Instead, we recommend only adding the affected file to the exclusions. For example, instead of excluding:
C:\Program Files\Folder\
We recommend excluding:
C:\Program Files\Folder\abc.exe
The Exclusions section also allows you to view and edit the list of files, folders, and programs that should be exempt from scanning or monitoring.
An exclusion can be easily removed at any time by clicking the Trash can icon.
Best practices
We recommend creating and assigning a Personal Policy Template (or a Partner Policy Template if you are an Emsisoft Partner) to globally exclude the app from monitoring. Assign it in the Workspace under Protection Policies, to the Protection Policy group that the device is to be in.
Tips & Tricks
- Files cannot be excluded using filenames only. A path or environment variable needs to precede the filename. For example, c:\temp\xyz.exe or %temp%\xyz.exe
- Excluded folder names must always end with a backslash. For example, c:\temp\
- Excluded folder names automatically exclude sub folders. For example, c:\temp\ also excludes c:\temp\apps\
- While it is possible to exclude an app by name only (*nameofapp.exe*), this is not recommended, as malware could potentially use the same name. This has happened before, especially with widely used apps. Instead, we recommend using the complete folder path, for example C:\Program Files\Foldername\xxx.exe, or the short version: .\Foldername\xxx.exe
Wildcards and environment variables
You may use wildcards or environment variables.
When using wildcards:
? matches any single character and * matches any sequence of characters.
Correct examples for Wildcards
Exclusion | What it excludes | Excludes subfolders |
c:\temp\* or c:\temp\ | Excludes all files in c:\temp\ | X |
%temp%\* or %temp%\ | Excludes all files in %temp% | X |
%temp%\apps\ | Excludes all files in %temp%\apps\ | X |
c:\temp\%USERNAME%\*.tmp | Excludes all .tmp files in c:\temp\%USERNAME%\ | X |
c:\temp\*.exe | Excludes all .exe files in c:\temp\ | X |
Environment variables
Open the Emsisoft app locally and click on: Settings
Click on Environment variables to open the Environment variables tester.
Click on a variable to see details of what will be excluded.
Variables as they are seen by the software service do not necessarily resolve to the same paths that you can see as a user. Most variables resolve to multiple paths because the software protects at the system level, across all user accounts.
The Environment variables tester is invaluable for verifying exactly what paths will be excluded if you use a particular variable. Simply select a variable placeholder from the scrollable list on the left and the corresponding paths will be displayed in the adjacent pane to the right.
The Copy selected button copies the placeholder to the clipboard so that you can quickly and easily paste it when creating an exclusion. Please note that a trailing backslash must be added after the placeholder to indicate that it is a path, for example: %temp%\
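The following is an added example, not Emsisoft code: a small Python helper that reviews a list of planned exclusion entries against the rules in the Tips & Tricks and wildcard sections before they are entered in a policy. The finding codes, function names and sample list are assumptions made for this example, and the helper does not reproduce how the product itself matches paths.

```python
import re

# Finding codes, each tied to a rule stated in this article (the labels are this example's own).
FINDINGS = {
    "NO_PATH": "filename only; a path or environment variable must precede it",
    "NAME_ONLY": "name-only wildcard; malware could use the same name",
    "FOLDER": "whole folder, subfolders included; exclude the single file instead",
    "WILDCARD_FILE": "wildcard in the file name; covers every matching file in the folder",
    "ENV_VAR": "variable may resolve to multiple paths; check the Environment variables tester",
}

def _has_wildcard(text: str) -> bool:
    return "*" in text or "?" in text

def review_exclusion(entry: str) -> list[str]:
    """Return finding codes for one entry; an empty list means a single-file path."""
    e = entry.strip()
    if "\\" not in e:
        # No folder component at all: either a bare name or a name-only wildcard.
        return ["NAME_ONLY" if _has_wildcard(e) else "NO_PATH"]
    findings = []
    leaf = e.rpartition("\\")[2]  # text after the last backslash
    if leaf in ("", "*"):
        findings.append("FOLDER")  # c:\temp\ and c:\temp\* both cover the folder
    elif _has_wildcard(leaf):
        findings.append("WILDCARD_FILE")
    if re.search(r"%[^%\\]+%", e):
        findings.append("ENV_VAR")
    return findings

def review_list(text: str) -> dict[str, list[str]]:
    """Review one entry per line, skipping blank lines."""
    return {ln.strip(): review_exclusion(ln) for ln in text.splitlines() if ln.strip()}

# Constructed sample list, built from the example paths used in this article.
SAMPLE = r"""
C:\Program Files\Folder\abc.exe
C:\Program Files\Folder\
c:\temp\*.exe
c:\temp\%USERNAME%\*.tmp
%temp%\
*nameofapp.exe*
xyz.exe
"""

if __name__ == "__main__":
    for entry, codes in review_list(SAMPLE).items():
        print(entry)
        for code in codes or ["OK"]:
            print("   ", code, "-", FINDINGS.get(code, "single file with a path"))
```

Entries that come back with no findings are the narrow, single-file form the article recommends; any entry flagged ENV_VAR should still be checked in the Environment variables tester to see which paths it resolves to.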