I added an app to exclusions, but it is still flagged and blocked

  • February 8, 2024

Overview:
It is possible that an exclusion was set only locally on a device after an option in a pop-up window was selected.
There is a difference between application rules and exclusions. Application rules are set only locally on the device and are not added to Monitoring exclusions in a Workspace. Monitoring exclusions can be assigned to an entire Workspace.

Application rules:
Behavior Blocker creates application rules based on feedback from Anti-Malware Network lookups and/or user confirmation on a Behavior Blocker detection.
For example, Emsisoft adds a local application rule for the app abc.exe when you allow or disallow it.
Behavior Blocker removes application rules when the app concerned is removed, upgraded, or uninstalled.
Application rules are entered only in the local Emsisoft app and are not supported by or moved over to the Workspace Policies. They are maintained only locally on the endpoint itself.

Example for notification on device:
Behavior Blocker notifications have 2 options:
‘Wait, I think this is safe’
or
‘OK’

The first option adds a local ‘Always allow’ app rule.
The second option adds a local ‘Always block’ app rule.

But:
Local app rules are based on file hashes only, which means that after each program update the app rules are rendered invalid. The same applies if the app was removed/uninstalled and then reinstalled.
Monitoring exclusions are filename- or folder-based and don’t have this issue, so it is recommended to use Monitoring Exclusions.
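
The difference between the two matching models can be reproduced with a small simulation. This is an added example, not Emsisoft code: the class names, the use of SHA-256 and the constructed file contents are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    # SHA-256 is an assumption; the article does not name the hash used.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class HashRule:
    """Models a local application rule: bound to the file's content hash."""

    def __init__(self, path, action):
        self.digest = file_digest(path)
        self.action = action  # "allow" or "block"

    def matches(self, path):
        return file_digest(path) == self.digest


class PathExclusion:
    """Models a monitoring exclusion: bound to a file or folder path."""

    def __init__(self, target):
        self.target = Path(target).resolve()

    def matches(self, path):
        p = Path(path).resolve()
        return p == self.target or self.target in p.parents


def simulate_update():
    """Return (hash rule, path exclusion) match results around an update."""
    with tempfile.TemporaryDirectory() as folder:
        app = Path(folder) / "abc.exe"
        app.write_bytes(b"constructed sample: abc.exe version 1")
        rule = HashRule(app, "allow")      # created from the pop-up choice
        exclusion = PathExclusion(folder)  # folder-based exclusion
        before = (rule.matches(app), exclusion.matches(app))
        app.write_bytes(b"constructed sample: abc.exe version 2")  # update
        after = (rule.matches(app), exclusion.matches(app))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(simulate_update())
```

After the simulated update the hash rule no longer matches the file, while the folder exclusion still does.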
