I added an app to exclusions, but it is still flagged and blocked
Overview:
It is possible that an exclusion was set only locally on a device after an option in a pop up windows was selected.
There is a difference between application rules and exclusions. Applications rules are only set locally on the device and are not added to Monitoring exclusions in a Workspace. Monitoring exclusions can be assigned to an entire Workspace.
Application rules:
Behavior Blocker creates application rules based on feedback from the Anti-Malware Network lookups and/or user confirmation on a Behavior Blocker detections.
So, Emsisoft adds a local application rule for app: abc.exe when you allow it/disallow it.
Behavior Blocker removes application rules when the concerned app is either removed/upgraded/uninstalled.
Application rules are entered only in the local Emsisoft app and are not supported/moved over to the Workspace Policies. They are only locally maintained on the endpoint itself.
Example for notification on device:
Behavior Blocker notifications have 2 options:
‘Wait, I think this is safe’
or
‘OK’
The 1st one adds a local ‘Always allow’ app rule.
The 2nd one adds a local ‘Always block’ app rule
But:
Local app rules are based on file hashes only, that means that after each program update, the app rules are rendered invalid. Same if the app was removed/uninstalled and then reinstalled.
Monitoring exclusions are filename or folder based exclusions and don’t have this issue. So it’s recommended to use Monitoring Exclusions.