Create anti-malware exceptions

Files that are not malicious can be falsely identified as malware if they share certain characteristics with malware. If a file is known to be benign and is identified as malware, you can create an exception for that file. When an exception is created, the file does not trigger an event when Deep Security scans the file.

For an overview of the anti-malware module, see Protect against malware.

You can also exclude files from real-time, manual, and scheduled scans. See Specify the files to scan.

Exceptions can be created for the following types of malware and malware scans:

Deep Security maintains a list of exceptions for each type of malware scan in policy and computer properties.

  1. To see the lists of exceptions, open the policy or computer editor.
  2. Click Anti-Malware > Advanced.
    The exceptions are listed in the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, and Behavior Monitoring Protection Exceptions sections.

See also Scan exclusion recommendations.

Create an exception from an anti-malware event

When a file is identified as malware, Deep Security generates an anti-malware event. If you know that the file is benign, you can create an exception for the file from the event report.

  1. Click Events & Reports > Events > Anti-Malware Events and locate the malware detection event.
  2. Right-click the event.
  3. Select Allow.

Manually create an anti-malware exception

You can manually create anti-malware exceptions for spyware or grayware, document exploit protection rules, predictive machine learning, and behavior monitoring exceptions. To add the exception, you need specific information from the anti-malware event that the scan generated. The type of malware or scan determines the information that you need:

  • Spyware or grayware: The value in the “MALWARE” field, for example SPY_CCFR_CPP_TEST.A
  • Document exploit protection rules: The value in the “MALWARE” field, for example HEUR_OLEP.EXE
  • Predictive machine learning: The SHA1 digest of the file from the “FILE SHA-1” field, for example 3395856CE81F2B7382DEE72602F798B642F14140
  • Behavior monitoring: The process image path, for example C:\test.exe
  • The field values are case-sensitive. Copy the field value exactly as it appears in the event log.
  1. Click Events & Reports > Events > Anti-Malware Events and copy the field value that is required to identify the malware.
  2. Open the policy or computer editor where you want to create the exception.
  3. Click Anti-Malware > Advanced.
  4. In the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, or Behavior Monitoring Protection Exceptions section, enter the information from the event in the text box.
  5. Click Add.

Exception strategies for spyware and grayware

When spyware is detected the malware can be immediately quarantined, depending on the malware scan configuration that controls the scan. After you create the exception for a spyware or grayware event, you might have to restore the quarantined file. (See Restore quarantined files.)

Alternatively, you can temporarily scan for spyware and grayware with the action set to "Pass" so that all spyware and grayware detections are recorded on the Anti-Malware Events page but neither quarantined nor deleted. You can then create exceptions for the detected spyware and grayware. When your exception list is robust, you can set the action to "Quarantine" or "Delete" modes.

For information about setting the action, see Configure how to handle malware.

Scan exclusion recommendations

The best and most comprehensive source for scan exclusions is from the software vendor. The following are some high-level scan exclusion recommendations:

  • Quarantine folders (such as SMEX on Microsoft Windows Exchange Server) should be excluded to avoid rescanning files that have already been confirmed to be malware.
  • Large databases and database files (for example, dsm.mdf and dsm.ldf) should be excluded because scanning could impact database performance. If it is necessary to scan database files, you can create a scheduled task to scan the database during off-peak hours. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list:

    ${ProgramFiles}\Microsoft SQL Server\MSSQL\Data\

    ${Windir}\WINNT\Cluster\ # if using SQL Clustering

    Q:\ # if using SQL Clustering

For a list of recommended scan exclusions, see the Trend Micro recommended scan exclusion list. Microsoft also maintains an Anti-Virus Exclusion List that you can use as a reference for excluding files from scanning on Windows servers.