Configure advanced exploit exceptions

Files that are not malicious can be falsely identified as malware if they share certain characteristics with malware. If a file is known to be benign and is identified as malware, you can create an exception for that file. When an exception is created, the file does not trigger an event when Deep Security scans the file.

For an overview of the anti-malware module, see About Anti-Malware.

You can also exclude files from real-time, manual, and scheduled scans. For more information, see Specify the files to scan.

Exceptions can be created for the following types of malware and malware scans:

You can also exclude files from Anti-Malware scanning if they are signed by a trusted certificate. This feature is supported with Deep Security Agent 20.0.0-3445+ on Windows. For details, see Exclude files signed by a trusted certificate.

Deep Security maintains a list of exceptions for each type of malware scan in policy and computer properties.

  1. To see the lists of exceptions, open the policy or computer editor.
  2. Click Anti-Malware > Advanced.
    The exceptions are listed in the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, Behavior Monitoring Protection Exceptions, and Trusted Certificates Detection Exceptions sections.

See also Scan exclusion recommendations.

Create an exception from an anti-malware event

When a file is identified as malware, Deep Security generates an anti-malware event. If you know that the file is benign, you can create an exception for the file from the event report, as follows:

  1. Click Events & Reports > Events > Anti-Malware Events and locate the malware detection event.
  2. Right-click the event.
  3. Select Allow.

Manually create an anti-malware exception

You can manually create anti-malware exceptions for spyware or grayware, document exploit protection rules, predictive machine learning, and behavior monitoring exceptions. To add the exception, you need specific information from the anti-malware event that the scan generated. The type of malware or scan determines the information that you need:

  • Spyware or grayware: The value in the MALWARE field, for example SPY_CCFR_CPP_TEST.A
  • Document exploit protection rules: The value in the MALWARE field, for example HEUR_OLEP.EXE
  • Predictive machine learning: The SHA1 digest of the file from the FILE SHA-1 field, for example 3395856CE81F2B7382DEE72602F798B642F14140
  • Behavior monitoring: The process image path, for example C:\test.exe
  1. Click Events & Reports > Events > Anti-Malware Events and copy the field value that is required to identify the malware.
  2. Open the policy or computer editor where you want to create the exception.
  3. Click Anti-Malware > Advanced.
  4. In the Allowed Spyware/Grayware, Document Exploit Protection Rule Exceptions, Predictive Machine Learning Detection Exceptions, or Behavior Monitoring Protection Exceptions section, enter the information from the event in the text box.
  5. Click Add.

Exception List Wildcard Support

The Behavior Monitoring Protection Exceptions list supports the use of wildcard characters when defining file path, file name, and file extension exception types. Use the following table to properly format your exception lists to ensure that Deep Security excludes the correct files and folders from scanning.

Supported wildcard characters:

  • Asterisk (*): Represents any character or string of characters

Note that the Behavior Monitoring Protection Exceptions list does not support the use of wildcard characters to replace system drive designations or within Universal Naming Convention (UNC) addresses.

Exception Type Wildcard Usage Matched Not Matched
Directories

C:\*

Excludes all files and folders on the specified drive

  • C:\sample.exe
  • C:\folder\test.doc
  • D:\sample.exe
  • E:\folder\test.doc
Specific files under a specific folder level

C:\*\Sample.exe

Excludes the Sample.exe file only if the file is located in any subfolder of the C:\ directory

  • C:\files\Sample.exe
  • C:\temp\files\Sample.exe
  • C:\sample.exe
Universal Naming Convention (UNC) paths

\\<UNC path>\*\Sample.exe

Excludes the Sample.exe file only if the file is located in any subfolder of the specified UNC path

  • \\<UNC path>\files\Sample.exe
  • \\<UNC path>\temp\files\Sample.exe
  • R:\files\Sample.exe

    Reason: Mapped drives are not supported.

  • \\<UNC path>\Sample.exe

    Reason: The file does not exist within a subfolder of the UNC path.

File names and extensions

C:\*.*

Excludes all files with extensions in all folders and subfolders of the C:\ directory

  • C:\Sample.exe
  • C:\temp\Sample.exe
  • C:\test.doc
  • D:\sample.exe
  • C:\Sample

    Because C:\Sample does not have a file extension, it is not a match for the exception.

File names

C:\*.exe

Excludes all files with the .exe extension in all folders and subfolders of the C:\ directory

  • C:\Sample.exe
  • C:\temp\test.exe
  • C:\Sample.doc
  • C:\temp\test.bat
  • C:\Sample

    Because C:\Sample does not have a file extension, it is not a match for the exception.

File extensions

C:\Sample.*

Excludes all files with the name Sample and any extension in the C:\ directory

  • C:\Sample.exe
  • C:\Sample1.doc
  • C:\temp\Sample.bat
  • C:\Sample

    Because C:\Sample does not have a file extension, it is not a match for the exception.

Files in specific directory structures

C:\*\*\Sample.exe

Excludes all files located within the second subfolder level or any subsequent subfolders of the C:\ directory with the file name and extension Sample.exe

  • C:\files\temp\Sample.exe
  • C:\files\temp\test\Sample.exe
  • C:\Sample.exe
  • C:\temp\Sample.exe
  • C:\files\temp\Sample.doc

Exception strategies for spyware and grayware

When spyware is detected, the malware can be immediately cleaned, quarantined, or deleted, depending on the malware scan configuration that controls the scan. After you create the exception for a spyware or grayware event, you might have to restore the file. For more information, see Restore identified files .

Alternatively, you can temporarily scan for spyware and grayware with the action set to Pass so that all spyware and grayware detections are recorded on the Anti-Malware Events page but not cleaned, quarantined, or deleted. You can then create exceptions for the detected spyware and grayware. When your exception list is robust, you can set the action to Clean, Quarantine, or Delete modes.

For information about setting the action, see Configure malware handling.

Scan exclusion recommendations

The best and most comprehensive source for scan exclusions is from the software vendor. The following are some high-level scan exclusion recommendations:

  • Quarantine folders (such as SMEX on Microsoft Windows Exchange Server) should be excluded to avoid rescanning files that have already been confirmed to be malware.
  • Large databases and database files (for example, dsm.mdf and dsm.ldf) should be excluded because scanning could impact database performance. If it is necessary to scan database files, you can create a scheduled task to scan the database during off-peak hours. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list:
  • For Windows:

    ${ProgramFiles}\Microsoft SQL Server\MSSQL\Data\

    ${Windir}\WINNT\Cluster\ # if using SQL Clustering

    Q:\ # if using SQL Clustering

    For Linux:

    /var/lib/mysql/ # if path is set to this Data Location of MySQL in the machine.

    /mnt/volume-mysql/ # if path is set to this Data Location of MySQL in the machine.

For a list of recommended scan exclusions, see the Trend Micro recommended scan exclusion list. Microsoft also maintains an Anti-Virus Exclusion List that you can use as a reference for excluding files from scanning on Windows servers.

Exclude files signed by a trusted certificate

If you have signed applications and want to exclude all activities of those processes from real-time Anti-Malware scanning (including file scans, behavior monitoring, and predictive machine learning), you can add the digital certificate to your trusted certificate list in Deep Security Manager, as follows:

  1. In the policy or computer editor, go to Anti-Malware > Advanced.
  2. In the Trusted Certificates Detection Exemptions section, set Exclude files with trusted certificate to "Yes" or "Inherited (Yes)".
  3. Select Manage Certificate List.
  4. The Trusted Certificates window displays any certificates you have imported. Select Import From File to add another one for scan exclusions.
  5. Choose the certificate file and then select Next.
  6. Review the certificate summary that's displayed and set Trust this certificate for to Scan Exclusions. Select Next.
  7. The Summary page indicates whether the import was successful. Select Close.

This type of exclusion is supported with Deep Security Agent 20.0.0-3445+ on Windows.

The imported certificate appears in the Trusted Certificates list with the Purpose listed as Exception.

Deep Security checks the exemption list when a process starts. If a process is running before the exemption is configured, the process will not be added to the exemption list until it is restarted.