Configure TDR Exclusions

If you want the Host Sensor to ignore certain files or processes, add an exclusion that identifies the paths you do not want Host Sensors to monitor. Host Sensors do not send events to Threat Detection and Response (TDR) for files and processes on the Exclusion list.

It is important to understand the difference between the Whitelist and the Exclusion list.

Whitelist

The Whitelist identifies specific files and processes you consider safe. For changes to a file or process on the Whitelist, the Host Sensor sends the event to TDR. ThreatSync heuristics do not include changes to files on the Whitelist as incidents or indicators. ThreatSync assigns events on the Whitelist a score of 0.

You add a file or process to the Whitelist as a signature override. For more information, see Configure TDR Signature Overrides.

Exclusion list

An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any file-created or process-created events that originate from the specified directory. You can also include all subdirectories in the exclusion.

Add an Exclusion

To manually add an exclusion:

  1. Log in to the TDR web UI as a user with Operator credentials.
  2. Select Configure > Exclusion.
  3. Click Add Exclusion.
    The Add Exclusion dialog box appears.

Screen shot of the Add Exclusion dialog box

  4. In the Path text box, type the path to exclude.
    You can include wildcards and environment variables in the exclusion path.
  5. To exclude folders in the specified directory, select the Also exclude subfolders check box.
  6. Select whether to exclude Files and Processes, Files only, or Processes only.
  7. (Optional) In the Description text box, type a description for this exclusion.
  8. Click Save & Close.
    The exclusion is added to the Exclusion list.
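
Because Host Sensors send no events for excluded paths, it is worth reviewing each exclusion before you save it. The following added example (not WatchGuard code and not part of TDR) checks a path, the Also exclude subfolders setting, and the selected scope for overly broad exclusions. The Exclusion tuple, the USER_WRITABLE list, the review rules, and the sample entries are assumptions made for this example.

```python
import re
from typing import NamedTuple

class Exclusion(NamedTuple):
    path: str          # value typed in the Path text box
    subfolders: bool   # "Also exclude subfolders" check box
    scope: str         # "Files and Processes", "Files only" or "Processes only"

# Assumed review policy, not a WatchGuard list: locations that standard
# users can usually write to on Windows.
USER_WRITABLE = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "%userprofile%", "%public%", r"c:\users", r"c:\programdata",
                 r"c:\windows\temp")

def review(exc: Exclusion) -> list:
    """Return the reasons an exclusion deserves a second look (empty = none)."""
    findings = []
    path = exc.path.strip().lower().replace("/", "\\").rstrip("\\")
    # A bare drive letter or a lone environment variable hides a whole tree.
    if re.fullmatch(r"[a-z]:|%[^%\\]+%", path):
        findings.append("excludes an entire drive or variable root")
    if any(path == p or path.startswith(p + "\\") for p in USER_WRITABLE):
        findings.append("user-writable location")
    # A wildcard in a directory component matches directories nobody listed.
    if any(ch in part for part in path.split("\\")[:-1] for ch in "*?"):
        findings.append("wildcard in a directory component")
    # Escalate only when the path is already flagged and processes are in scope.
    if exc.subfolders and exc.scope != "Files only" and findings:
        findings.append("process events ignored for all subfolders")
    return findings

# Constructed sample entries, not taken from any real TDR account.
SAMPLE = [
    Exclusion(r"C:\Program Files\BackupAgent\bin", False, "Files only"),
    Exclusion(r"%TEMP%", True, "Files and Processes"),
    Exclusion(r"C:\Users\*\AppData\Local\Updater", True, "Processes only"),
    Exclusion("D:\\", True, "Files only"),
]

def audit(exclusions):
    """Map each flagged path to its findings; clean entries are omitted."""
    results = {e.path: review(e) for e in exclusions}
    return {path: reasons for path, reasons in results.items() if reasons}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(f"{path}: {'; '.join(reasons)}")
```

An entry with no findings, such as the first sample path, is narrow enough that an attacker without administrative rights cannot place files in it.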

Back Up or Import Exclusions

You can save a backup of all exclusions to an .XML file. To add the exclusions to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy exclusions configured in one managed customer account to another managed account. To avoid duplicate exclusions, the imported exclusions are merged with the existing list of exclusions.

To save the exclusions to a backup file:

  1. Select Configuration > Exclusion.
    The list of currently configured exclusions appears.
  2. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the exclusions backup file includes the current date and time. For example: 

WatchGuardTDR_SensorExclusions_2017-01-25_22-39-43.xml

To import exclusions from a saved exclusions .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The exclusions from the file are added to the Exclusion list.

Edit or Remove an Exclusion

To edit an exclusion:

  1. In the Exclusion list, to the left of the exclusion to edit, click .
    The Edit Exclusion dialog box appears.
  2. Edit the settings as described in the previous procedure.
  3. Click Save & Close.

To remove an exclusion:

  1. In the Exclusion list, to the right of the exclusion to remove, click .
  2. Select Remove Exclusion.
    A confirmation message appears.
  3. Click Yes, Delete.

See Also

Host Sensors and AV Software Exclusions
