Configure TDR Exclusions

To have Host Sensors ignore specific files or processes, add an exclusion that identifies the paths you do not want Host Sensors to monitor. Host Sensors do not send events to Threat Detection and Response (TDR) for files and processes on the Exclusion list.

It is important to understand the difference between the Whitelist and the Exclusion list.

Whitelist

The Whitelist identifies specific files and processes you consider safe. For changes to a file or process on the Whitelist, the Host Sensor sends the event to TDR. ThreatSync heuristics do not include changes to files on the Whitelist as incidents or indicators. ThreatSync assigns events on the Whitelist a score of 0.

You add a file or process to the Whitelist as a signature override. For more information, see Configure TDR Signature Overrides.

Exclusion list

An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any file-created or process-created events that originate from the specified directory. Exclusions also apply to baseline scans.

When you add an exclusion: 

  • You can include wildcards in the path to exclude
  • You can select whether to include all subdirectories of the specified path

Add an Exclusion

To manually add an exclusion:

  1. Log in to the TDR Web UI as an Administrator or Analyst.
  2. Select Configure > Exclusion.
  3. Click Add Exclusion.
    The Add Exclusion dialog box appears.

  4. In the Path text box, type the path to exclude.
  5. To exclude folders in the specified directory, select the Also exclude subfolders check box.
  6. From the Entities to exclude drop-down list, select whether to exclude Files and Processes, Files only, or Processes only.
  7. (Optional) In the Description text box, type a description for this exclusion.
  8. Select the hosts and groups the exclusion applies to.
    1. In the Host Name or Host Group text box, type at least three characters from the name of the host or host group to add.
      Host names and group names that include the characters appear.
      Tip! To specify all hosts, type "All Hosts". This is a built-in default group that includes all hosts that have a Host Sensor installed.
    2. Select the host or group name to add.
    3. To add other hosts or groups, repeat the previous two steps.
  9. Click Save & Close.
    The exclusion is added to the Exclusion list.
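
An added example, not WatchGuard code: a review pass over exclusion entries that flags the settings from the procedure above that widen what Host Sensors ignore. The Exclusion record shape, the wildcard characters, and the list of user-writable directory names are assumptions; only the field meanings come from the Add Exclusion dialog box.

```python
from dataclasses import dataclass, field

WILDCARDS = "*?"  # assumed wildcard characters; the page does not list them
# Assumed examples of directory names that standard users can usually write to.
USER_WRITABLE = {"temp", "tmp", "downloads", "appdata", "public", "programdata"}

@dataclass
class Exclusion:
    # Fields mirror the Add Exclusion dialog box; the record shape is hypothetical.
    path: str
    subfolders: bool = False
    entities: str = "Files and Processes"  # or "Files only" / "Processes only"
    description: str = ""
    targets: list = field(default_factory=list)  # host or host group names

def review(exc):
    """List the properties of one exclusion that widen the unmonitored area."""
    parts = exc.path.lower().rstrip("\\").split("\\")
    findings = []
    if any(c in exc.path for c in WILDCARDS):
        findings.append("wildcard in path")
    if exc.subfolders:
        findings.append("subfolders also excluded")
    if len(parts) == 1:
        findings.append("entire drive excluded")
    if USER_WRITABLE & set(parts):
        findings.append("user-writable directory")
    if exc.entities == "Files and Processes":
        findings.append("files and processes both excluded")
    if any(t.strip().lower() == "all hosts" for t in exc.targets):
        findings.append("applies to All Hosts")
    if not exc.description.strip():
        findings.append("no description recorded")
    return findings

def audit(exclusions):
    """Return (path, findings) pairs for flagged exclusions, broadest first."""
    flagged = [(e.path, review(e)) for e in exclusions if review(e)]
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)

# Constructed sample entries, not taken from any real TDR account.
SAMPLE = [
    Exclusion(r"C:\Program Files\BackupAgent\bin", False, "Files only",
              "Backup agent binaries", ["Backup Servers"]),
    Exclusion(r"C:\Users\*\AppData\Local\Temp", True, "Files and Processes",
              "", ["All Hosts"]),
    Exclusion("D:\\", True, "Processes only", "Data volume", ["File Servers"]),
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE):
        print(f"{path}: {'; '.join(findings)}")
```

Entries with several findings are the ones to narrow first, for example by scoping them to a specific host group or to Files only.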

Back Up or Import Exclusions

You can save a backup of all exclusions to an .XML file. To add the exclusions to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy exclusions configured in one managed customer account to another managed account. To avoid duplicate exclusions, the imported exclusions are merged with the existing list of exclusions.

To save the exclusions to a backup file:

  1. Select Configuration > Exclusion.
    The list of currently configured exclusions appears.
  2. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the exclusions backup file includes the current date and time. For example: 

WatchGuardTDR_SensorExclusions_2017-01-25_22-39-43.xml

To import exclusions from a saved exclusions .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The exclusions from the file are added to the Exclusion list.

Edit or Remove an Exclusion

To edit an exclusion:

  1. In the Exclusion list, to the left of the exclusion to edit, click .
    The Edit Exclusion dialog box appears.
  2. Edit the settings as described in the previous procedure.
  3. Click Save & Close.

To remove an exclusion:

  1. In the Exclusion list, to the right of the exclusion to remove, click .
  2. Select Remove Exclusion.
    A confirmation message appears.
  3. Click Yes, Delete.

See Also

Host Sensors and AV Software Exclusions