Configure TDR Exclusions

You can enable TDR exclusions for software or files that you want the TDR Host Sensor to ignore.

In some cases, the TDR Host Sensor might have conflicts with the antivirus (AV) software installed on your endpoints. To resolve this issue, you must add exclusions in the AV software and in TDR. TDR makes this easier with predefined exclusion lists for interoperability with popular third-party AV software.

If there are additional files or processes that you want the Host Sensor to ignore you can configure custom exclusions to identify paths for files and processes that you do not want Host Sensors to monitor.

Host Sensors do not send events to Threat Detection and Response (TDR) for files and processes on the Exclusion list.

Allowlist vs. Exclusion List

It is important to understand the difference between the Allowlist and the Exclusion list.


The Allowlist identifies specific files and processes you consider safe. For changes to a file or process on the Allowlist, the Host Sensor sends the event to TDR. ThreatSync heuristics do not include changes to files on the Allowlist as incidents or indicators. ThreatSync assigns events on the Allowlist a score of 0.

You add a file or process to the Allowlist as a signature override. For more information, see Configure TDR Signature Overrides.


An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any file-created or process-created events that originate from the specified directory. Exclusions also apply to baseline scans.

Manage Predefined AV Exclusions

TDR has predefined AV exclusion sets for the most common third-party AV tools. These exclusion sets include all of the recommended exclusions for the AV.

After you enable the AV exclusions in TDR, you must add the TDR exclusions to your AV software to prevent potential conflicts.

Configure Antivirus Software to Exclude the TDR Host Sensor

To avoid conflicts between TDR and your desktop antivirus software, you must also configure exclusions for TDR directories in your desktop AV software.

In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or allowlist.

The directories to exclude are:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\

c:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or allowlist.

Manage Custom Exclusions

If there are other paths or processes you need to exclude, you can add a custom exclusion. WatchGuard has tested TDR with many popular products. WatchGuard integration guides describe how to configure TDR and other products to interoperate. Often, this involves adding a custom exclusion to TDR. For information about these integrations, see Threat Detection and Response Integration Guides.

When you add a custom exclusion: 

  • You can include a wildcard character in the path to exclude
  • You can select whether to include all subdirectories of the specified path

TDR does not support Windows system variables (%%) in exclusions and does not expand system variables in its exclusions for Windows, Mac, and Linux. For example, instead of adding %userprofile%\appdata\roaming\ to exclude your roaming profile, use the asterisk (*) wildcard character C:\Users*\appdata\roaming.

Example Custom Exclusions

Back Up or Import Custom Exclusions

You can save a backup of your custom exclusions to an .XML file. To add the exclusions to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to copy custom exclusions configured in one managed customer account to another managed account. To avoid duplicate exclusions, the imported exclusions are merged with the existing list of exclusions.

See Also

TDR Deployment Best Practices

Configure TDR Policies