Configure TDR Exclusions

You can enable TDR exclusions for software or files that you want the TDR Host Sensor to ignore.

In some cases, the TDR Host Sensor might have conflicts with the antivirus (AV) software installed on your endpoints. To resolve this issue, you must add exclusions in the AV software and in TDR. TDR makes this easier with predefined exclusion lists for interoperability with popular third-party AV software.

If there are additional files or processes that you want the Host Sensor to ignore, you can configure custom exclusions that identify the paths of files and processes you do not want Host Sensors to monitor.

Host Sensors do not send events to Threat Detection and Response (TDR) for files and processes on the Exclusion list.

Allowlist vs. Exclusion List

It is important to understand the difference between the Allowlist and the Exclusion list.

Allowlist

The Allowlist identifies specific files and processes you consider safe. For changes to a file or process on the Allowlist, the Host Sensor sends the event to TDR. ThreatSync heuristics do not include changes to files on the Allowlist as incidents or indicators. ThreatSync assigns events on the Allowlist a score of 0.

You add a file or process to the Allowlist as a signature override. For more information, see Configure TDR Signature Overrides.

Exclusion

An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any file-created or process-created events that originate from the specified directory. Exclusions also apply to baseline scans.

Manage Predefined AV Exclusions

TDR has predefined AV exclusion sets for the most common third-party AV tools. These exclusion sets include all of the recommended exclusions for the AV.

After you enable the AV exclusions in TDR, you must add the TDR exclusions to your AV software to prevent potential conflicts.

To add a predefined AV exclusion:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. Select the AV tab.
    The Exclusion page with the list of predefined AV exclusion sets opens.
  5. To enable an AV exclusion set, select the Enabled check box for the AV software.
    This applies the exclusions to all Hosts and Host Groups.
  6. To apply the AV exclusion set to specific Hosts or Host Groups, click the arrow for the AV software. In the Hosts/Groups text box, type the name of the Host or Host Group then select the appropriate name from the drop-down list.
  7. Click Save & Close.

To view the excluded paths and processes:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. Select the AV tab.
    The Exclusion page with the list of AVs opens.
  5. Select the arrow for the AV software.
    The AV dialog box opens with the exclusions at the bottom.

You can filter the exclusions by path, whether they exclude subfolders, which entities are excluded, or description. You cannot edit the exclusion set. If you need to customize the exclusions, you must do it manually.

To view a list of all exclusions applied to hosts and groups:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. Select the Applied tab.
    The Applied page opens with the Host tab selected.
  5. Select the arrow next to the host you want to view.
    The Host dialog box opens.
  6. To view a list of all exclusions by group, select the Group tab.
  7. Select the arrow next to the group you want to view.
    The Group dialog box opens.

Configure Antivirus Software to Exclude the TDR Host Sensor

To avoid conflicts between TDR and your desktop antivirus software, you must also configure exclusions for TDR directories in your desktop AV software.

In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or allowlist.

The directories to exclude are:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\

c:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or allowlist.

Manage Custom Exclusions

If there are other paths or processes you need to exclude, you can add a custom exclusion. WatchGuard has tested TDR with many popular products. WatchGuard integration guides describe how to configure TDR and other products to interoperate. Often, this involves adding a custom exclusion to TDR. For information about these integrations, see Threat Detection and Response Integration Guides.

When you add a custom exclusion: 

  • You can include a wildcard character in the path to exclude
  • You can select whether to include all subdirectories of the specified path

TDR does not support Windows system variables (%%) in exclusions and does not expand system variables in exclusions for Windows, Mac, or Linux. For example, instead of adding %userprofile%\appdata\roaming\ to exclude your roaming profile, use the asterisk (*) wildcard character: C:\Users\*\appdata\roaming.
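As an added illustration, not TDR's own matching code, the Python below models the custom exclusion rules described above: a wildcard path, the subfolders option, the entity filter, and the fact that a %VAR% form is matched literally rather than expanded. It assumes that `*` matches within a single path segment and that paths compare case-insensitively; the exclusions and events are constructed samples.

```python
import re
from dataclasses import dataclass

@dataclass
class Exclusion:
    path: str          # may contain '*'; %VAR% is NOT expanded (matched literally)
    subfolders: bool   # the "Also exclude subfolders" check box
    entities: str      # "files", "processes" or "both"
    description: str = ""

def _path_regex(path, subfolders):
    # Windows paths are case-insensitive; normalise separators and case.
    norm = path.replace("/", "\\").rstrip("\\").lower()
    # Assumption: '*' matches within a single path segment, never across '\'.
    body = r"[^\\]*".join(re.escape(p) for p in norm.split("*"))
    # Without subfolders only direct children match; with it, any depth.
    tail = r"(\\.*)?$" if subfolders else r"(\\[^\\]+)?$"
    return re.compile("^" + body + tail)

def is_excluded(event_kind, event_path, exclusions):
    """True if a Host Sensor would ignore this file/process event."""
    target = event_path.replace("/", "\\").lower()
    for ex in exclusions:
        if ex.entities not in ("both", event_kind):
            continue
        # A literal %userprofile% never equals a real path, so that rule is dead.
        if _path_regex(ex.path, ex.subfolders).match(target):
            return True
    return False

def unused_exclusions(events, exclusions):
    """Exclusions that matched no observed event: candidates to review or remove."""
    hit = {i for i, ex in enumerate(exclusions)
           for kind, path in events if is_excluded(kind, path, [ex])}
    return [ex.description for i, ex in enumerate(exclusions) if i not in hit]

# Constructed exclusions, including the unsupported %VAR% form from the text.
EXCLUSIONS = [
    Exclusion(r"C:\Users\*\appdata\roaming", True, "both", "roaming profile"),
    Exclusion(r"%userprofile%\appdata\roaming", True, "both", "unsupported form"),
    Exclusion(r"C:\Tools\Build", False, "files", "build output, top level only"),
]
# Constructed sample events: (entity kind, full path).
EVENTS = [
    ("files", r"C:\Users\alice\AppData\Roaming\app\cache.db"),
    ("processes", r"C:\Users\bob\AppData\Roaming\updater.exe"),
    ("files", r"C:\Tools\Build\out.o"),
    ("files", r"C:\Tools\Build\obj\x.o"),
    ("processes", r"C:\Tools\Build\make.exe"),
]

def evaluate(events=EVENTS, exclusions=EXCLUSIONS):
    return [(k, p, is_excluded(k, p, exclusions)) for k, p in events]
```

Run `evaluate()` to see which sample events would be ignored, and `unused_exclusions(EVENTS, EXCLUSIONS)` to spot rules such as the %userprofile% form that can never match and therefore silently fail to exclude anything.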

Example Custom Exclusions

To manually add an exclusion:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. Click + Add Exclusion.
    The Add Exclusion dialog box opens.

Screen shot of the Add Exclusion dialog box

  5. In the Path text box, type the path to exclude.
  6. To exclude folders in the specified directory, select the Also exclude subfolders check box.
  7. From the Entities to exclude drop-down list, select whether to exclude Files and Processes, Files only, or Processes only.
  8. (Optional) In the Description text box, type a description for this exclusion.
  9. Select the hosts and groups the exclusion applies to.
    1. In the Host Name or Host Group text box, type at least three characters from the name of the host or host group to add.
      Host names and group names that include the characters appear.
    2. Select the host or group name to add.
    3. To add other hosts or groups, repeat the previous two steps.
  10. Click Save & Close.
    The exclusion is added to the Exclusion list.

To edit a custom exclusion:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. In the Exclusion list, to the left of the exclusion to edit, click .
    The Edit Exclusion dialog box opens.
  5. Edit the settings as described in the previous procedure.
  6. Click Save & Close.

To remove a custom exclusion:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. In the Exclusion list, to the right of the exclusion to remove, click .
  5. Select Remove Exclusion.
    A confirmation message appears.
  6. Click Yes, Delete.

Back Up or Import Custom Exclusions

You can save a backup of your custom exclusions to an .XML file. To add the exclusions to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to copy custom exclusions configured in one managed customer account to another managed account. To avoid duplicate exclusions, the imported exclusions are merged with the existing list of exclusions.

To save the custom exclusions to a backup:

  1. Select Configure > Threat Detection.
  2. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  3. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the exclusions backup file includes the current date and time. For example: 

WatchGuardTDR_SensorExclusions_2017-01-25_22-39-43.xml

To import custom exclusions from a saved exclusions .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box opens.
  3. Click Import.
    The exclusions from the file are added to the Exclusion list.

See Also

TDR Deployment Best Practices

Configure TDR Policies