Working with exclusions in your Datto AV policy

Introduction

This document provides guidance on how to correctly define and set exclusions for Datto AV. It will help you ensure that the exclusions are set correctly and validated before being transferred to the engine.

Types of exclusions

There are three types of exclusions that can be defined in Datto AV: file, folder, and process exclusions.

The purpose of file and folder exclusions is to prevent the engine from flagging authorized software as unwanted or malicious. A file exclusion works by preventing the engine from scanning the specified file. A folder exclusion prevents the engine from scanning any file in the specified folder structure.

Process exclusions help minimize software conflicts and improve performance for applications that access file systems extensively. A process exclusion will tell the engine to ignore the file system activity of a process.

Defining exclusions

Requirements

  • Folder exclusion: Requires a trailing backslash and applies recursively to subfolders.
    Format examples:
    • C:\folder1\
    • \\folder4\folder5\
  • File exclusion: Must not end with a trailing backslash; otherwise it will be treated as a folder exclusion.
    Format examples:
    • C:\folder2\file.exe
    • \\folder8\folder9\file2.exe
  • Process exclusion: Requires the full image path, not just a process name.
    Format examples:
    • C:\folder1\process.exe
    • \\folder5\folder6\process2.exe

For local paths, matching the on-disk casing is preferred but not required.

Wildcards

  • * is supported as a dynamic substitution in folders, file extensions, and filenames.
  • Wildcards cannot stand in for a drive letter. For example, *:\Program Files must be entered as C:\Program Files.
  • Wildcards in folders only exclude at a single level and will not recurse (for example, C:\Users\*\file.exe won’t match C:\Users\Chris\Desktop\file.exe).
  • Wildcards are not supported for network paths.
  • A race condition can occur for newly written files (for example, temp files) whose casing has not yet been observed, resulting in an unwanted quarantine action. If this occurs, add the newly observed path variation to the exclusions and restore the file.

Network path considerations

  • Events on network drives: These are always reported via the UNC path. Specifying a mapped drive letter will have no effect.
  • Case sensitive: Network path exclusions are always case sensitive.
  • No wildcards: Wildcards are not supported in network paths. The exclusion must be the full UNC file or folder path.

Correctly defined exclusion examples

Below are examples of correctly defined exclusions.

File exclusion examples

C:\Program Files (x86)\iprobusinesssystems\upsrate.exe

C:\ProgramData\iprobusinesssystems\*.exe

C:\ProgramData\iprobusinesssystems\rgb*.exe

C:\Users\*\Downloads\file.exe

\\servername\share2\file.exe

Folder exclusion examples

C:\Program Files (x86)\iprobusinesssystems\

C:\Users\*\Documents\GitHub\

C:\Users\*\appData\Local\CentraStage\4.*\scripts\

\\servername\share2\folder2\

Process exclusion examples

C:\Progress\OpenEdge\bin\prowin.exe

C:\Progress\OpenEdge\bin\mprosrv.exe

Incorrectly defined exclusion examples

Below are examples of incorrectly defined exclusions that won't work as expected.

*\folder1\download.exe

\\folder2\*\folder3\file.exe

%DRIVELETTER%\folder1\file1\

C:\folder4\process.*

Additional considerations

Additional requirements

  • All links, for example, symbolic links, must be resolved upfront.
  • Environment variables in path elements are not supported.
  • The prefix \\?\: This changes the exclusion to a literal, case-sensitive path with no wildcard expansion. You may see this prefix in the alert telemetry or in the local AV configuration file. The AV engine automatically prepends these characters when adding the exclusion to the local file. You do not need to enter them unless you want the exclusion treated as a literal path, as noted above.

Wildcards and path sensitivity

  • Wildcards and case insensitivity are both achieved through dynamic path expansion. This means matching files/folders and alternative casings are resolved on disk and added to exclusions as they are found on each endpoint.

    For example, c:\users\*\file.exe can result in the exclusions C:\Users\JohnD\file.exe and C:\Users\ChrisG\FILE.EXE being added on that specific endpoint.
  • A Datto AV alert will report the observed casing in the field originalPath.
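The following Python checker is an added example, not Datto's code: it encodes the entry rules from the Requirements, Wildcards, Network path considerations and Additional requirements sections, and models the documented matching outcome (single-level *, recursive folders, case-insensitive local paths, case-sensitive UNC and \\?\ paths) rather than the engine's on-disk expansion. The rejection of wildcards in process exclusions is my reading of the "full image path" requirement and of the C:\folder4\process.* entry in the incorrect list; symbolic-link resolution cannot be checked offline and is not covered.

```python
import re

UNC_PREFIX = "\\\\"          # \\server\share\... (network path)
LITERAL_PREFIX = "\\\\?\\"   # \\?\ prefix: literal, case-sensitive, no wildcard expansion


def _strip_literal(p):
    return p[len(LITERAL_PREFIX):] if p.startswith(LITERAL_PREFIX) else p


def validate_exclusion(entry, process=False):
    """Check one entry against the rules on this page; returns (kind, problems),
    kind in {'folder', 'file', 'process', 'invalid'}. Trailing backslash = folder."""
    problems = []
    literal = entry.startswith(LITERAL_PREFIX)
    path = _strip_literal(entry)
    is_unc = path.startswith(UNC_PREFIX)
    if re.search(r"%[^%\\]+%", path):
        problems.append("environment variables in path elements are not supported")
    if path.startswith("*:"):
        problems.append("a wildcard cannot stand in for the drive letter; write C:\\ explicitly")
    elif not is_unc and not re.match(r"^[A-Za-z]:\\", path):
        problems.append("local paths must start with a drive letter such as C:\\")
    if is_unc and "*" in path:
        problems.append("wildcards are not supported in network (UNC) paths")
    if literal and "*" in path:
        problems.append("\\\\?\\ disables wildcard expansion, so * would be matched literally")
    # Assumption: a wildcard is not a 'full image path', so reject it for processes.
    if process and "*" in path:
        problems.append("process exclusions require the full image path; wildcards are not allowed")
    if path.endswith("\\"):
        kind = "folder"
        if process:
            problems.append("a process exclusion must name an image file, not a folder")
    else:
        kind = "process" if process else "file"
    return ("invalid" if problems else kind), problems


def exclusion_covers(entry, observed_path):
    """Would `observed_path` be covered by `entry`? * matches inside a single path
    component only, folders recurse, local paths compare case-insensitively,
    UNC and \\?\ paths case-sensitively."""
    kind, problems = validate_exclusion(entry)
    if problems:
        return False
    case_sensitive = entry.startswith(UNC_PREFIX)   # true for \\server and \\?\ alike
    pattern = re.escape(_strip_literal(entry)).replace(r"\*", r"[^\\]*")
    if kind == "folder":
        pattern += r".*"                            # anything beneath the folder
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(pattern, _strip_literal(observed_path), flags) is not None
```

Run validate_exclusion over a proposed list before it is pushed to a policy; exclusion_covers lets you confirm against the originalPath from an alert whether an entry would have covered the quarantined file.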

Performance

  • Too many exclusion entries can lead to reduced performance. Consider a nested approach (folder exclusions) where applicable.
  • Where possible, we recommend using a folder exclusion over a wildcard as folder exclusions are more effective and reliable than exclusions with wildcards.
  • Server Performance: AV-related system performance issues on servers are often caused by excessive rescanning of frequently accessed and changed files. This condition is resolved by applying the appropriate process and file/folder exclusions to the real-time protection policy. Specific exclusion lists should be provided by that software vendor.

Universal AV Exclusion

With Universal AV Exclusion, you can create file, folder, and process exclusions in a single list that can be inherited by any Datto Antivirus policy. This makes managing your Datto AV exclusions easier.

Universal AV Exclusion is accessed on the Policies page. You create the exclusion list via the Create Exclusion button.

The list can be inherited by any Datto AV policy by enabling Include Universal AV Exclusion within the desired AV policy.

How to...