Working with exclusions in your Datto AV policy
Introduction
This document provides guidance on how to correctly define and set exclusions for Datto AV. It will help you ensure that the exclusions are set correctly and validated before being transferred to the engine.
Types of exclusions
There are three types of exclusions that can be defined in Datto AV: file, folder, and process exclusions.
The purpose of file and folder exclusions is to prevent the engine from flagging authorized software as unwanted or malicious. A file exclusion works by preventing the engine from scanning the specified file. A folder exclusion prevents the engine from scanning any file in the specified folder structure.
Process exclusions help minimize software conflicts and improve performance for applications that access file systems extensively. A process exclusion will tell the engine to ignore the file system activity of a process.
Defining exclusions
Requirements
- Folder exclusion: Requires a trailing backslash and applies recursively to subfolders.
  Format examples:
  - C:\folder1\
  - \\folder4\folder5\
- File exclusion: Must not end with a trailing backslash; otherwise, it will be considered a folder exclusion.
  Format examples:
  - C:\folder2\file.exe
  - \\folder8\folder9\file2.exe
- Process exclusion: Requires the full image path, not just a process name.
  Format examples:
  - C:\folder1\process.exe
  - \\folder5\folder6\process2.exe
Case-sensitive paths are preferred but not required for local paths.
Wildcards
- * is supported as a dynamic substitution in folders, file extensions, and filenames.
- Wildcards are not supported for designating ANY drives. For example, *:\Program Files must be entered as C:\Program Files.
- Wildcards in folders only exclude at a single level and will not recurse (for example, C:\Users\*\file.exe won't match C:\Users\Chris\Desktop\file.exe).
- Wildcards are not supported for network paths.
- A race condition can occur for newly written files (for example, temp files) that use unknown casing, resulting in an unwanted quarantine action. If this occurs, add the newly observed path variation to exclusions and restore the file.
Network path considerations
- Events on network drives: These are always reported via the UNC path. Specifying mapped drive letters will not have an effect.
- Case sensitive: Network path exclusions are always case sensitive.
- No wildcards: Wildcards are not supported in network paths. The exclusion must be the full UNC file or folder path.
Correctly defined exclusion examples
Below are examples of correctly defined exclusions.
File exclusion examples
C:\Program Files (x86)\iprobusinesssystems\upsrate.exe
C:\ProgramData\iprobusinesssystems\*.exe
C:\ProgramData\iprobusinesssystems\rgb*.exe
C:\Users\*\Downloads\file.exe
\\servername\share2\file.exe
Folder exclusion examples
C:\Program Files (x86)\iprobusinesssystems\
C:\Users\*\Documents\GitHub\
C:\Users\*\appData\Local\CentraStage\4.*\scripts\
\\servername\share2\folder2\
Process exclusion examples
C:\Progress\OpenEdge\bin\prowin.exe
C:\Progress\OpenEdge\bin\mprosrv.exe
Incorrectly defined exclusion examples
Below are examples of incorrectly defined exclusions that won't work as expected.
*\folder1\download.exe
\\folder2\*\folder3\file.exe
%DRIVELETTER%\folder1\file1\
C:\folder4\process.*
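The format rules on this page can be checked before an entry is typed into a policy. The following linter is an added example, not Datto code: the function names, the "kind path" input format and the type assigned to each sample line are assumptions made for the illustration, and it implements only the rules stated on this page.

```python
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:\\")   # explicit drive letter, colon, backslash
ENV_RE = re.compile(r"%[^%\\]+%")        # %VARIABLE% used as a path element
LITERAL_PREFIX = "\\\\?\\"               # the four characters \\?\

def validate_exclusion(path, kind):
    """Return the problems found in one entry; kind is file, folder or process."""
    problems = []
    literal = path.startswith(LITERAL_PREFIX)
    body = path[len(LITERAL_PREFIX):] if literal else path
    is_unc = body.startswith("\\\\")
    if ENV_RE.search(body):
        problems.append("environment variables are not supported")
    if not is_unc and not DRIVE_RE.match(body):
        # Catches wildcard drives (*:\, *\) and bare process names alike.
        problems.append("must start with an explicit drive letter or a UNC path")
    if is_unc and "*" in body:
        problems.append("wildcards are not supported in network paths")
    if kind == "folder" and not body.endswith("\\"):
        problems.append("folder exclusion requires a trailing backslash")
    if kind in ("file", "process") and body.endswith("\\"):
        problems.append(kind + " exclusion must not end with a backslash")
    return problems

def lint(text):
    """Parse 'kind path' lines and return {path: problems} for failing entries."""
    report = {}
    for line in text.strip().splitlines():
        kind, path = line.split(None, 1)
        problems = validate_exclusion(path, kind)
        if problems:
            report[path] = problems
    return report

# Sample input: paths taken from this page, plus two constructed bad entries
# (a bare process name and a folder without its trailing backslash).
SAMPLE = r"""
folder  C:\Program Files (x86)\iprobusinesssystems\
file    C:\Users\*\Downloads\file.exe
file    \\servername\share2\file.exe
process C:\Progress\OpenEdge\bin\prowin.exe
file    *\folder1\download.exe
file    \\folder2\*\folder3\file.exe
folder  %DRIVELETTER%\folder1\file1\
process prowin.exe
folder  C:\Users\*\Documents\GitHub
"""

if __name__ == "__main__":
    for bad_path, reasons in lint(SAMPLE).items():
        print(bad_path, "->", "; ".join(reasons))
```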
Additional considerations
Additional requirements
- All links, for example, symbolic links, must be resolved upfront.
- Environment variables in path elements are not supported.
- Using the \\?\ prefix: This changes the exclusion to a literal, case-sensitive path with no wildcard expansion. You may see this prefix in the alert telemetry or in the local AV configuration file. The AV engine will automatically prepend these characters when adding the exclusion to a local file. You don't need to enter these characters unless you want to enter the exclusion as a literal path as noted above.
Wildcards and path sensitivity
- Wildcards and case insensitivity are both achieved through dynamic path expansion. This means matching files/folders and alternative casings are resolved on disk and added to exclusions as they are found on each endpoint. For example, c:\users\*\file.exe can result in the exclusions C:\Users\JohnD\file.exe and C:\Users\ChrisG\FILE.EXE being added on that specific endpoint.
- A Datto AV alert will report the observed casing in the field originalPath.
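When reviewing an alert, it helps to know which policy entries would cover the reported originalPath. The following is an added example that models the matching rules described on this page (single-level wildcards, recursive folders, case-insensitive local paths, case-sensitive network and \\?\ literal paths); it is not the engine's own matching code, the function names are hypothetical, and it ignores the delay of dynamic expansion noted under the race condition above.

```python
import re

LITERAL_PREFIX = "\\\\?\\"   # the four characters \\?\

def _wildcard_regex(pattern):
    # '*' matches any run of characters inside ONE path element (never a
    # backslash), which is why a folder wildcard does not recurse.
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile(r"[^\\]*".join(pieces), re.IGNORECASE)

def covers(exclusion, observed):
    """Model: does a file or folder exclusion cover the observed path?"""
    literal = exclusion.startswith(LITERAL_PREFIX)
    if literal:
        exclusion = exclusion[len(LITERAL_PREFIX):]
    if observed.startswith(LITERAL_PREFIX):
        # Alert telemetry may show the prefix; compare without it.
        observed = observed[len(LITERAL_PREFIX):]
    is_folder = exclusion.endswith("\\")
    if literal or exclusion.startswith("\\\\"):
        # Literal and network paths: exact casing, '*' is not expanded.
        if is_folder:
            return observed.startswith(exclusion)
        return observed == exclusion
    rx = _wildcard_regex(exclusion)
    # Folder: prefix match, so subfolders are covered. File: whole path must match.
    return bool(rx.match(observed) if is_folder else rx.fullmatch(observed))

def matching_exclusions(exclusions, original_path):
    """Return the exclusions that cover an alert's originalPath."""
    return [entry for entry in exclusions if covers(entry, original_path)]

if __name__ == "__main__":
    # Exclusions are taken from this page; the observed paths are constructed.
    policy = ["C:\\Users\\*\\file.exe", "C:\\Users\\*\\Documents\\GitHub\\"]
    for seen in ["C:\\Users\\Chris\\Desktop\\file.exe",
                 "C:\\Users\\JohnD\\Documents\\GitHub\\repo\\build.exe"]:
        print(seen, "->", matching_exclusions(policy, seen))
```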
Performance
- Too many exclusion entries can lead to reduced performance. Consider a nested approach (folder exclusions) where applicable.
- Where possible, we recommend using a folder exclusion over a wildcard as folder exclusions are more effective and reliable than exclusions with wildcards.
- Server Performance: AV-related system performance issues on servers are often caused by excessive rescanning of frequently accessed and changed files. This condition is resolved by applying the appropriate process and file/folder exclusions to the real-time protection policy. Specific exclusion lists should be provided by the vendor of that software.
Universal AV Exclusion
With Universal AV Exclusion, you can create file, folder, and process exclusions in a single list that can be inherited by any Datto Antivirus policy. This makes managing your Datto AV exclusions easier.
Universal AV Exclusion is accessed on the Policies page. You create the exclusion list via the Create Exclusion button.
The list can be inherited by any Datto AV policy by enabling Include Universal AV Exclusion within the desired AV policy.
How to...
1. On the top navigation bar, click Policies.
2. Your Policy List is displayed. For the applicable Datto Antivirus policy, click the ellipses menu.
3. Select Edit.
4. Expand the Exclusions section.
5. Click the Add Exclusion button.
6. In the Add Exclusion modal:
7. To add another exclusion, repeat step 6.
8. In the upper-right corner of the Edit Policy page, click Save.
1. On the top navigation bar, click Policies.
2. In the left navigation menu, select Universal AV Exclusion.
3. To create your list of exclusions:
   a. Click the Create Exclusion button.
   b. The Create Exclusion modal is displayed. In the Path field, enter the exclusion.
   c. In the Type list, select Folder, File (selected automatically), or Process.
   d. Click the Add button. The exclusion is listed in the Universal AV Exclusion table.
   e. To add another exclusion, repeat steps 3a-d.
4. To include the Universal AV Exclusion list in a Datto AV policy: