Create Anti-Malware exceptions

Files that are not malicious can be falsely identified as malware if they share certain characteristics with malware. If a file is known to be benign and is identified as malware, you can create an exception for that file or the rule which detected the file. When an exception is created, Server & Workload Protection does not trigger an event for the excepted file or rule.

For an overview of the Anti-Malware module, see Protect against malware.

Note

You can also exclude files from real-time, manual, and scheduled scans. See Specify the files to scan.

Exceptions can be created for the following types of malware and malware scans:

Anti-Malware scans
Predictive Machine Learning scans (for information, see Detect emerging threats using Predictive Machine Learning.)
Scans for spyware and grayware (for information, see Scan for spyware and grayware)
Behavior monitoring protection (for information, see Enhanced Anti-Malware and ransomware scanning with behavior monitoring)

You can also exclude files from Anti-Malware scanning if they are signed by a trusted certificate. This feature is supported with version 20.0.0-3445+ agents on Windows. For details, see Exclude files signed by a trusted certificate.

Server & Workload Protection maintains a list of exceptions for each type of malware scan in policy and computer properties.

To see the lists of exceptions, open the policy or computer editor.
Click Anti-Malware → Advanced.

You can view and edit the following exception lists:

Allowed Spyware/Grayware: Allow applications identified as Spyware or Grayware to remain on some systems. Use the Anti-Malware spyware detection events to add exceptions.
Rule Exceptions: Create detection exceptions based on rule ID. Locate rule IDs by viewing events in Events & Reports. Rule exceptions apply to both Anti-Malware Scans and Behavior Monitoring.
Behavior Monitoring Protection Exceptions: Exempt files from Behavior Monitoring Protection detection.
Predictive Machine Learning Detection Exceptions: Exempt files based on the SHA1 hash.
Trusted Certificates Detection Exceptions: Choose whether to except files with a trusted certificate from detections.

Create a file exception from an Anti-Malware event

When a file is identified as malware, Server & Workload Protection generates an Anti-Malware event. If you know that the file is benign, you can create an exception for the file from the event report.

Click Events & Reports → Events → Anti-Malware Events and locate the malware detection event.
Right-click the event.
Select Allow.

Manually create an Anti-Malware exception

Note

Creating more than 512 Anti-Malware exception entries will cause exceptions to stop working.

You can manually create Anti-Malware exceptions using the exception lists. To add an exception manually, you need specific information from the Anti-Malware event that the scan generated. The type of malware or scan determines the information that you need:

Spyware or grayware: The value in the "MALWARE" field of the Anti-Malware Event. For example, SPY_CCFR_CPP_TEST.A.

Rule exceptions: The rule ID found in the Threat Information section of the Anti-Malware Event Viewer. For example, RAN4685T

Note

Rule IDs are case sensitive. Creating rule exceptions using rule ID for machine learning-related TRX malware (such as Ransom.Win32.TRX) or VSAPIX malware (such as Trojan.Win32.VSX.PE04C93) is not supported at this time.

Behavior monitoring: The process image path. For example, C:\test.exe.
Predictive machine learning: The SHA1 digest of the file from the "FILE SHA-1" field of the Anti-Malware Event. For example, 3395856CE81F2B7382DEE72602F798B642F14140.

Important

Rule exceptions does not support adding Predictive Machine Learning rules. These include rules which contain TRX or VSX in the rule ID.
You can specify up to 256 rule IDs for Rule exceptions. Policies can only support up to a total of 512 rules (256 inherited from parent policy plus 256 additionally defined rules.)
Rule IDs are case sensitive.

Click Events & Reports → Events → Anti-Malware Events and copy the field value that is required to identify the malware.
Open the policy or computer editor where you want to create the exception.
Click Anti-Malware → Advanced.
Add the information to the appropriate exceptions list.
Click Add.

Exception List Wildcard Support

The Behavior Monitoring Protection Exceptions list supports the use of wildcard characters when defining file path, file name, and file extension exception types. Use the following table to properly format your exception lists to ensure that Server & Workload Protection excludes the correct files and folders from scanning.

Supported wildcard characters:

Asterisk (*): Represents any character or string of characters

Note

The Behavior Monitoring Protection Exceptions list does not support the use of wildcard characters to replace system drive designations or within Universal Naming Convention (UNC) addresses.

Exception Type

Wildcard Usage

Matched

Not Matched

Directories

C:\*

Excludes all files and folders on the specified drive

```
C:\sample.exe
```
```
C:\folder\test.doc
```

```
D:\sample.exe
```
```
E:\folder\test.doc
```

Specific files under a specific folder level

C:\*\Sample.exe

Excludes the Sample.exe file only if the file is located in any subfolder of the C:\ directory

```
C:\files\Sample.exe
```
```
C:\temp\files\Sample.exe
```

```
C:\sample.exe
```

Universal Naming Convention (UNC) paths

\\<UNC path>\*\Sample.exe

Excludes the Sample.exe file only if the file is located in any subfolder of the specified UNC path

```
\\<UNC path>\files\Sample.exe
```
```
\\<UNC path>\temp\files\Sample.exe
```

```
R:\files\Sample.exe
```
Reason: Mapped drives are not supported.
```
\\<UNC path>\Sample.exe
```
Reason: The file does not exist within a subfolder of the UNC path.

File names and extensions

C:\*.*

Excludes all files with extensions in all folders and subfolders of the C:\ directory

```
C:\Sample.exe
```
```
C:\temp\Sample.exe
```
```
C:\test.doc
```

```
D:\sample.exe
```

C:\Sample

Note

Because C:\Sample does not have a file extension, it is not a match for the exception.

File names

C:\*.exe

Excludes all files with the .exe extension in all folders and subfolders of the C:\ directory

```
C:\Sample.exe
```
```
C:\temp\test.exe
```

```
C:\Sample.doc
```
```
C:\temp\test.bat
```

C:\Sample

Note

Because C:\Sample does not have a file extension, it is not a match for the exception.

File extensions

C:\Sample.*

Excludes all files with the name Sample and any extension in the C:\ directory

```
C:\Sample.exe
```

```
C:\Sample1.doc
```
```
C:\temp\Sample.bat
```

C:\Sample

Note

Because C:\Sample does not have a file extension, it is not a match for the exception.

Files in specific directory structures

C:\*\*\Sample.exe

Excludes all files located within the second subfolder level or any subsequent subfolders of the C:\ directory with the file name and extension Sample.exe

```
C:\files\temp\Sample.exe
```
```
C:\files\temp\test\Sample.exe
```

```
C:\Sample.exe
```
```
C:\temp\Sample.exe
```
```
C:\files\temp\Sample.doc
```

Exception strategies for spyware and grayware

When spyware is detected, the malware can be immediately cleaned, quarantined, or deleted, depending on the malware scan configuration that controls the scan. After you create the exception for a spyware or grayware event, you might have to restore the file. (See Restore identified files.)

Alternatively, you can temporarily scan for spyware and grayware with the action set to "Pass" so that all spyware and grayware detections are recorded on the Anti-Malware Events page but not cleaned, quarantined, or deleted. You can then create exceptions for the detected spyware and grayware. When your exception list is robust, you can set the action to "Clean", "Quarantine", or "Delete" modes.

For information about setting the action, see Configure how to handle malware.

Scan exclusion recommendations

The best and most comprehensive source for scan exclusions is from the software vendor. The following are some high-level scan exclusion recommendations:

Quarantine folders (such as SMEX on Microsoft Windows Exchange Server) should be excluded to avoid rescanning files that have already been confirmed to be malware.
Large databases and database files (for example, dsm.mdf and dsm.ldf) should be excluded because scanning could impact database performance. If it is necessary to scan database files, you can create a scheduled task to scan the database during off-peak hours. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list:

For Windows:

${ProgramFiles}\Microsoft SQL Server\MSSQL\Data\

${Windir}\WINNT\Cluster\ # if using SQL Clustering

Q:\ # if using SQL Clustering

For Linux:

/var/lib/mysql/ # if path is set to this Data Location of MySQL in the
                     machine.

/mnt/volume-mysql/ # if path is set to this Data Location of MySQL in the
                     machine.

For a list of recommended scan exclusions, see the Trend Micro recommended scan exclusion list. Microsoft also maintains an Anti-Virus Exclusion List that you can use as a reference for excluding files from scanning on Windows servers.

Exclude files signed by a trusted certificate

If you have signed applications and want to exclude all activities of those processes from real-time Anti-Malware scanning (including file scans, behavior monitoring, and predictive machine learning), you can add the digital certificate to your trusted certificate list in Server & Workload Protection.

Note

This type of exclusion is supported with version 20.0.0-3549+ agents on Windows.

In the policy or computer editor, go to Anti-Malware → Advanced.
In the Trusted Certificates Detection Exemptions section, set Exclude files with trusted certificate to "Yes" or "Inherited (Yes)".
Select Manage Certificate List.
The Trusted Certificates window displays any certificates you have imported. Select Import From File to add another one for scan exclusions.
Choose the certificate file and then select Next.
Review the certificate summary that's displayed and set Trust this certificate for to Scan Exclusions. Select Next.
The Summary page indicates whether the import was successful. Select Close.

The imported certificate appears in the Trusted Certificates list with the Purpose listed as Exception.

Tip

Server & Workload Protection checks the exemption list when a process starts. If a process is running before the exemption is configured, the process won't be added to the exemption list until it is restarted.