What is an Exclusion?
Exclusions are used by Stairwell Forwarders to override the decision to upload a file. They are implemented as a list of file globs that is sent to the forwarder, and are configurable via asset policy. Stairwell forwarders support two types of exclusions: Do not upload exclusions and Do not scan exclusions. These exclusions are path-based and override the policy's extension list.
Do Not Upload Exclusions
Do not upload exclusions apply to all backscan and real-time events (including image loads and new/modified files).
Example 1:
.jar is in the policy's extensions list, so the forwarder will upload any .jar files that it sees during a backscan, and any new or modified .jar files.
However, the policy also contains a Do not upload exclusion with the glob **/do_not_upload*.jar.
Consider the following files:
C:\Users\User1\AppData\Local\Temp\do_not_upload.jar
C:\MyDir\do_not_upload_this.jar
E:\Java\Jars\do_not_upload_this_either.jar
In the above cases, each file would initially be selected as a candidate for upload. However, each path matches our Do not upload glob, so none of the files will be uploaded.
Example 2:
A DLL C:\Windows\clean\injected.dll is loaded into C:\Windows\system32\notepad.exe, resulting in the forwarder receiving an ImageLoad event for injected.dll.
However, in this example, the policy also contains a Do not upload exclusion for c:\**\clean\*.dll, which matches this DLL's file path and will prevent the file from being uploaded.
Do Not Scan Exclusions
Do not scan exclusions apply only to files selected by the back scan. Real-time processing is not affected.
Example:
.py is in the policy extensions list, so any file ending with .py will be uploaded. A backscan is running, and enumerates the file C:\Users\User1\Desktop\mysecrets.py. In this example, the policy contains a Do not scan exclusion with the glob **\*secret*.py. Even though the file is in the extensions list, it matches our exclusion and will not be uploaded during the backscan.
However, if the file is modified, this will come through as a real-time event, and the forwarder will upload the file.
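The following Python sketch is an added example, not Stairwell's code: it models the upload decision described on this page so that a policy's globs can be checked against sample paths, including the real-time gap left by a Do not scan exclusion. The glob semantics (case-insensitive, / and \ interchangeable, ** crossing directories, * staying inside one path segment), the extension-only candidate selection, and all function and dictionary names are assumptions.

```python
import re

def glob_to_regex(glob):
    """Translate a glob under ASSUMED semantics: '/' and '\\' are equivalent,
    matching is case-insensitive, '**' crosses directories, '*' does not."""
    g = glob.replace("\\", "/")
    out, i = [], 0
    while i < len(g):
        if g.startswith("**", i):
            out.append(".*")
            i += 2
        elif g[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(g[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)

def matches(path, globs):
    """True if the path matches any glob in the list."""
    p = path.replace("\\", "/")
    return any(glob_to_regex(g).fullmatch(p) for g in globs)

def will_upload(path, event, policy):
    """event is 'backscan' or 'realtime' (image loads, new/modified files)."""
    # ASSUMPTION: candidate selection is modelled as the extension list only.
    if not path.lower().endswith(tuple(policy["extensions"])):
        return False
    # Do not upload exclusions apply to backscan and real-time events alike.
    if matches(path, policy["do_not_upload"]):
        return False
    # Do not scan exclusions apply only to files selected by the backscan.
    if event == "backscan" and matches(path, policy["do_not_scan"]):
        return False
    return True

# Constructed policy built from the globs used in the examples on this page.
POLICY = {
    "extensions": [".jar", ".dll", ".py"],
    "do_not_upload": [r"**/do_not_upload*.jar", r"c:\**\clean\*.dll"],
    "do_not_scan": [r"**\*secret*.py"],
}
```

Running will_upload over a list of sensitive paths for both event types shows which files are only protected during the backscan and would still be uploaded once modified.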