What is an Exclusion?

Exclusions are used as a way to override the decision to upload a file, and they apply to only the scenario where a file may be uploaded using the forwarder. These exclusions are implemented in the form of a list of file globs that are sent to the forwarder. There are two types of exclusions.

Do not upload exclusions

“Do not upload” exclusions apply to all back scan and real-time events (process start, image load, file written, file created), and they override the extensions list.

Example 1:

.jar is in the extensions policy list, so the forwarder will upload any JAR files that it sees during a back scan, and any JAR files that are created or modified. However, there is a “Do not upload” exclusion with the glob /do_not_upload*jar. Any file path that matches this glob will be excluded from upload. If the file C:\Users\Appdata\Local\Temp\do_not_upload_this.jar is created, the file would initially selected by the driver as a candidate for upload. However, that path matches the exclusion glob /do_not_upload*jar, and so the file would not be uploaded.

Example 2:

A DLL C:\Windows\temp\notinjected.dll is loaded into C:\Windows\system32\notepad.exe , resulting in an ImageLoad event from the forwarder, and the forwarder selecting not_injected.dll to potentially upload. However, the “Do not upload” exclusion policy has the glob */temp/_dll, which matches this DLL’s file path. So the DLL is not uploaded.

Do not scan exclusions

“Do not scan” exclusions apply to files selected by the back scan, and they override the extensions list.

Example:

.txt is in the extensions policy list, so any TXT files will be uploaded. A backscan is running, and enumerates the file C:\Users\Desktop\hubb\secritz.txt . There is also a “Do not scan” exclusion with the glob _/_secritz, which indicates to skip any file in any directory that contains the substring secritz. When the backscan first sees this file, it will initially consider it for uploading. However it will then apply all “Do not scan” exclusions in the active policy, and determine that the file should be excluded.

Exceptions to exclusions

There is an important exception to the extension feature of policies — during a back scan, the forwarder will open any file that doesn’t match the extensions list, and read the first two bytes of the file. If they match the magic MZ bytes, then the forwarder will select that file for uploading, even though it didn’t match an extension in the policy.

This exception does not apply to realtime events from the kernel mode driver. When a new file is written, or it is modified, the forwarder does not attempt to read the magic bytes. Only files that match the extensions policy list are candidates for upload.

The other exception is for ProcessStart and ImageLoad events from the driver. The forwarder does not look at the file extension for these events.

These exceptions do not bypass the the “do not upload” glob list.