
EDR: Create Windows Exclusions

Environment

  • EDR Server: 7.6.1 and higher
  • EDR Windows Sensor: 7.3.0 and higher

Objective

How to create Windows Exclusions within a Sensor Group.

Resolution

  1. Modify /etc/cb/cb.conf to include: 
    EventExclusionsEnabled=True
  2. Restart the EDR server or cluster.
  3. In the EDR console, go to Sensors > Groups and click the gear icon next to the sensor group.
  4. Expand the Exclusions bar and click the Add Exclusion button.
  5. Add one or more paths, one path per line. See the examples below.
  6. Select the options below the path to filter for that path (the 'Process information' and 'Network connections' options are ignored).
  7. Click the 'Ok' button.
  8. Click the 'Save Group' button.

Additional Notes

  • Paths refer to process-backed binary executables (.exe).
  • Paths are case sensitive.
  • Paths must not contain forward slashes.
  • Paths must contain a drive letter, a valid environment variable (which yields a drive letter) or a wildcard prior to the first backslash.
  • Paths may contain multiple wildcard characters.
  • Valid path exclusion examples:
      C:\somefile.exe
      C:\somedir\somefile.exe
      C:\*\somefile.exe
      *\somefile.exe
      *somefile.exe
      *\somedir\some*file.exe
      %SystemRoot%\System32\cmd.exe
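The path rules in the notes above, as an added example that is not part of the article or of the EDR product: a small Python checker that validates candidate exclusions against those rules, matches them against process paths, and flags exclusions that are broader than they look. It assumes `*` matches any run of characters including backslashes, and uses a constructed environment-variable table in place of a real host's environment.

```python
import re

# Constructed stand-in for the sensor host's environment; on a real host the
# EDR sensor expands %VAR% from the process environment instead.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}

_ENV_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def _expand(path: str, env: dict[str, str]) -> str:
    """Replace %VAR% with its value; unknown variables are left in place."""
    return _ENV_VAR.sub(lambda m: env.get(m.group(1), m.group(0)), path)


def validate_exclusion(path: str, env: dict[str, str] = SAMPLE_ENV) -> list[str]:
    """Return the article's rules that `path` violates; an empty list means valid."""
    problems = []
    if "/" in path:
        problems.append("contains a forward slash")
    if not path.lower().endswith(".exe"):
        problems.append("does not name a .exe binary")
    for var in _ENV_VAR.findall(path):
        if var not in env:
            problems.append(f"unknown environment variable %{var}%")
    head = _expand(path, env).split("\\", 1)[0]  # text before the first backslash
    if not (re.fullmatch(r"[A-Za-z]:", head) or "*" in head):
        problems.append("no drive letter or wildcard before the first backslash")
    return problems


def compile_exclusion(path: str, env: dict[str, str] = SAMPLE_ENV) -> re.Pattern:
    """Model the exclusion as a case-sensitive regex (assumption: '*' spans backslashes)."""
    parts = _expand(path, env).split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def excludes(pattern: str, process_path: str) -> bool:
    """True if the process binary at `process_path` would be excluded by `pattern`."""
    return compile_exclusion(pattern).match(process_path) is not None


def audit_exclusions(patterns: list[str], env: dict[str, str] = SAMPLE_ENV) -> dict[str, list[str]]:
    """Validate each pattern and flag those that match the binary from any location."""
    report = {}
    for p in patterns:
        findings = validate_exclusion(p, env)
        if p.startswith("*"):
            findings.append("leading wildcard: matches this file name in any directory on any drive")
        report[p] = findings
    return report
```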

Article Information
Creation Date: 03-22-2022