topic Exclusion process cortex?! in Cortex XDR Discussions

Exclusion process cortex?!

tlmarques — Mon, 04 Mar 2024 13:04:41 GMT

Hi,

How can I create an exclusion in to stop it from scanning a specific executable??

We have a critical software in our company, and we've noticed that Cortex is constantly analyzing it, causing the machine high CPU and MEM.

How can we exclude this file from the analysis? We want to maintain protections such as Ransomware, just excluding the process monitoring.
It's possible?

Re: Exclusion process cortex?!

jmazzeo — Mon, 04 Mar 2024 13:36:14 GMT

Hi @tlmarques, thanks for reaching us using the Live Community.

You need to create a Disable Prevention Rule.

Go to Settings - Exceptions Configuration - Disable Prevention Rules, create a new one, set the name and fill the parameters:

- Set the target properties, folder location and executable name, command line, or you can use the signer. Only one is enough.

- Module: try with the Local Analysis and check how it goes, if it is an in-house software it is probably "Unknown" for Wildfire and the agent tries to analyze it locally, consuming CPU and RAM to do it.

- Scope: select the applied profile to the Endpoints with the issue.

You can also go to Detecion Rules - IOC and add an IOC with the application path and/or executable hash (ni the "Type" field):

Let me know how it goes.

If this post solved your question, please mark it as the solution.

Re: Exclusion process cortex?!

Arman_Zaheri — Fri, 14 Mar 2025 08:19:36 GMT

Hi,

I found your response very insightful and helpful. I just have a question. How can I know which module to select when creating that prevention profile? In my case, it's also an in-house developed software which its developer reported performance issues. For example, should I select "Wildfire" and "Behavioral Threat Protection" together, or just one of them suffices? How can I find which module(s) is/are more relevant to this performance issue?

BR,

Re: Exclusion process cortex?!

Kahlilp — Wed, 02 Jul 2025 08:51:48 GMT

In selecting the scope you are given the choice of Global or Exceptions Profile.

However when you go to the Exceptions profile, the folder/path I specified is not in any of the modules there. If I go to the Malware Profile for example (because I selected Wildfire in the choices -- it also doesn't show up in any of the malware profile -- because the scope is Exception Profile.)

In short, where do I confirm that the folder/path I specified in the Disable Prevention Rule is in place -- surely its not in any of the Exception profiles.

Re: Exclusion process cortex?!

tlmarques — Wed, 02 Jul 2025 11:55:37 GMT

you need to add the exception profiles to the policy first. Once the policy appears...

Re: Exclusion process cortex?!

SEKKDK — Fri, 12 Dec 2025 08:13:36 GMT

What is the difference between a process exception and a operational agent exception? Is it that on process exception you select which module one wants to exclude it from.
Is there any documentation anywhere all these different exceptions are described in detail and when they should be used?

Also how does it differ from a Disable Prevention Rules.

regards

Mike.