topic Re: Adding file and folder exclusions in Cortex XDR Discussions

Adding file and folder exclusions

JLawrence-Serra — Wed, 18 Oct 2023 17:22:10 GMT

We have a security camera server that's been throwing out low memory resource messages and the company that provides the software claims that Cortex XDR endpoint client is causing memory leaks. There are no incidents being triggered by this server and the memory usage of Cortex is always under 1GB of memory. They have provided documentation that appears to be geared more toward traditional antivirus software to add folder and file exceptions from the software. I don't see in the XDR control console a place for me to make these exceptions unless there was an incident or to allow list a vendor or hash. Does this seem like they're grasping for something to be the issue or can anyone help guide me on how to add these exceptions. Below is the document they provided to help understand what they're asking of us to do.

https://support.avigilon.com/s/article/ACC-Files-and-Folders-to-be-Added-to-An-Antivirus-Exclusion-List?language=en_US

Re: Adding file and folder exclusions

jmazzeo — Wed, 18 Oct 2023 18:28:43 GMT

Hi @JLawrence-Serra, thanks for reaching the Live Community.

You can create exceptions rules to avoid files or folder for being scanned by the XDR Agent modules.

You need to create a "Disable Prevention Rule", this is located at Settings → Exception Configuration → Disable Prevention Rules

This is the official doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Disable-Prevention-Rule

I recommend creating the rule and apply this only to the Profile that is assigned to this endpoints.

When you define the rule, note that you can use wildcards for the folder definitions. In your case, you will need to create more than one rule to cover all the required folders.

I think this can solve your inquiry.

Re: Adding file and folder exclusions

JLawrence-Serra — Wed, 18 Oct 2023 18:56:01 GMT

Thank you very much for your help! That helped solve my problem! I appreciate the details you provided in the screen shot.

Re: Adding file and folder exclusions

J.Bravo779077 — Mon, 16 Sep 2024 14:50:13 GMT

Hello,

We are implementing FSlogix profiles in our environment. Is the solution you provide here enough? If I need to do something else or different, let me know.

This is the exclusion that I need to add per Microsoft documentation:

File / folder exclusions

%TEMP%\*\*.VHD
%TEMP%\*\*.VHDX
%Windir%\TEMP\*\*.VHD
%Windir%\TEMP\*\*.VHDX
\\server-name\share-name\*\*.VHD
\\server-name\share-name\*\*.VHD.lock
\\server-name\share-name\*\*.VHD.meta
\\server-name\share-name\*\*.VHD.metadata
\\server-name\share-name\*\*.VHDX
\\server-name\share-name\*\*.VHDX.lock
\\server-name\share-name\*\*.VHDX.meta
\\server-name\share-name\*\*.VHDX.metadata

Cloud Cache specific exclusions
%ProgramData%\FSLogix\Cache\* (folder and files)
%ProgramData%\FSLogix\Proxy\* (folder and files)

Prerequisites for FSLogix - FSLogix | Microsoft Learn
Thank you in advance for your guidance.

Re: Adding file and folder exclusions

jmazzeo — Fri, 20 Sep 2024 14:07:49 GMT

Hi @J.Bravo779077, we don't recommend to add exceptions before installing the agent. Those recommendations are for legacy antivirus solutions, any modern EDR solution like XDR works monitoring behaviors of the running applications.

You can create a "report only" profile and apply it to this kind of servers and then monitor if the agent detects something from this application as malicious, and then create the exceptions based on the XDR agent detections.