Adding file and folder exclusions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Adding file and folder exclusions

L0 Member

We have  a security camera server that's been throwing out low memory resource messages and the company that provides the software claims that Cortex XDR endpoint client is causing memory leaks. There are no incidents being triggered by this server and the memory usage of Cortex is always under 1GB of memory. They have provided documentation that appears to be geared more toward traditional antivirus software to add folder and file exceptions from the software. I don't see in the XDR control console a place for me to make these exceptions unless there was an incident or to allow list a vendor or hash. Does this seem like they're grasping for something to be the issue or can anyone help guide me on how to add these exceptions. Below is the document they provided to help understand what they're asking of us to do.

 

https://support.avigilon.com/s/article/ACC-Files-and-Folders-to-be-Added-to-An-Antivirus-Exclusion-L...

1 accepted solution

Accepted Solutions

L4 Transporter

Hi @JLawrence-Serra, thanks for reaching the Live Community.

You can create exceptions rules to avoid files or folder for being scanned by the XDR Agent modules.

You need to create a "Disable Prevention Rule", this is located at Settings → Exception Configuration → Disable Prevention Rules

 

This is the official doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Disab...

 

I recommend creating the rule and apply this only to the Profile that is assigned to this endpoints.

When you define the rule, note that you can use wildcards for the folder definitions. In your case, you will need to create more than one rule to cover all the required folders.

 

jmazzeo_0-1697653610262.png

 

I think this can solve your inquiry.

JM

View solution in original post

4 REPLIES 4

L4 Transporter

Hi @JLawrence-Serra, thanks for reaching the Live Community.

You can create exceptions rules to avoid files or folder for being scanned by the XDR Agent modules.

You need to create a "Disable Prevention Rule", this is located at Settings → Exception Configuration → Disable Prevention Rules

 

This is the official doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Disab...

 

I recommend creating the rule and apply this only to the Profile that is assigned to this endpoints.

When you define the rule, note that you can use wildcards for the folder definitions. In your case, you will need to create more than one rule to cover all the required folders.

 

jmazzeo_0-1697653610262.png

 

I think this can solve your inquiry.

JM

Thank you very much for your help! That helped solve my problem! I appreciate the details you provided in the screen shot.

L0 Member

Hello,

We are implementing FSlogix profiles in our environment. Is the solution you provide here enough? If I need to do something else or different, let me know.

This is the exclusion that I need to add per Microsoft documentation:

File / folder exclusions

  • %TEMP%\*\*.VHD

  • %TEMP%\*\*.VHDX

  • %Windir%\TEMP\*\*.VHD

  • %Windir%\TEMP\*\*.VHDX

  • \\server-name\share-name\*\*.VHD

  • \\server-name\share-name\*\*.VHD.lock

  • \\server-name\share-name\*\*.VHD.meta

  • \\server-name\share-name\*\*.VHD.metadata

  • \\server-name\share-name\*\*.VHDX

  • \\server-name\share-name\*\*.VHDX.lock

  • \\server-name\share-name\*\*.VHDX.meta

  • \\server-name\share-name\*\*.VHDX.metadata

    Cloud Cache specific exclusions

  • %ProgramData%\FSLogix\Cache\* (folder and files)

  • %ProgramData%\FSLogix\Proxy\* (folder and files)

    Prerequisites for FSLogix - FSLogix | Microsoft Learn
    Thank you in advance for your guidance.



Hi @J.Bravo779077, we don't recommend to add exceptions before installing the agent. Those recommendations are for legacy antivirus solutions, any modern EDR solution like XDR works monitoring behaviors of the running applications.

You can create a "report only" profile and apply it to this kind of servers and then monitor if the agent detects something from this application as malicious, and then create the exceptions based on the XDR agent detections.

JM
  • 1 accepted solution
  • 2788 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!