How To Exclude A File/Folder From Being Scanned
Written by Omer Kushmirski

Starting in June 2024, with AG.AI version 2.2, clients can manually exclude specific files and folders from being scanned and mitigated by the Agent. This feature lets users override Agent recommendations and active mitigations for reasons such as false positives, specific penetration-testing scenarios, troubleshooting and more. Every exclusion is a blind spot for the Agent, so keep the list short and scope each entry as narrowly as the case requires.

There are two ways to set exclusions so the Agent knows not to scan specific files:

Exclude a Specific File

With this option, the user adds the specific file and the file's hash for reference. The Agent will then ignore this file.

Exclude a Whole Folder

With this option, the user sets the path to a folder. The Agent will then exclude everything within this folder from being scanned.

Policy Configuration

As with any other Agent event response rule, to exclude a file using either method the user needs to open the Policy Agent Configuration pane. To access it:

  1. Go to the Policy menu item.

  2. Choose the Event Response sub-menu item.

  3. Scroll down to the Agent Policy section.

Reminder: Agent Policy Rule Structure

An Agent's rule is based on the following parameters:

  • Level - Determines the applicability of the rule. The available scopes are global (all agents), group, or a specific endpoint.

  • Event - The event that activates the rule.

  • Action - The action executed when the trigger event occurs.

Configure File/Folder Exclusion

To configure an exclusion rule, the user needs to access the Agent Policy Section as mentioned above and add a new rule.


To add a new rule: Click on "Add" next to the Agent Policy title.

Inside the Rule Creation pop-up, the user will need to set the scope where the rule should be applied, and then choose the relevant event - File/Folder Exclusion.

Configuring Exclusion Method

Once the event type File/Folder Exclusion has been selected, the action will be set to Exclude by default.

Referring back to the two modes described at the start of this guide, the user then chooses either File or Folder exclusion using the provided toggle.

Folder Exclusion

If the folder option is chosen, the user will need to set the path to the folder. It is possible to add multiple folders within a single rule.

To add a path:

  1. Click on the input field next to the Folder Path List and enter the path.

  2. Press Enter to save the path.

Each path is saved as a separate tag within the same input field, so it can also be removed using the "X" button next to the text. Repeat this process to add as many paths as needed.



File Exclusion

  1. To exclude a file, follow the same process but choose the File option.

  2. Specify either the file path or the file identifier (MD5 hash) of the specific file. A hash pins one exact file content, so it keeps working if the file is moved or renamed but must be updated after any change to the file itself.

Important note!

To add multiple hashes or paths, add multiple values under the same rule, not separate rules.

The hierarchy between the levels (global / group / specific endpoint) determines which rule applies and when a rule is overridden. For example, a rule for a specific endpoint will override the global rule.

Defining the same rule twice with different values can cause classification issues, leading to errors. Therefore, to define several values (e.g., multiple paths), add them all under the same rule.
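The override and duplicate-rule behaviour described above, modelled as an added example (this is not CYFOX code, and the Agent's actual matching logic is not published on this page). The model assumes that the most specific applicable level wins outright (endpoint over group over global), that folder paths are compared per path component and case-insensitively as on Windows, and that file rules match either an exact path or an MD5 hash. The endpoint and group names, paths and hash in the sample policy are constructed for the demo.

```python
"""How exclusion rules resolve across Level scopes: an added model.

Not CYFOX code. Assumptions (not from the page): the most specific
applicable level wins outright (endpoint > group > global); folder
paths are compared per path component and case-insensitively, as on
Windows; file rules match an exact path or an MD5 hash.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

LEVEL_RANK = {"global": 0, "group": 1, "endpoint": 2}


@dataclass
class Rule:
    level: str              # "global", "group" or "endpoint"
    target: str | None      # group name or endpoint name; None for global
    mode: str               # "folder" or "file"
    values: list[str] = field(default_factory=list)  # paths, or MD5s for file rules


def find_duplicate_rules(rules: list[Rule]) -> list[tuple]:
    """Flag what the page warns against: the same (level, target, mode)
    rule defined more than once. Extra values belong in the existing rule."""
    counts = Counter((r.level, r.target, r.mode) for r in rules)
    return [key for key, n in counts.items() if n > 1]


def applies_to(rule: Rule, endpoint: str, group: str) -> bool:
    if rule.level == "global":
        return True
    if rule.level == "group":
        return rule.target == group
    return rule.target == endpoint


def effective_rule(rules, endpoint, group, mode):
    """Most specific applicable rule of the given mode, or None. With two
    rules at the same level, max() keeps the first one it sees and the
    second is silently ignored: that is the duplicate-rule failure mode."""
    candidates = [r for r in rules if r.mode == mode and applies_to(r, endpoint, group)]
    return max(candidates, key=lambda r: LEVEL_RANK[r.level], default=None)


def _parts(path: str) -> tuple[str, ...]:
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def folder_covers(folder: str, path: str) -> bool:
    """True if path lies inside folder. Whole components are compared so
    that C:\\Tools does not also cover C:\\Toolsbad\\x.exe."""
    f, p = _parts(folder), _parts(path)
    return len(p) > len(f) and p[: len(f)] == f


def is_excluded(rules, endpoint, group, path, md5=None) -> bool:
    """Would the Agent (under this model) skip `path` on this endpoint?"""
    folder_rule = effective_rule(rules, endpoint, group, "folder")
    if folder_rule and any(folder_covers(f, path) for f in folder_rule.values):
        return True
    file_rule = effective_rule(rules, endpoint, group, "file")
    if file_rule is None:
        return False
    wanted = {v.lower() for v in file_rule.values}
    return path.lower() in wanted or (md5 is not None and md5.lower() in wanted)


# Constructed sample policy (names, paths and hash are made up for the demo).
SAMPLE_RULES = [
    Rule("global", None, "folder", [r"C:\Tools\Pentest"]),
    Rule("group", "Finance", "folder", [r"C:\Apps\Ledger"]),
    Rule("endpoint", "WS-042", "file",
         [r"C:\Temp\probe.exe", "d41d8cd98f00b204e9800998ecf8427e"]),
    # A second global folder rule: the page says to add the path to the
    # existing rule instead, so the linter should flag this pair.
    Rule("global", None, "folder", [r"C:\Scratch"]),
]

if __name__ == "__main__":
    print("duplicates:", find_duplicate_rules(SAMPLE_RULES))
    for ep, grp, path in [("WS-001", "Sales", r"C:\Tools\Pentest\nc.exe"),
                          ("WS-007", "Finance", r"C:\Tools\Pentest\nc.exe"),
                          ("WS-001", "Sales", r"C:\Scratch\a.exe")]:
        print(ep, grp, path, "->", is_excluded(SAMPLE_RULES, ep, grp, path))
```

Under this model the linter flags the second global folder rule, and C:\Scratch is never applied because the first global rule wins the tie. The override side-effect is worth planning for: on a Finance endpoint the group rule replaces the global folder list, so C:\Tools\Pentest is no longer excluded there unless that path is also added to the group rule.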


Notes & Tips

  • If a file was mitigated before an exclusion policy was applied, it must first be released from the mitigation window. Applying a file exclusion policy does not automatically release a file that was already mitigated.

  • An excluded folder is not scanned at all, so anything written into it later is also unscanned. Where possible, exclude the specific file by hash instead, and keep folder exclusions to paths that ordinary users cannot write to.

  • To check the MD5 hash of a file on Windows, you can use the built-in utility CertUtil. Here are the steps:

    Open Command Prompt:

    • Press Win + R to open the Run dialog.

    • Type cmd and press Enter to open the Command Prompt.

    Run the CertUtil Command:

    In the Command Prompt window, type the following command and press Enter:

    certutil -hashfile path_to_file MD5

    Replace path_to_file with the full path to the file you want to check, quoting it if it contains spaces. For example, if your file is located at C:\Users\YourName\Documents\example.txt, the command would be:

    certutil -hashfile C:\Users\YourName\Documents\example.txt MD5

    View the Output

    After running the command, you will see an output that includes the MD5 hash of the file. It will look something like this:

    MD5 hash of file C:\Users\YourName\Documents\example.txt:
    d41d8cd98f00b204e9800998ecf8427e
    CertUtil: -hashfile command completed successfully.

    The string d41d8cd98f00b204e9800998ecf8427e is the MD5 hash of the file. This particular value is the hash of an empty file; any other content yields a different 32-character hex string. Copy the string exactly as printed into the File exclusion rule.
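For batches of files, the CertUtil procedure above can be scripted. The following is an added helper, not CYFOX code: it uses hashlib, which produces the same MD5 digest CertUtil prints, to hash a list of files, report any path that cannot be read instead of silently skipping it, and confirm an existing hash against the file on disk. The sample files it hashes are constructed in a temporary directory; the empty one reproduces the value shown in the CertUtil output above.

```python
"""MD5 file identifiers for a File exclusion rule: an added helper.

Not CYFOX code. hashlib's MD5 yields the same digest CertUtil prints,
so the values can be checked before pasting them into the rule. The
sample files are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # the value in the CertUtil example


def md5_of_file(path, chunk_size=1 << 20) -> str:
    """Lowercase hex MD5 of a file, read in chunks so large binaries do
    not need to fit in memory. Raises OSError if the path cannot be read."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_matches(path, expected: str) -> bool:
    """Compare case-insensitively: CertUtil prints lowercase, while other
    tools such as PowerShell's Get-FileHash print uppercase."""
    return md5_of_file(path) == expected.strip().lower()


def hashes_for_rule(paths):
    """Return (hashes, errors). `hashes` is the list of values to enter, as
    separate tags, in ONE File exclusion rule; `errors` lists paths that
    could not be read, so a typo does not silently drop a file from the rule."""
    hashes, errors = [], []
    for p in paths:
        try:
            hashes.append(md5_of_file(p))
        except OSError as exc:
            errors.append(f"{p}: {exc.strerror or exc}")
    return hashes, errors


def demo():
    """Hash two constructed files plus one missing path and report."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = Path(tmp, "example.txt")
        empty.write_bytes(b"")
        tool = Path(tmp, "probe.exe")
        tool.write_bytes(b"MZ" + b"\x00" * 62 + b"not a real program\n")  # constructed content
        hashes, errors = hashes_for_rule([empty, tool, Path(tmp, "missing.exe")])
        empty_ok = md5_matches(empty, EMPTY_FILE_MD5.upper())
    return {"hashes": hashes, "errors": errors, "empty_matches_page_example": empty_ok}


if __name__ == "__main__":
    result = demo()
    print("tags for the rule:", ", ".join(result["hashes"]))
    for err in result["errors"]:
        print("could not hash:", err)
```

Two caveats when using the output: a hash identifies one exact file content, so re-run the helper and update the rule after every update of the excluded tool; and MD5 is a weak identifier (chosen-prefix collisions are practical), so treat a hash exclusion as a convenience for pinning a known file, not as a guarantee that only that file can ever match, and keep it paired with the narrowest folder scope the case allows.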

