Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

File event exclusions

Overview

Use file event exclusions to define a list of file types and file paths to exclude from Incydr monitoring. Excluding file types and paths prevents user devices from consuming resources to index file activity you're not interested in monitoring. It also prevents irrelevant or unimportant file events from appearing in dashboard visualizations, alerts, and Forensic Search results. 

This article describes how to set and manage file event exclusions in the Code42 console. 

Considerations 

What is excluded?

In general, file event exclusions apply to endpoint activity on disk, not exfiltration. For example, Incydr still detects files in excluded paths being uploaded via a browser or moved to removable media.

See the table below for details about how each exclusion type affects detection of file exfiltration activity. In the table:

  • Excluded = file activity is not detected
  • Not excluded = file activity is detected
| Exclusion type (rows) / Detection type (columns) | All file activity / File metadata collection | Cloud sync applications | Removable media | Browser and other app activity | Print |
|---|---|---|---|---|---|
| Directory exclusion [1] | Excluded | Excluded [2] | Not excluded [3] | Not excluded | Not excluded |
| File extension exclusion [1] | Excluded | Excluded | Excluded | Not excluded | Not excluded |
| Filename exclusion (via regex) | Excluded | Excluded | Excluded | Not excluded | Not excluded |

[1] Directory and file extension exclusions created via a custom regular expression (regex) follow the same rules as those created via the dedicated fields below.

[2] If the cloud sync directory is excluded (for example C:\Users\Username\Google Drive), sync activity within that directory is excluded. However, if a file in that directory is uploaded via a web browser or moved to removable media, that exfiltration activity is still detected.

[3] Files moved from an excluded path to removable media are detected, unless the removable media destination path itself is also excluded.

File event exclusions

To view file event exclusions: 

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > File event exclusions.

File event exclusions list with annotations

| Item | Description |
|---|---|
| a. Create exclusion | Creates a file event exclusion. |
| b. Exclusion | The file extension, directory, or regular expression being excluded. Regular expressions are case sensitive: Code42 evaluates the regular expression as entered, taking any capitalization used into account. File extension or directory exclusions are not case sensitive. |
| c. Type | The file event exclusion type. |
| d. Operating System | The operating system to which the file event exclusion applies. |
| e. Edit | Click to edit the file event exclusion. |
| f. Delete | Click to delete the file event exclusion. |

Create exclusion

To create file event exclusions:

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > File event exclusions.
  3. Click Create exclusion.
  4. Select the operating system to which the exclusion applies.
  5. Select an exclusion type.
  6. Click Next.
    The following options vary based on exclusion type: file extension, directory, or regular expression.

File extension

To exclude file events by file extension:

  1. Enter the file extension, without the leading period.
    File extension exclusions are not case sensitive.
  2. (Optional) Add multiple file extension exclusions in one step by clicking the plus icon.

  3. Click Create.

Directory 

To exclude file events by directory: 

  1. Choose Path prefix or Contains.
  2. Enter the prefix or string. Do not use wildcards.
    Directory exclusions are not case sensitive.
    • Path prefix: For Windows, the prefix must start with a letter. For Mac and Linux, it must start with a /. For example:
      • Windows: C:/proc/
      • Mac: /Library/Application Support/Code42-AAT/Data/logs/
      • Linux: /usr/local/qualys/cloud-agent/
    • Contains: For example: 
      • Windows: /Mozilla/Firefox/.cache./
      • Mac: /Library/Application Support/CrashReporter/
      • Linux: /Mozilla/Firefox/.cache./
  3. (Optional) Add multiple directory exclusions in one step by clicking the plus icon.

  4. Click Create.

Regular expression 

A regular expression (regex) is a search pattern that locates files and folders containing a specific sequence of characters by comparing that sequence to absolute file paths on your device. Regular expressions let you fine-tune exclusions and define more complex file event exclusion rules.

Test your regular expressions
Because these types of regular expressions are often complex, it is especially important to test any regular expressions thoroughly prior to deployment in a production environment. Our Customer Champions can't help validate your regular expressions.

Remember that regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account.

Regular expression examples:

  • Any operating system: ^/proc/.*
  • Windows: ^.:/Users/[^/]*/AppData/.*
  • Mac: ^/Users/[^/]*/Library/.*\.db
  • Linux: ^/dev/shm$
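
One way to test exclusion patterns before deployment, as an added example (not Code42 code): it runs three of the patterns above against constructed sample paths and reports paths an exclusion would wrongly hide, paths it would miss, and paths whose result depends on match semantics. Assumptions: the article does not say whether a pattern must match the whole path or only part of it, so both are checked, and Python's re module stands in for the engine Incydr actually uses.

```python
import re

# Patterns copied from the article's regular expression examples.
PATTERNS = {
    "windows": r"^.:/Users/[^/]*/AppData/.*",
    "mac": r"^/Users/[^/]*/Library/.*\.db",
    "linux": r"^/dev/shm$",
}

# Constructed sample paths: (absolute path, should it be excluded?).
CASES = {
    "windows": [
        ("C:/Users/alice/AppData/Local/Temp/x.tmp", True),
        ("C:/Users/alice/Documents/plan.docx", False),
        # Same folder, different capitalization: regex is case sensitive.
        ("C:/users/alice/appdata/Local/x.tmp", True),
    ],
    "mac": [
        ("/Users/bob/Library/Mail/index.db", True),
        ("/Users/bob/Documents/customers.db", False),
        # ".db" appears mid-name; the result depends on match semantics.
        ("/Users/bob/Library/Notes/export.dbx", False),
    ],
    "linux": [
        ("/dev/shm", True),
        ("/dev/shm/scratch.bin", False),  # anchored pattern: exact path only
    ],
}

def audit(pattern, cases):
    """Return (finding, path) pairs for every path that needs review."""
    rx = re.compile(pattern)  # no re.IGNORECASE: case sensitive, as documented
    findings = []
    for path, want_excluded in cases:
        partial = rx.search(path) is not None
        whole = rx.fullmatch(path) is not None
        if partial != whole:
            findings.append(("ambiguous", path))   # depends on engine semantics
        elif whole and not want_excluded:
            findings.append(("overbroad", path))   # monitoring blind spot
        elif want_excluded and not whole:
            findings.append(("gap", path))         # noise not suppressed
    return findings

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        for finding, path in audit(pattern, CASES[name]):
            print(f"{name}: {finding}: {path}")
```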

Manage exclusions

To view, edit, or delete a file event exclusion, see the File event exclusions list.