File event exclusions

Overview

Use file event exclusions to define what file activity to exclude from Incydr monitoring. Excluding files by path or process prevents user devices from consuming resources to index file activity you're not interested in monitoring. It also prevents irrelevant or unimportant file events from appearing in dashboard visualizations, alerts, and Forensic Search results. 

This article describes how to set and manage file event exclusions in the Code42 console. 

Considerations 

  • File event exclusions apply to all organizations and devices in your Code42 environment. 
  • To view and modify file event exclusions, you must have the Security Administrator or Customer Cloud Admin role.
  • Process exclusions only apply to the insider risk agent. Path exclusions apply to all agent types. 

What is excluded?

In general, file event exclusions apply to endpoint activity on disk, not exfiltration. For example, Incydr still detects files in excluded paths being uploaded via a browser or moved to removable media.

See the table below for details about how each exclusion type affects detection of file exfiltration activity. In the table:

  • Excluded = file activity is not detected
  • Not excluded = file activity is detected
  Exclusion type                       All file activity /         Cloud sync       Removable          Browser and other   Print
                                       File metadata collection    applications     media              app activity
  Path: Directory exclusion [1]        Excluded                    Excluded [2]     Not excluded [3]   Not excluded        Not excluded
  Path: File extension exclusion [1]   Excluded                    Excluded         Excluded           Not excluded        Not excluded
  Path: Filename exclusion (regex)     Excluded                    Excluded         Excluded           Not excluded        Not excluded
  Process exclusion                    Excluded                    Excluded         Excluded           Not excluded        Not excluded

[1] Directory and file extension exclusions created via a custom regular expression (regex) follow the same rules as those created via the dedicated fields below.

[2] If the cloud sync directory is excluded (for example C:/Users/Username/Google Drive), sync activity within that directory is excluded. However, if a file in that directory is uploaded via a web browser or moved to removable media, that exfiltration activity is still detected.

[3] Files moved from an excluded path to removable media are detected, unless the removable media destination path itself is also excluded.

File event exclusions

To view file event exclusions: 

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > File event exclusions.

File event exclusions list

  Item  Description
  a     Create exclusion: Creates a file event exclusion, either by path or process.
  b     Path Exclusions: Displays the list of exclusions by path.
  c     Process Exclusions: Displays the list of exclusions by process. Process exclusions only apply to the insider risk agent.
  d     Exclusion: The file extension, directory, or regular expression being excluded.
        Regular expressions are case sensitive: exclusions entered using regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account. File extension or directory exclusions are not case sensitive.
  e     Type: The file event exclusion type.
  f     Operating System: The operating system to which the file event exclusion applies.
  g     Edit: Click to edit the file event exclusion.
  h     Delete: Click to delete the file event exclusion.

Create exclusion

To create file event exclusions:

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > File event exclusions.
  3. Click Create exclusion.
  4. Choose either Path or Process.
  5. Select the operating system to which the exclusion applies.
  6. Select an exclusion type.
  7. Click Next.
    The following options vary based on exclusion type.

Path exclusions

When creating a path exclusion, you can create one by file extension, directory, or regular expression.

File extension

To exclude file events by file extension:

  1. Enter the file extension, without the leading period.
    File extension exclusions are not case sensitive.
  2. (Optional) Add multiple file extension exclusions in one step by clicking the plus icon.

    Create file extension exclusion

  3. Click Create.

Directory 

To exclude file events by directory: 

  1. Choose Path prefix or Contains
  2. Enter the prefix or string. Do not use wildcards.
    Directory exclusions are not case sensitive.  
    • Path prefix: For Windows, the prefix must start with a letter. For Mac and Linux, it must start with a /. For example: 
      • Windows: C:/proc/
      • Mac: /Library/Application Support/Code42-AAT/Data/logs/
      • Linux: /usr/local/qualys/cloud-agent/
    • Contains: For example: 
      • Windows: /Mozilla/Firefox/.cache./
      • Mac: /Library/Application Support/CrashReporter/
      • Linux: /Mozilla/Firefox/.cache./
  3. (Optional) Add multiple directory exclusions in one step by clicking the plus icon.

    Create directory exclusion

  4. Click Create.

Regular expression 

A regular expression (regex) is a search pattern that locates files and folders containing a specific sequence of characters by comparing that sequence to absolute file paths on your device. You can use the power of regular expressions to fine-tune and allow for more complex file event exclusion rules.

Test your regular expressions
Because these types of regular expressions are often complex, it is especially important to test any regular expressions thoroughly prior to deployment in a production environment. Our Technical Support Engineers can't help validate your regular expressions.

Remember that regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account.

Regular expression examples:

  • Any operating system: ^/proc/.*
  • Windows: ^.:/Users/[^/]*/AppData/.*
  • Mac: ^/Users/[^/]*/Library/.*\.db
  • Linux: ^/dev/shm$

Create regex exclusion
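The matching rules described above (extension and directory exclusions not case sensitive, regex exclusions case sensitive and compared against absolute paths written with forward slashes), modelled as an added example for checking candidate exclusions against sample paths before deployment. This is not Code42's code; it assumes that backslashes are normalized to forward slashes and that a regex is searched within the path, so anchor patterns with ^ and $ as the examples above do.

```python
import re

# Constructed sample absolute paths (forward slashes, as the exclusions expect).
SAMPLE_PATHS = [
    "C:/Users/alice/AppData/Local/Temp/report.tmp",
    "C:/Users/alice/Documents/Q3-plan.DOCX",
    "/Users/bob/Library/Caches/index.db",
    "/Users/bob/Library/Caches/index.DB",
    "/proc/1234/status",
    "/dev/shm",
    "/dev/shm/leftover",
    "/home/carol/Mozilla/Firefox/.cache./page.html",
]

def normalize(path):
    # Assumption: backslashes are turned into forward slashes before matching.
    return path.replace("\\", "/")

def by_extension(ext):
    # Extension exclusions: entered without the leading period, not case sensitive.
    return lambda path: normalize(path).lower().endswith("." + ext.lower())

def by_directory(mode, value):
    # Directory exclusions (Path prefix / Contains): not case sensitive, no wildcards.
    def match(path):
        p, v = normalize(path).lower(), value.lower()
        return p.startswith(v) if mode == "prefix" else v in p
    return match

def by_regex(pattern):
    # Regex exclusions: case sensitive, evaluated as entered. Assumption: the
    # pattern is searched within the path, so ^ and $ anchoring is up to you.
    compiled = re.compile(pattern)
    return lambda path: compiled.search(normalize(path)) is not None

# Rules under test: the page's regex examples plus one extension and one Contains rule.
RULES = [
    ("ext:docx", by_extension("docx")),
    ("contains:/Mozilla/Firefox/.cache./", by_directory("contains", "/Mozilla/Firefox/.cache./")),
    ("regex:^/proc/.*", by_regex(r"^/proc/.*")),
    ("regex:^.:/Users/[^/]*/AppData/.*", by_regex(r"^.:/Users/[^/]*/AppData/.*")),
    ("regex:^/Users/[^/]*/Library/.*\\.db", by_regex(r"^/Users/[^/]*/Library/.*\.db")),
    ("regex:^/dev/shm$", by_regex(r"^/dev/shm$")),
]

def evaluate(paths=SAMPLE_PATHS, rules=RULES):
    """Map each path to the labels of the rules that would exclude it."""
    return {p: [label for label, fn in rules if fn(p)] for p in paths}

if __name__ == "__main__":
    for path, hits in evaluate().items():
        print(f"{path}: {'excluded by ' + ', '.join(hits) if hits else 'not excluded'}")
```

Note how index.DB is not excluded by the case-sensitive Mac regex while Q3-plan.DOCX is excluded by the case-insensitive docx extension rule, and how ^/dev/shm$ leaves /dev/shm/leftover monitored.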

Process exclusions

Applies to the insider risk agent only

Use process exclusions to prevent Incydr from generating file events for any activity triggered by processes that don't add value to insider risk detection or investigation. Create a process exclusion by process name, process path, or regular expression.

Process name

To exclude file events by process name: 

  1. Enter the process name as the name of the file on disk.
  2. (Optional) Add multiple processes in one step by clicking the plus icon.
  3. Click Create.

Process path

To exclude file events by process path: 

  1. Choose Full process path, Path prefix, or Contains.
  2. Enter the prefix or string.
    • Process path exclusions are not case sensitive.
    • Do not use wildcards.
    • Use forward slashes (/).
    • When entering a Path prefix for Windows, the prefix must start with a letter. For Mac, it must start with a forward slash (/).

Regular expression

A regular expression (regex) is a search pattern that locates files and folders containing a specific sequence of characters by comparing that sequence to absolute file paths on your device. You can use the power of regular expressions to fine-tune and allow for more complex file event exclusion rules. 

Test your regular expressions
Because these types of regular expressions are often complex, it is especially important to test any regular expressions thoroughly prior to deployment in a production environment. Our Technical Support Engineers can't help validate your regular expressions.

Remember that regular expressions are case sensitive. Code42 evaluates the regular expression as entered, taking any capitalization used into account. 

Use forward slashes (/) in your regular expressions.

Manage exclusions

To view, edit, or delete a file event exclusion, see the File event exclusions list.