This article is based on SentinelOne community documentation last updated on Jan 23 2025.
Summary of Suppress Alerts Path Exclusions (Default) and Interoperability and Performance Focus Exclusions
Suppress Alerts Path Exclusions (Default)
Use default Path exclusions to suppress false positive alerts. When you exclude files or folders with default path exclusions, Agents monitor the files and processes but do not show alerts in the Console and do not mitigate detections. This also applies to detections in threat groups whose root process is in the excluded path or file.
When you create an exclusion from a detection and select File path, this is the type of exclusion created.
By default, Suppress Alert exclusions apply to alerts from all engines. You can set the Agent to suppress alerts from specified engines only:
Static AI - Suppress alerts from the Deep File Inspection engine.
Dynamic AI - Suppress alerts raised by Behavioral AI engines.
All engines (default) - Suppress all alerts.
Caution: Make sure the detection that the exclusion is based on is a false positive. Legitimate threats in the path will not be mitigated.
Interoperability and Performance Focus Exclusions
Interoperability or Performance Focus path exclusions are sometimes necessary to resolve issues with specific files or processes. With these exclusions, Agents reduce monitoring and mitigation of the excluded items.
Interoperability or Performance Focus exclusions have more risk than Suppress Alerts exclusions because all activities that start from or use the excluded item are not fully visible to SentinelOne Agents. This can affect mitigation if an excluded item is part of a malicious execution.
For Interoperability and Performance Focus exclusions on Windows: To guarantee the exclusion is applied, restart the process or reboot the endpoint. For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion.
Best Practice: We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.
Exclusion Modes in Detail
To maximize security, try to resolve interoperability or performance issues with the least severe option. Try the exclusion modes in the sequence shown. Use the Performance Focus options only if the Interoperability options do not resolve the issues.
Suppress Alerts (default Path exclusion): Do not display alerts or mitigate detections on the excluded processes.
If the root of a threat group is suppressed, events of the entire Storyline™ (including sub-processes) for the child processes are also suppressed and will not show alerts in the Console.
Usage example: Stop false positives from a specific file or process.
Caution: Make sure the detection that the exclusion is based on is a false positive. Legitimate threats in the path will not be mitigated.
Interoperability: Reduce the monitoring level on the excluded processes, in addition to suppressing alerts.
More Info: This exclusion stops the Agent from injecting the Agent DLL into processes in the path. This reduces Agent interaction with these processes. The Agent continues to monitor and use kernel events.
Usage example: To solve interoperability issues related to the Agent code injection into other applications.
Caution: This lowers protection as it reduces events that the Agent monitors. Endpoint events, previously known as Deep Visibility Events, and behavioral indicators that depend on in-process monitoring will not be collected.
Interoperability - extended: Reduce the monitoring level on the excluded processes and their child-processes. (Same as the Interoperability option but includes child-processes.)
Usage example: To solve interoperability issues related to the Agent code injection into other applications, when the Interoperability option did not resolve the issue.
Performance Focus: Disable monitoring of the excluded processes, in addition to suppressing alerts.
More info: It stops the Agent from injecting the Agent DLL into processes in the path and stops monitoring most kernel events. Agents do not use OS events that are generated by or for the excluded process.
Usage example: To solve issues where a specific application generates many events (such as file activity, registry, process, memory) and causes high CPU utilization on the endpoint, due to Agent event analysis.
Caution: This lowers protection significantly as the Agent does not monitor the excluded processes.
Deep Visibility™: Events and behavioral indicators for the excluded processes will not be collected.
Performance Focus - extended: Disable monitoring of the excluded processes and their child-processes. (Same as the Performance Focus but includes child processes.)
Usage example: To solve issues where a specific application generates many events due to Agent event analysis, when the Performance Focus option did not resolve the issue.
Deep Visibility™: Events and behavioral indicators for the excluded processes will not be collected.
Agent Support for each Path Exclusion Mode
Agent Support for Exclusions
Exclusions Mode | Windows 2.8+ and macOS 4.1 - 4.3 | macOS 4.6+ | Linux (all) |
Suppress Alerts | Yes | Yes | Yes |
Suppress Alerts - Static AI engine | Yes | Yes | Yes |
Suppress Alerts - Dynamic AI engine | Yes | Yes | Yes |
Suppress Alerts - Application Control | No | No | Yes (from 22.2) |
Interoperability | Yes | No | No |
Interoperability - extended | Yes | No | No |
Performance Focus | Yes | Yes | Yes (from 4.0) |
Performance Focus - extended | Yes | Yes | Yes (from 4.0)* |
* See Note in Performance Focus - extended details.
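The mode descriptions and the support table above can be turned into a review check for a list of exclusions. The following is an added example, not SentinelOne or Guardz code: the record fields (os, agent, mode, engine, path, description) and the sample records are assumptions made for illustration, and flagging a missing description is a reviewer policy rather than a product rule.

```python
# Added example. Field names are assumed, not a SentinelOne/Guardz export schema.
SEVERITY = ["Suppress Alerts", "Interoperability", "Interoperability - extended",
            "Performance Focus", "Performance Focus - extended"]  # least to most severe

def supported(mode, os_name, agent, engine="All engines"):
    """True/False per the page's support table; None if no column covers the version."""
    v = tuple(int(p) for p in agent.split(".")[:2])  # compare on major.minor only
    col = {"windows": "win" if v >= (2, 8) else None,
           "macos": "mac41" if (4, 1) <= v <= (4, 3) else "mac46" if v >= (4, 6) else None,
           "linux": "linux"}.get(os_name)
    if col is None:
        return None
    if engine == "Application Control":
        return col == "linux" and v >= (22, 2)
    if mode.startswith("Interoperability"):
        return col in ("win", "mac41")
    if mode.startswith("Performance Focus"):
        return col != "linux" or v >= (4, 0)
    return True  # Suppress Alerts: all engines, Static AI, Dynamic AI

def audit(exc):
    """Return the review findings for one exclusion record."""
    rank, findings = SEVERITY.index(exc["mode"]), []
    ok = supported(exc["mode"], exc["os"], exc["agent"], exc.get("engine", "All engines"))
    if ok is not True:
        findings.append("unsupported on this OS/Agent version" if ok is False
                        else "Agent version not covered by the support table")
    if rank >= 1:  # any mode beyond the default Suppress Alerts
        findings.append("Agent DLL not injected; in-process events not collected"
                        if rank <= 2 else "excluded processes are not monitored")
        if exc["os"] == "windows":
            findings.append("restart the process or reboot the endpoint to apply")
        if not exc.get("description"):  # reviewer policy, an assumption
            findings.append("no reason recorded for a non-default mode")
    if "extended" in exc["mode"]:
        findings.append("child processes inherit the exclusion")
    return findings

# Constructed sample records; paths and versions are illustrative only.
SAMPLE = [
    {"os": "windows", "agent": "23.1", "mode": "Suppress Alerts",
     "path": r"C:\Tools\backup.exe", "description": "false positive on backup tool"},
    {"os": "macos", "agent": "23.1", "mode": "Interoperability",
     "path": "/Applications/Example.app/", "description": ""},
    {"os": "linux", "agent": "22.3", "mode": "Performance Focus - extended",
     "path": "/opt/example/bin/", "description": "high CPU during builds"},
]

def report(records=SAMPLE):
    return {r["path"]: audit(r) for r in records}
```

Calling report() returns a dictionary of findings keyed by path; an empty list means the record raised nothing under these checks.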
Procedure: Create a Path Exclusion Manually from Guardz
To create a file or path exclusion:
Go to Security Controls > Endpoint Security > SentinelOne Exclusions.
Click the "+" button to add an exclusion.
Choose the Exclusion Type and select Path.
In Path, enter the full path to the folder.
Note: See all rules for creating path exclusions in Best Practices for Exclusions.
After you enter a path, you see As File or As Folder below.
As File - Only the single file is excluded (default).
As Folder - The whole folder at the path is excluded.
Toggle between these options accordingly.
If you select As Folder, you can select Include Subfolders. This adds all the subfolders to the exclusion.
In OS Type, select the operating system for the exclusion.
Select the Exclusion Mode:
For most exclusions, keep Suppress Alerts selected. To resolve interoperability issues, you will usually require a different option.
Click All engines to set the Agent to suppress alerts from specified engines only.
If Linux is the OS, you can choose to suppress alerts only from the Application Control engine. This is supported with Linux Agents version 22.2+.
Optional: In Description, explain the reason for the exclusion.
Click Add.
For Interoperability and Performance Focus exclusions on Windows: To guarantee the exclusion is applied, restart the process or reboot the endpoint. For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion.
Best Practice: We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.