Best practices for SentinelOne Exclusions


This article is based on SentinelOne community documentation last updated on Jan 23 2025

When you create a path exclusion for suppression or interoperability, apply it to the smallest relevant scope of endpoints, which is a specific group. Do not add exclusions to the default policy of the default group. Instead, create a group that contains only the endpoints that run the application you need to exclude.

These rules apply to path (file and folder) exclusions for all versions:

  • Each exclusion holds exactly one path. You cannot put more than one exclusion path in one exclusion, and the AND and OR operators are not supported.

  • If you can exclude a hash, that is the safest option. Be aware that a hash exclusion covers only that specific build of the file and not every process with the same name, so a new version of the application needs a new exclusion.

  • If you can exclude specific files rather than a folder path, that is safer. If an attacker drops malware into an excluded folder, the Agent cannot protect the endpoint.

  • In the console, the exclusion modes are listed from the highest level of security to the least secure. Use the most secure exclusion mode that resolves your issue.

  • Exclusions for Windows Agents version 4.6+ can include non-customizable environment variables in Path exclusions. See Exclusion rules for Windows below.

    For all other Agents, environment variables are not supported; replace the variable with the literal path. For example, change %appdata% to C:\Users\Bob\AppData\Roaming\

    Or use the * wildcard to match all users: C:\Users\*\AppData\Roaming\

  • Regular expressions are not supported.


Exclusion rules for Windows

  • Exclusions for Windows are NOT case sensitive.

  • The path can start with the drive letter. If the drive is not included, the exclusion applies to all drives. For example:

    • C:\calc.exe excludes CALC on the root of the C drive.

    • calc.exe excludes CALC on all directories and drives.

    • You can use \Device\HarddiskVolume*\ to refer to the root of a volume regardless of which drive letter it is mounted under.

  • Important:

    • If a wildcard is used with HarddiskVolume, you may exclude more devices and folders than you intended, because * also matches the folder separators between the volume number and the folder you meant to exclude.

      • Example: You want to exclude \Device\HarddiskVolume0\Test\ but create this exclusion: \Device\HarddiskVolume*\Test\.

      • Now these paths are also excluded because of the wildcard:

        • \Device\HarddiskVolume8\software\test\

        • \Device\HarddiskVolume12\engineering\study\test\

  • DO NOT USE a wildcard as the drive letter ( *: or ?: ). The syntax is not valid.

    • For example, do NOT use *:\Program Files or ?:\Program Files in an exclusion path. Instead, use *\Program Files to exclude Program Files on all drives.

    • You CAN use the wildcard * to match any character or characters, including zero characters. The metacharacter ? matches exactly one character and cannot stand in for the drive letter.

      • Examples with wildcard * to refer to any character or characters:

        c*c.exe excludes files that start with "c" and end with "c.exe" in all directories on all drives. This includes CALC.EXE, CAMC.EXE and CHARLIE.DOC.EXE, so a pattern this broad should be narrowed to a specific path or file wherever possible.

        Example to exclude the Archives folder in a nested directory: C:\*\Archives\

        Example to exclude GoToMeeting for all users: C:\Users\*\AppData\Local\GoToMeeting\*\g2mlauncher.exe

      • Example with metacharacter ? to refer to one character:

        You CAN use: C:\test?\ to exclude C:\test1\ and C:\testf\.

        DO NOT USE ? as the drive letter. For example, do NOT use ?:\test1\ in an exclusion path.

  • Exclusions for Windows Agents version 4.6+ can include non-customizable environment variables in Path exclusions. Environment variables are translated in the context of a system and not a specific user. Therefore, environment variables that are based on users are not supported.

  • Supported environment variables: %ProgramFiles%, %ProgramFiles(x86)%, %ProgramW6432%, %SystemDrive%, %Windir%, %SystemRoot%, %ProgramData%, %Comspec%, %HomeDrive%, %CommonProgramFiles%, %CommonProgramFiles(x86)%, %AllUsersProfile%, %Public%.

    • For example: %ProgramFiles(x86)%\Citrix\ICA Client\

    • All other environment variables are NOT supported. In particular, %Userprofile% is NOT supported.

  • For Interoperability and Performance Focus exclusions: For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion.

    • Best Practice: We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.

  • If you make an exclusion for an AppStacked application or snapvolume, use the folder SVROOT for the mount.

    • For example: Change: C:\Program Files (x86)\Click\check.exe To: *\SVROOT\Program Files (x86)\Click\check.exe to exclude C:\snapvolumes\{GUID}\SVROOT\Program Files (x86)\Click\check.exe
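The Windows rules above can be checked before an exclusion is saved. The following Python is an example added here by the editor and is not SentinelOne or Guardz code: it flags AND/OR, a wildcard in the drive-letter position, and any environment variable outside the supported list, rewrites the per-user variables to the C:\Users\*\ form the page recommends, and warns when the result excludes a whole folder rather than a file or when it applies to every drive. The expansion values in ASSUMED_DEFAULTS, and the %localappdata% and %userprofile% rewrites that extend the page's %appdata% example, are the editor's assumptions about a standard install on C:, not anything the Agent exposes.

```python
"""Pre-flight check for one Windows path exclusion against the rules on this
page: one path per exclusion, no wildcard drive letter, only the listed
non-customizable environment variables, and a warning when a whole folder
rather than a file is excluded. Added example by the editor; not SentinelOne
code. ASSUMED_DEFAULTS are the editor's assumptions about a standard install
on C: and exist only so the preview reads as a real path."""
import re

# Variables the page lists as supported for Windows Agents 4.6+ (lower-cased)
SUPPORTED_ENV = {
    "programfiles", "programfiles(x86)", "programw6432", "systemdrive", "windir",
    "systemroot", "programdata", "comspec", "homedrive", "commonprogramfiles",
    "commonprogramfiles(x86)", "allusersprofile", "public",
}

# Assumed values on a default C: install; used only to render the preview
ASSUMED_DEFAULTS = {
    "programfiles": "C:\\Program Files",
    "programfiles(x86)": "C:\\Program Files (x86)",
    "programw6432": "C:\\Program Files",
    "systemdrive": "C:",
    "windir": "C:\\Windows",
    "systemroot": "C:\\Windows",
    "programdata": "C:\\ProgramData",
    "comspec": "C:\\Windows\\System32\\cmd.exe",
    "homedrive": "C:",
    "commonprogramfiles": "C:\\Program Files\\Common Files",
    "commonprogramfiles(x86)": "C:\\Program Files (x86)\\Common Files",
    "allusersprofile": "C:\\ProgramData",
    "public": "C:\\Users\\Public",
}

# Per-user variables are not supported; the page's fix is C:\Users\*\... (the
# localappdata and userprofile entries are the editor's extension of the
# page's %appdata% example)
USER_VAR_REWRITE = {
    "appdata": "C:\\Users\\*\\AppData\\Roaming",
    "localappdata": "C:\\Users\\*\\AppData\\Local",
    "userprofile": "C:\\Users\\*",
}

ENV_RE = re.compile(r"%([^%]+)%")


def check_windows_exclusion(pattern: str) -> dict:
    """Return problems (must fix), warnings (think twice) and a rewritten preview."""
    problems, warnings = [], []
    preview = pattern

    if re.search(r"\s(AND|OR)\s", pattern, re.IGNORECASE):
        problems.append("one path per exclusion; AND and OR are not supported")
    if re.match(r"^[*?]:", pattern):
        problems.append("a wildcard cannot stand in for the drive letter (*: or ?:)")
        preview = "*" + preview[2:]            # *:\Program Files -> *\Program Files

    for var in ENV_RE.findall(pattern):
        key = var.lower()
        if key in SUPPORTED_ENV:
            preview = preview.replace(f"%{var}%", ASSUMED_DEFAULTS[key])
        elif key in USER_VAR_REWRITE:
            problems.append(f"%{var}% is resolved per user and is not supported")
            preview = preview.replace(f"%{var}%", USER_VAR_REWRITE[key])
        else:
            problems.append(f"%{var}% is not a supported environment variable")

    if preview.endswith("\\"):
        warnings.append("folder exclusion: anything dropped into this folder is not inspected; prefer a specific file or a hash")
    if not re.match(r"^([A-Za-z]:\\|\\Device\\)", preview):
        warnings.append("no drive letter: the exclusion applies to every drive")

    return {"valid": not problems, "problems": problems, "warnings": warnings, "preview": preview}


if __name__ == "__main__":
    # Constructed candidates: the page's Citrix example, a per-user variable, an invalid drive wildcard
    for candidate in (
        "%ProgramFiles(x86)%\\Citrix\\ICA Client\\",
        "%appdata%\\Slack\\slack.exe",
        "*:\\Program Files\\Vendor\\tool.exe",
    ):
        print(candidate, "->", check_windows_exclusion(candidate))
```

Run it as a script to see the three constructed candidates evaluated: the Citrix example passes but carries the folder warning, the %appdata% path is rejected with the C:\Users\*\AppData\Roaming\ rewrite offered as the preview, and the *: pattern is rejected with the *\ form the page prescribes.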

Known and resolved issues:

  • WIN-50217: After upgrading the SentinelOne Windows Agent to version 23.4 SP1, Citrix PVS Shell servers might freeze under heavy memory load.

    • To work around this issue on Windows Agent version 23.4 SP1, add this Policy Override:

      { "enableYaraMemoryScanner": false, "enableCryptoMinerMemoryScanner": false }

    • This issue is fixed in Agent version 23.4 SP2. We recommend that you upgrade to this version.

  • WIN-50404, WIN-50443: In rare instances on Citrix PVS shell servers, lsm.dll attempts to terminate all processes in the session, throws an unhandled exception, and causes the operating system to crash.

    • To work around this issue, exclude svchost.exe from the SentinelOne Agent UnhandledExceptionFilter hook. Add this Policy Override configuration:

      { "hooksExclusion": { "hooksExclusionVector": [ { "exclusions": [ "UnhandledExceptionFilter" ], "pattern": "*\\svchost.exe" } ] } }

Exclusion rules for Linux and K8s

  • Exclusions for Linux and K8s are case sensitive.

  • The path must be absolute: start with a forward slash ( / - ASCII char 47).

  • The path must not start or end with a space.

  • If you select Include Subfolders, the path must end with a forward slash.

  • The * wildcard is supported in path exclusions.

    • Example: /usr/*/bin

      • Will match:

        /usr/a/bin

        /usr/a/b/bin

        /usr/a/b/c/bin

      • Will not match: /usr/bin


Exclusion rules for macOS

  • Exclusions for macOS are case sensitive.

  • The path must start with a forward slash ( / - ASCII char 47). It cannot start with a space or wildcard.

  • These wildcards and metacharacters are supported in path exclusions:

    • * - Represents 0 or more characters for a single folder or file name in the path. Example: /a/b/*/d

      • Will match /a/b/c/d and /a/b/e/d

      • Will not match /a/b/c/e/d

    • *? - Represents 0 or more characters across multiple folders, but still requires an exact match for what comes after it in the path. Example: /a/b/c/*?/my_file_folder/file.docx

      • Will match: /a/b/c/d/e/f/any_number_of_folders/my_file_folder/file.docx

      • Will not match: /a/b/c/d/e/f/file.docx because the name file.docx does not match my_file_folder

    • ? - Represents one character in a path. Example: /a/b/?/d

      • Will match: /a/b/c/d

      • Will not match: /a/b/ccc/d
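To see which paths a given exclusion would actually cover under the Windows, Linux and macOS wildcard rules described above, including the HarddiskVolume* over-match from the Windows section, the following Python translates an exclusion into a regex with those semantics and reports the matching paths from a candidate list. It is an example added here by the editor, not SentinelOne code, and the Agent's own matcher is not public; where the page is silent, for instance whether a Windows ? may match a backslash or what a trailing separator covers, the code's choice is an assumption and is marked in the comments.

```python
"""Matcher for the per-platform wildcard semantics this page documents.
Added example by the editor; not SentinelOne code, and the Agent's real
matcher is not public. Where the page is silent (for example whether a
Windows '?' may match a backslash) the behaviour below is an assumption
and is marked as such."""
import re

WINDOWS, LINUX, MACOS = "windows", "linux", "macos"


def exclusion_to_regex(pattern: str, platform: str):
    """Translate one exclusion path into an anchored compiled regex.

    Raises ValueError for syntax the page says is invalid.
    """
    if platform == WINDOWS:
        if re.match(r"^[*?]:", pattern):
            raise ValueError("*: or ?: as the drive letter is not valid syntax")
        sep, flags = "\\", re.IGNORECASE      # Windows exclusions are not case sensitive
    else:
        if not pattern.startswith("/") or pattern != pattern.strip():
            raise ValueError("Linux/macOS exclusions must be absolute with no leading or trailing space")
        sep, flags = "/", 0                   # Linux and macOS exclusions are case sensitive
    esc = re.escape(sep)

    parts, i = [], 0
    while i < len(pattern):
        if platform == MACOS and pattern.startswith("*?", i):
            parts.append(".*")                # macOS '*?': any number of folders
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            # macOS '*' stays inside one folder or file name; on Windows and Linux
            # '*' also crosses separators (HarddiskVolume*\Test\ and /usr/*/bin)
            parts.append(f"[^{esc}]*" if platform == MACOS else ".*")
        elif ch == "?":
            parts.append(f"[^{esc}]")         # exactly one character (assumption: never a separator)
        else:
            parts.append(re.escape(ch))
        i += 1
    body = "".join(parts)

    if platform == WINDOWS and not re.match(r"^([A-Za-z]:|\\|\*)", pattern):
        body = f"(?:^|.*{esc}){body}"         # no drive letter: any drive, any directory
    if pattern.endswith(sep):
        body += ".*"                          # trailing separator: the folder and everything below it (assumption)
    return re.compile(f"^{body}$", flags)


def matches(pattern: str, path: str, platform: str) -> bool:
    return exclusion_to_regex(pattern, platform).match(path) is not None


def covered(pattern: str, paths: list, platform: str) -> list:
    """Return the subset of candidate paths the exclusion would cover."""
    return [p for p in paths if matches(pattern, p, platform)]


# Constructed sample paths; the first three are the page's HarddiskVolume example
VOLUME_PATHS = [
    "\\Device\\HarddiskVolume0\\Test\\",
    "\\Device\\HarddiskVolume8\\software\\test\\",
    "\\Device\\HarddiskVolume12\\engineering\\study\\test\\",
    "\\Device\\HarddiskVolume3\\Test\\report.docx",
]

if __name__ == "__main__":
    print(covered("\\Device\\HarddiskVolume*\\Test\\", VOLUME_PATHS, WINDOWS))   # all four paths
    print(covered("\\Device\\HarddiskVolume?\\Test\\", VOLUME_PATHS, WINDOWS))   # volumes 0 and 3 only
    print(covered("/usr/*/bin", ["/usr/bin", "/usr/a/bin", "/usr/a/b/c/bin"], LINUX))
    print(covered("/a/b/*/d", ["/a/b/c/d", "/a/b/e/d", "/a/b/c/e/d"], MACOS))
```

The first two printed lines are the point of the exercise: the page's \Device\HarddiskVolume*\Test\ pattern covers the unrelated \software\test\ and \engineering\study\test\ folders, whereas tightening the wildcard on the volume number to ? keeps only the Test folders (at the cost of not matching two-digit volume numbers). The Linux and macOS calls reproduce the page's own examples, so a pattern can be tried against real paths from an endpoint before it is deployed.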
