What is it all about?
SentinelOne’s Exclusions feature lets admins prevent specific files, folders, processes, or paths from being scanned or acted on by the agent. This helps avoid false positives and performance impact on trusted applications.
Exclusions can be scoped and should be used carefully, since excluding the wrong item can reduce protection by allowing threats in that area to evade detection.
Exclusions via Guardz - Assumptions
Exclusions can be defined globally or per customer. Per-customer exclusions apply to all devices under the selected customer.
Exclusions can be configured and managed via the SentinelOne section within the Security Controls tab.
Once configured, exclusions can be edited through the SentinelOne console, which serves as the primary source of truth. Updates made there are automatically reflected in Guardz to ensure consistency. Alternatively, admins may prefer to create a new exclusion and delete the previous one directly from Guardz.
When moving agents between two separate SentinelOne organizations, exclusions are not automatically transferred. To maintain operational consistency, it is recommended to manually add the relevant exclusions in the target organization after the migration is completed.
How to Set Up Exclusions via Guardz?
1. Path Exclusion
Go to Security Controls > Endpoint Security > SentinelOne Exclusions
Click the "+" button to add an exclusion
Choose the Exclusion Type and select Path
In Path, enter the full path to the folder
Note: See all rules for creating path exclusions in Best Practices for Exclusions.
After you enter a path, you see As File or As Folder below
As File - Only the single file is excluded (default)
As Folder - The whole folder at the path is excluded
Toggle between these options accordingly
If you select As Folder, you can select Include Subfolders. This adds all the subfolders to the exclusion
In OS Type, select the operating system for the exclusion
Select the Exclusion Mode:
For most exclusions, keep Suppress Alerts selected
To resolve interoperability issues, you will usually require a different option
See more information here
Click All engines to set the Agent to suppress alerts from specified engines only
If Linux is the OS, you can choose to suppress alerts only from the Application Control engine.
This is supported with Linux Agents version 22.2+.
Optional: In Description, explain the reason for the exclusion
Click Add
For Interoperability and Performance Focus exclusions on Windows:
To guarantee the exclusion is applied, restart the process or reboot the endpoint.
For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion
We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion
2. Hash Exclusion
Go to Security Controls > Endpoint Security > SentinelOne Exclusions
Click the "+" button to add an exclusion
Choose the Exclusion Type and select Hash
In OS Type, select the operating system for the exclusion
Optional: In Description, enter a phrase to make it easy for you and other users to identify this exclusion and understand why it is needed
Click Add
3. File Exclusion
Go to Security Controls > Endpoint Security > SentinelOne Exclusions
Click the "+" button to add an exclusion
Choose the Exclusion Type and select File Type
In File Type, add one file type extension
Wildcards are supported. For example, use PPT for PowerPoint files. PP* will exclude PPT, PPTX, PPTM, PPSX, PPSM, PPS, PPAM, PPA files.
In OS Type, select the operating system for the exclusion
Optional: In Description, enter a phrase to make it easy for you and other users to identify this exclusion and understand why it is needed
Click Add
4. Certificate Signer Identity Exclusion
Go to Security Controls > Endpoint Security > SentinelOne Exclusions
Click the "+" button to add an exclusion
Choose the Exclusion Type and select Certificate
In a different window, go to the Issues page and open the relevant issue details
Copy the Signer Identity value from the issue details
Paste in the Signer Identity field in the exclusion
Wildcards are not supported
In OS Type, select the operating system for the exclusion.
Optional: In Description, enter a phrase to make it easy for you and other users to identify this exclusion and understand why it is needed
Click Add
5. Browser Exclusion
Go to Security Controls > Endpoint Security > SentinelOne Exclusions
Click the "+" button to add an exclusion
Choose the Exclusion Type and select Browser
In Browser, select an internet browser
In OS Type, select the operating system for the exclusion
Optional: In Description, enter a phrase to make it easy for you and other users to identify this exclusion and understand why it is needed
Click Add
What should NOT be excluded?
All exclusions should be used with caution, as they reduce visibility in your environment. While exclusions are generally not recommended, some may be needed to address false positives or interoperability issues.
The list below includes items you must not exclude in SentinelOne, as doing so increases security risk. This is not a complete list of all exclusions that are not recommended. If you need help with a false positive or interoperability issue, please open a Support ticket.
NOT Recommended Exclusions for Windows
Starting in Management version S-24.2.1: If the path for an exclusion is one of these system variables, it will show as Not Recommended and have a red exclamation point in the UI:
%systemroot%, %ProgramFiles(x86)%, %ProgramFiles%, %SystemDrive%, %Windir%, %ProgramW6432%
If the path for an exclusion starts with one of these system variables but has more specific folders in the path, it will not show as Not Recommended.
For example, %ProgramFiles%\foldername will not be marked as Not Recommended.
Signer identity exclusion for all Microsoft applications
Signer identity exclusion for all Adobe applications
Exclusions for a browser path
Drive letter:\
Drive letter:\*.*
Drive letter:\*\
Drive letter:\Windows\spool\
C:\*\Java\
C:\cygwin\
C:\cygwin64\
C:\Java\
C:\jboss-eap-6.4\
C:\Program Files (x86)\
C:\Program Files (x86)\Adobe\
C:\Program Files (x86)\Google\
C:\Program Files (x86)\Google\Chrome\
C:\Program Files (x86)\Internet Explorer\
C:\Program Files (x86)\Microsoft\Edge\
C:\Program Files (x86)\Java\
C:\Program Files (x86)\Java\jre version number\
C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2launcher.exe
C:\Program Files (x86)\Java\jre6\bin\
C:\Program Files (x86)\Microsoft Office\
C:\Program Files (x86)\Microsoft Office\Office version number\
C:\Program Files (x86)\Microsoft Office\root\Office16\
C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.exe
C:\Program Files(x86)\Java\
C:\Program Files\
C:\Program Files\Adobe\
C:\Program Files\Adobe\Acrobat Reader DC\
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\cygwin\
C:\Program Files\cygwin64\
C:\Program Files\Git\perl.exe
C:\Program Files\Git\usr\bin\perl.exe
C:\Program Files\Internet Explorer\
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\
C:\Program Files\Java\*\bin\javac.exe
C:\Program Files\Microsoft Office\Office16\
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
C:\Program Files\PowerShell\<version>\pwsh.exe
C:\Program Files\Tripwire\TE\Agent\jre\bin\java.exe
C:\Tomcat7\
C:\tomcat7_2\bin\tomcat7.exe
C:\tomcat7.0\
C:\tomcat7\bin\tomcat7.exe
C:\Users\*\Cygwin\Bin\
C:\Windows\
C:\Windows\*\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\explorer.exe\
C:\Windows\py.exe
C:\Windows\setup.exe
C:\Windows\system32\
C:\Windows\System32\smss.exe
C:\Windows\system32\conhost.exe
C:\windows\system32\consent.exe
C:\Windows\System32\cscript.exe
C:\Windows\system32\csrss.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\explorer.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\lsalso.exe
C:\WINDOWS\system32\lsass.exe
C:\Windows\System32\lsm.exe
C:\windows\system32\mmc.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\Ntoskrnl.exe
C:\Windows\System32\rundll32.exe
C:\windows\system32\services.exe
C:\Windows\System32\sihost.exe
C:\Windows\system32\smss.exe
C:\Windows\System32\snmp.exe
C:\Windows\System32\splwow64.exe
C:\Windows\System32\Spool\
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\sysvol\
C:\Windows\System32\taskeng.exe
C:\Windows\System32\taskhostex.exe
C:\Windows\System32\Taskmgr.exe
C:\Windows\system32\userinit.exe
C:\Windows\System32\vbscript.dll
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WBEM\
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\WindowsPowerShell\
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
C:\Windows\System32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
C:\Windows\SYSVOL\
C:\Windows\SysWOW64\
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\wbem\
C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
C:\Windows\Temp\
C:\Windows\winexesvc.exe
acrord32.exe
java.exe
javaC.exe
javaW.exe
JAVAWS.exe
LogonUI.exe
taskhostw.exe
vssadmin.exe
_mprosrv.exe
*.dll
*.exe
*.pdf
*\bin\java.exe
\adobe\
\Device\HarddiskVolume*\
\ProgramData\Kaseya\
\Program Files (x86)\Kaseya\
\Program Files\Kaseya\
\Windows\Temp\Kaseya\
*agent.exe
*agentmon.exe
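As an added example (not part of the original article and not SentinelOne or Guardz code), the following Python pre-check applies the Windows rules above to proposed path exclusions before they are entered: a bare system variable is flagged, a more specific folder under it is not, and drive-root forms and listed paths are flagged. LISTED holds only a subset of the list above, and ExampleVendor is a hypothetical vendor name.

```python
import re

# System variables the page says are flagged when used as the whole path.
BARE_VARS = {"%systemroot%", "%programfiles(x86)%", "%programfiles%",
             "%systemdrive%", "%windir%", "%programw6432%"}

# Subset of the page's Windows list, lower-cased, trailing "\" dropped.
LISTED = {
    r"c:\windows", r"c:\windows\system32", r"c:\windows\temp",
    r"c:\program files", r"c:\program files (x86)",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    "*.dll", "*.exe", "*.pdf", "java.exe",
}

# Drive-root forms from the list: "X:\", "X:\*.*" and "X:\*\".
DRIVE_ROOT = re.compile(r"^[a-z]:\\(\*\.\*|\*\\)?$")


def check_exclusion(path):
    """Return why a Windows exclusion is not recommended, or None."""
    p = path.strip().lower().replace("/", "\\")
    key = p.rstrip("\\")
    if key in BARE_VARS:
        return "bare system variable"
    if DRIVE_ROOT.match(p):
        return "drive root"
    if key in LISTED:
        return "on the not-recommended list"
    return None


def audit(paths):
    """Map each flagged path to its reason; acceptable paths are omitted."""
    findings = {}
    for path in paths:
        reason = check_exclusion(path)
        if reason:
            findings[path] = reason
    return findings


# Constructed sample of proposed exclusions (ExampleVendor is hypothetical).
PROPOSED = ["%ProgramFiles%", "%ProgramFiles%\\ExampleVendor", "D:\\*\\",
            "C:\\Windows\\Temp\\", "C:\\Program Files\\ExampleVendor\\Agent\\",
            "*.exe"]

if __name__ == "__main__":
    for path, reason in audit(PROPOSED).items():
        print(f"{path}: {reason}")
```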
NOT Recommended Exclusions for Linux
/bin/
/sbin/
/proc/
/run/
/sys/
/usr/bin/
/usr/sbin/
/usr/bin/pwsh
/usr/local/bin/pwsh
/var/
/var/log (If necessary, you can make an exclusion for the directory of a specific application in /var/log/.)
/tmp
/opt/sentinelone
*/python<version number>
*/ruby
*\*apache-maven*\
NOT Recommended Exclusions for macOS
/
**/
*?
*?/
/*?
/*?/
/**
/usr/local/bin/pwsh
