To maximize security, try to resolve interoperability or performance issues with the least severe option. Try the exclusion modes in the sequence shown. Use the Performance Focus options only if the Interoperability options do not resolve the issues.
Suppress Alerts (default Path exclusion): Do not display alerts or mitigate detections on the excluded processes.
If the root of a threat group is suppressed, events of the entire Storyline™ (including sub-processes) for the child processes are also suppressed and will not show alerts in the Console.
Usage example: Stop false positives from a specific file or process.
Caution: Make sure the detection that the exclusion is based on is a false positive. Legitimate threats in the path will not be mitigated.
Interoperability: Reduce the monitoring level on the excluded processes, in addition to suppressing alerts.
More Info: This exclusion stops the Agent from injecting the Agent DLL to processes in the path. This reduces Agent interaction with these processes. The Agent continues to monitor and use kernel events.
Usage example: To solve interoperability issues related to the Agent code injection into other applications.
Caution: This lowers protection as it reduces events that the Agent monitors. Endpoint events, previously known as Deep Visibility Events, and behavioral indicators that depend on in-process monitoring will not be collected
Interoperability - extended: Reduce the monitoring level on the excluded processes and their child-processes (Same as the Interoperability option but includes child-processes.)
Usage example: To solve interoperability issues related to the Agent code injection into other applications, when the Interoperability option did not resolve the issue.
Performance Focus: Disable monitoring of the excluded processes, in addition to suppressing alerts.
More info: It stops the Agent from injecting the Agent DLL to processes in the path and stops monitoring most kernel events. Agents do not use OS events that are generated by or for the excluded process.
Usage example: To solve issues where a specific application generates many events (such as file activity, registry, process, memory ) and causes a high CPU utilization on the endpoint, due to Agent event analysis.
Caution: This lowers protection significantly as the Agent does not monitor the excluded processes.
Deep Visibility™: Events, and behavioral indicators for the excluded processes will not be collected.
Performance Focus - extended: Disable monitoring of the excluded processes and their child-processes. (Same as the Performance Focus but includes child processes.)
Usage example: To solve issues where a specific application generates many events due to Agent event analysis, when the Performance Focus option did not resolve the issue.
Deep Visibility™: Events, and behavioral indicators for the excluded processes will not be collected.
Agent Support for Exclusions
Exclusions Mode | Windows 2.8 + and macOS 4.1 - 4.3 | macOS 4.6 + | Linux (all) |
Suppress Alerts | Yes | Yes | Yes |
Suppress Alerts - Static AI engine | Yes | Yes | Yes |
Suppress Alerts- Dynamic AI engine | Yes | Yes | Yes |
Suppress Alerts - Application Control | No | No | Yes (from 22.2.) |
Interoperability | Yes | No | No |
Interoperability - extended | Yes | No | No |
Performance Focus | Yes | Yes | Yes (from 4.0) |
Performance Focus - extended | Yes | Yes | Yes (from 4.0)* |