1. Path Exclusion
Use default Path exclusions to suppress false positive alerts. When you exclude files or folders with default path exclusions, Agents monitor the files and processes but do not show alerts in the Console and do not mitigate detections. This also applies to detections in threat groups whose root process is in the excluded path or file.
When you create an exclusion from a detection and select File path, this is the type of exclusion created.
By default, Suppress Alert exclusions apply to alerts from all engines. You can set the Agent to suppress alerts from specified engines only:
Static AI - Suppress alerts from the Deep File Inspection engine.
Dynamic AI - Suppress alerts raised by Behavioral AI engines.
All engines (default) - Suppress all alerts.
Caution: Make sure the detection that the exclusion is based on is a false positive. Legitimate threats in the path will not be mitigated.
Interoperability and Performance Focus Exclusions
Interoperability or Performance Focus path exclusions are sometimes necessary to resolve issues with specific files or processes. With these exclusions, Agents reduce monitoring and mitigation of the excluded items.
Interoperability or Performance Focus exclusions have more risk than Suppress Alerts exclusions because all activities that start from or use the excluded item are not fully visible to SentinelOne Agents. This can affect mitigation if an excluded item is part of a malicious execution.
For Interoperability and Performance Focus exclusions on Windows: To guarantee the exclusion is applied, restart the process or reboot the endpoint. For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion.
2. Hash Exclusion
Exclude a file based on its SHA-1 hash and/or its SHA-256 hash.
With this exclusion type Agents suppress (do not create) alerts and do not mitigate detections. Agents monitor the files and processes.
SHA-256 support
SHA-256 hash signatures are supported by default from version S-25.1.1.
SHA-256 hash enforcement is supported on Windows and Linux Agents 24.2 and later, and macOS Agents 24.3 and later.
3. File Exclusion
You can exclude files of a given type from automatic mitigation.
With this exclusion type Agents do not create alerts and do not mitigate detections. Agents monitor the files and processes.
This exclusion type is supported for Windows Agents.
4. Certificate Exclusion
You can exclude files and software that are signed by a trusted source, with a certificate that is verified by the endpoint OS.
Agents monitor events associated with the certificate signer but do not create alerts and do not mitigate the signed items.
The Agent compares the certificate publisher name to the exclusion if the certificate is verified, where verified means the certificate chains to a trusted root in the endpoint's system Certificate Store.
For example, if you have an in-house application that you want to exclude, you can create a digital signature for it, and then make an exclusion for that Certificate Signer ID.
This exclusion type is supported for Windows and macOS Agents.
Windows - The certificate exclusion suppresses alerts. Agents monitor events associated with the certificate signer but do not create alerts and do not mitigate the signed items.
macOS - The certificate exclusion is a performance focus exclusion. It disables monitoring of the excluded processes, in addition to suppressing alerts.
Please note:
Be careful! If you create incorrect exclusions, you can open your environment to malware.
Do NOT create Signer Identity exclusions for all Microsoft or Adobe applications. This will significantly decrease your organization's security.
If you are getting false alerts for a specific application, contact Technical Support to find a narrower exclusion to resolve the issue.
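Before creating a Hash or Certificate exclusion, it helps to gather the exact values the exclusion will be matched against and to confirm that the signature actually verifies on the endpoint, since the Agent only compares the publisher name when the certificate chains to a trusted root. The following PowerShell function is an added example, not SentinelOne code; the file path in the usage line is a constructed placeholder.

```powershell
# Added example (not SentinelOne code): collect the SHA-1/SHA-256 values a hash
# exclusion uses, and check whether a certificate exclusion would even apply.
function Get-ExclusionCandidateInfo {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Hash exclusions accept SHA-1 and/or SHA-256 of the file.
    $sha1   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()

    # Authenticode status 'Valid' means the chain builds to a trusted root in the
    # system Certificate Store; anything else (NotSigned, NotTrusted, HashMismatch,
    # UnknownError) means a certificate exclusion would not be applied by the Agent.
    $sig      = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $verified = ($sig.Status -eq 'Valid')

    $publisher = $null
    if ($sig.SignerCertificate) {
        # The certificate Subject carries the publisher name the exclusion compares.
        $publisher = $sig.SignerCertificate.Subject
    }

    [pscustomobject]@{
        File                       = $file.FullName
        SHA1                       = $sha1
        SHA256                     = $sha256
        SignatureStatus            = $sig.Status
        CertificateVerified        = $verified
        Publisher                  = $publisher
        # Only a verified certificate with a publisher name is usable for a
        # certificate exclusion; otherwise use a hash or path exclusion instead.
        CertificateExclusionUsable = ($verified -and ($null -ne $publisher))
        # Flag the broad signers the guidance above says not to exclude wholesale.
        BroadSignerWarning         = ($null -ne $publisher -and $publisher -match 'Microsoft|Adobe')
    }
}

# Usage: inspect the executable behind a suspected false positive (constructed path).
Get-ExclusionCandidateInfo -Path 'C:\Program Files\ExampleVendor\example.exe' | Format-List
```

If CertificateVerified is false, the file's signer is not trusted on that endpoint, so a Certificate exclusion would not suppress anything for it and a Hash exclusion on the reported SHA values is the narrower alternative.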
5. Browser Exclusion
Threats that come from a browser show as Exploit attempts in the Management Console. If an end user browses to a site that hosts web exploits, which can introduce malware into your environment, the Agent detects a web exploit. It mitigates the browser session based on the policy and shows the threat in the system tray and Management Console.
With this exclusion type Agents do not create alerts and do not mitigate detections. Agents monitor the files and processes.
In rare cases, to keep the browser usable, you can exclude the browser from active scanning.
This is supported for Windows Agents.
Caution: This can leave your system vulnerable to web exploits.
How to configure an exclusion via SentinelOne Console - An Example
The instructions below demonstrate how to manually create a path exclusion using the console:
At the top left of the Console, click the arrow to open the Scopes panel and select a scope.
In the Sentinels toolbar, click Exclusions.
Click New Exclusion and select Create Exclusion.
The New Exclusion window opens.
In Exclusion Type, select Path.
In OS, select the operating system for the exclusion.
In Path, enter the full path to the folder.
Note: See all rules for creating path exclusions in Best Practices for Exclusions.
After you enter a path, you see As File or As Folder next to the path.
As File - Only the single file is excluded (default).
As Folder - The whole folder at the path is excluded.
Click Change to switch between them.
If you select As Folder, you can select Include Subfolders. This adds all the subfolders to the exclusion.
If Binary Vault is available in the scope of the exclusion, the Exclusion Function options show. Make sure that Exclude path for alerts and mitigation is selected.
Optional: You can also select Exclude path for Binary Vault to not upload files in the path to Binary Vault.
Select the Exclusion Mode:
Optional: Click More Options. For most exclusions, keep Suppress Alerts selected. To resolve interoperability issues, you will usually require a different option.
Optional: Click All engines to set the Agent to suppress alerts from specified engines only.
If Linux is the OS, you can choose to suppress alerts only from the Application Control engine. This is supported with Linux Agents version 22.2+.
Optional: In Description, explain the reason for the exclusion.
Click Save.
For Interoperability and Performance Focus exclusions on Windows: To guarantee the exclusion is applied, restart the process or reboot the endpoint. For processes that cannot be restarted, such as System processes or Anti-virus processes, you must reboot endpoints to apply or remove an exclusion. For processes that can be restarted, such as a browser, you can restart the process to apply or remove an exclusion. Best Practice: We recommend that you restart all affected endpoints to apply or remove an Interoperability or Performance Focus exclusion.
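After saving an Interoperability or Performance Focus path exclusion on Windows, the processes already running from that path must be restarted (or the endpoint rebooted) before it takes effect. The PowerShell below is an added example, not SentinelOne code: it models the As File, As Folder and Include Subfolders matching described in the steps above and lists the running processes whose image falls inside the exclusion; the exclusion path in the usage line is a constructed placeholder.

```powershell
# Added example (not SentinelOne code): which running processes sit inside a
# path exclusion, following the As File / As Folder / Include Subfolders rules.
function Test-PathExcluded {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$ExclusionPath,
        [ValidateSet('AsFile', 'AsFolder')][string]$Mode = 'AsFile',
        [switch]$IncludeSubfolders
    )
    $image = $ImagePath.TrimEnd('\')
    $excl  = $ExclusionPath.TrimEnd('\')

    if ($Mode -eq 'AsFile') {
        # As File (default): only this single file is excluded.
        return ($image -ieq $excl)
    }

    $parent = Split-Path -Path $image -Parent
    if ($IncludeSubfolders) {
        # As Folder + Include Subfolders: the folder and everything below it.
        return (($parent -ieq $excl) -or
                $parent.StartsWith($excl + '\', [StringComparison]::OrdinalIgnoreCase))
    }
    # As Folder without Include Subfolders: files directly in the folder only.
    return ($parent -ieq $excl)
}

function Get-ProcessesInExclusion {
    param(
        [Parameter(Mandatory)][string]$ExclusionPath,
        [ValidateSet('AsFile', 'AsFolder')][string]$Mode = 'AsFile',
        [switch]$IncludeSubfolders
    )
    # Path is empty for processes the current session cannot query (protected
    # system processes); those cannot be restarted and need a reboot anyway.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        Test-PathExcluded -ImagePath $_.Path -ExclusionPath $ExclusionPath `
                          -Mode $Mode -IncludeSubfolders:$IncludeSubfolders
    } | Select-Object Id, ProcessName, Path
}

# Usage: an exclusion saved As Folder with Include Subfolders (constructed path).
Get-ProcessesInExclusion -ExclusionPath 'C:\Program Files\ExampleVendor' -Mode AsFolder -IncludeSubfolders
```

Anything listed should be restarted; an empty list does not mean the exclusion is active for system processes that report no Path, which still require a reboot.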