Malwarebytes Breach Remediation Windows exclusion list tips

Document created by djacobson (Employee) on Dec 10, 2018. Last modified by jyamada on Jan 23, 2019.

Malwarebytes Breach Remediation can exclude folders, files, wildcard paths, file extensions, registry keys, registry values, and vendor names (the name Malwarebytes uses to identify a threat, for example PUM.Optional.DisableTaskMgr) from a scan. Exclusions are written in one or more XML files.


The example in the Breach Remediation Windows Administrator Guide lists every Type entry inside one large Exclusion tag for the sake of brevity. That shorthand can be misleading: each entry must have its own Exclusion, Type, and Path tags, even when the Type repeats. The examples below use the full form and can be copied and pasted directly into the exclusion XML file.


Example from the Malwarebytes Breach Remediation Windows Administrator Guide, including all open and close tags:

<?xml version="1.0" encoding="UTF-8" ?>
<ScanExclusions>
   <Exclusions>
      <Exclusion>
         <Type>folder</Type>
         <Path>c:\virus\a</Path>
      </Exclusion>
      <Exclusion>
         <Type>wildcard</Type>
         <Path>c:\virus\*trojan*</Path>
      </Exclusion>
      <Exclusion>
         <Type>file</Type>
         <Path>c:\virus\test.exe</Path>
      </Exclusion>
      <Exclusion>
         <Type>regkey</Type>
         <Path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1394843d</Path>
      </Exclusion>
      <Exclusion>
         <Type>regval</Type>
         <Path>HKCU\SOFTWARE\MICROSOFT\WINDOWS\*\RUN|DESKBAR</Path>
      </Exclusion>
      <Exclusion>
         <Type>vendor</Type>
         <Path>MBAM.Test.Trojan</Path>
      </Exclusion>
      <Exclusion>
         <Type>ext</Type>
         <Path>mp3</Path>
      </Exclusion>
   </Exclusions>
</ScanExclusions>
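A small builder and validator for this file format, added here as an example; it is not part of the article and not Malwarebytes' own tooling. It assumes the seven Type values from the Administrator Guide example, that Type is written in lowercase, and that a regval Path uses | between the key and the value name; the sample inputs are constructed from entries on this page. The validator catches the shorthand form (several Type/Path pairs inside one Exclusion) that causes the confusion described above.

```python
"""Build and validate a Breach Remediation ScanExclusions XML file.

Added example for this article; it is not Malwarebytes code. It encodes the
structure the article describes: <ScanExclusions> / <Exclusions> holding one
<Exclusion> per entry, each with exactly one <Type> and one <Path>. The seven
Type values are the ones in the Administrator Guide example. Treating Type as
case-sensitive lowercase and requiring a '|' between key and value name in a
regval Path are assumptions drawn from the examples on the page, not from the
product documentation.
"""
import xml.etree.ElementTree as ET

ALLOWED_TYPES = {"folder", "wildcard", "file", "regkey", "regval", "vendor", "ext"}


def build_exclusions(entries):
    """Return exclusion XML text with its own <Exclusion> block per (type, path) pair."""
    root = ET.Element("ScanExclusions")
    container = ET.SubElement(root, "Exclusions")
    for etype, path in entries:
        if etype not in ALLOWED_TYPES:
            raise ValueError("unknown exclusion Type: %r" % etype)
        exclusion = ET.SubElement(container, "Exclusion")
        ET.SubElement(exclusion, "Type").text = etype
        ET.SubElement(exclusion, "Path").text = path
    if hasattr(ET, "indent"):  # Python 3.9+; the output is valid either way
        ET.indent(root, space="   ")
    return '<?xml version="1.0" encoding="UTF-8" ?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def validate_exclusions(xml_text):
    """Return a list of problems found in an exclusion file; an empty list means it is well formed."""
    problems = []
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as err:
        return ["not well-formed XML: %s" % err]
    if root.tag != "ScanExclusions":
        return ["root element must be <ScanExclusions>, found <%s>" % root.tag]
    container = root.find("Exclusions")
    if container is None:
        return ["missing <Exclusions> container"]
    entries = container.findall("Exclusion")
    if not entries:
        problems.append("no <Exclusion> entries")
    for n, entry in enumerate(entries, 1):
        types = entry.findall("Type")
        paths = entry.findall("Path")
        if len(types) != 1 or len(paths) != 1:
            # The mistake the article warns about: several Type/Path pairs in one Exclusion.
            problems.append(
                "entry %d: each <Exclusion> needs exactly one <Type> and one <Path> "
                "(found %d Type, %d Path)" % (n, len(types), len(paths)))
            continue
        etype = (types[0].text or "").strip()
        path = (paths[0].text or "").strip()
        if etype not in ALLOWED_TYPES:
            problems.append("entry %d: unknown Type %r" % (n, etype))
        if not path:
            problems.append("entry %d: empty Path" % n)
        elif etype == "regval" and "|" not in path:
            # Assumption: regval paths are written KEY|VALUENAME, as in the page's examples.
            problems.append("entry %d: regval Path should be KEY|VALUENAME" % n)
    return problems


# Constructed sample: the shorthand form that does NOT work, several pairs in one Exclusion.
SHORTHAND_WRONG = """<?xml version="1.0" encoding="UTF-8" ?>
<ScanExclusions>
   <Exclusions>
      <Exclusion>
         <Type>vendor</Type>
         <Path>PUM.Optional.DisableTaskMgr</Path>
         <Type>vendor</Type>
         <Path>PUM.Optional.DisableCMD</Path>
      </Exclusion>
   </Exclusions>
</ScanExclusions>
"""

# Constructed sample: two of the Group Policy values from this article, one excluded by
# registry value and one by vendor name.
GPO_ENTRIES = [
    ("regval", r"HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr"),
    ("vendor", "PUM.Optional.DisableCMD"),
]

if __name__ == "__main__":
    print(build_exclusions(GPO_ENTRIES))
    print("shorthand form:", validate_exclusions(SHORTHAND_WRONG))
    print("generated file:", validate_exclusions(build_exclusions(GPO_ENTRIES)))
```

Run the validator over any exclusion file before deploying it; a file that passes has one Type and one Path per Exclusion, which is the form the examples on this page use.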

Excluding Group Policy settings by registry value (Type regval). The * in HKU\* is a wildcard that matches the same value under every user hive loaded in HKEY_USERS. Note that these are the same Explorer and System policy values that malware sets to lock users out of Task Manager, the Registry Editor and the command prompt, which is why Breach Remediation reports them as PUM.Optional.* detections; exclude only the values your own Group Policy sets deliberately, and be able to name the GPO setting behind each one.

<?xml version="1.0" encoding="UTF-8" ?>
<ScanExclusions>
     <Exclusions>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoViewContextMenu</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoToolbarCustomize</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoPropertiesMyComputer</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceActiveDesktopOn</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispBackgroundPage</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispAppearancePage</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|ConnectionsTab</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD</Path>
          </Exclusion>
          <Exclusion>         
               <Type>regval</Type>
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFolderOptions</Path>
          </Exclusion>
          <Exclusion>
               <Type>regval</Type>    
               <Path>HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr</Path>
          </Exclusion>
     </Exclusions>
</ScanExclusions>

Excluding the same Group Policy settings by detection name (Type vendor). A vendor exclusion matches the detection by its name rather than by a specific registry path, so it applies wherever Breach Remediation would otherwise report that PUM.Optional.* detection.

<?xml version="1.0" encoding="UTF-8" ?>
<ScanExclusions>
     <Exclusions>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoStartMenuMorePrograms</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoSetFolders</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoFind</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoSMHelp</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoRun</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoViewContextMenu</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoToolbarCustomize</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoPropertiesMyComputer</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoDrives</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.ForceActiveDesktopOn</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.DisableRegistryTools</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoDispCPL</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoDispBackgroundPage</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoDispAppearancePage</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoDispScrSavPage</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.ConnectionsTab</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.HomePage</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.DisableCMD</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.NoFolderOptions</Path>
          </Exclusion>
          <Exclusion>
               <Type>vendor</Type>
               <Path>PUM.Optional.DisableTaskMgr</Path>
          </Exclusion>
     </Exclusions>
</ScanExclusions>
