Overview of exclusions in Malwarebytes Cloud Platform

Document created by bgoddard Employee on Oct 30, 2019Last modified by bgoddard Employee on Nov 13, 2019
Version 9Show Document
  • View in full screen mode

By excluding specific programs, web addresses, or file locations, you can improve Malwarebytes performance in your environment. For example, multiple security programs can interfere with each other and cause systems to slow down. You may also require exclusions if a trusted application or data file is flagged as a false positive. This article provides an overview of how exclusions work in Malwarebytes Cloud Platform.

 

Creating exclusions in Malwarebytes Cloud Platform helps provide you with the best performance. To access Exclusions, go to Settings > Exclusions.

 

 

The Exclusions screen contains a list of all exclusions across your endpoints and policies. Each exclusion has a switch next to it, and can be disabled if you need to temporarily allow an item that was excluded.

 

There is an additional toggle in the upper right of the screen that allows you to Exclude GPO PUMs. For more information on GPO PUMs, see Group Policy registry keys detected as PUMs in Endpoint Protection.

 

Policy Level Exclusions

You may choose to create exclusions globally or at a policy level. Policy level exclusions apply only to the policies chosen in the exclusion. When creating or editing an exclusion, simply select the policies you want the exclusion to apply to.

 

Use the drop-down menus at the top of the Exclusions screen to limit the number of exclusions displayed. You may filter exclusions by the following:

  • Display: Limits the number of on-screen results
  • Exclusion Type: Limits types of exclusions to a single type
  • Policies Included: Select which policies are affected by the exclusions you are searching for.

 

In the Policy Included column, mouse over the list icon to quickly show the policies affected by that exclusion. Click any of the displayed policies to jump to the Settings for that policy.

 

Exclusion Types

You can add several types of exclusions to meet your needs. Some exclusions support wildcards, as listed here:

  • Asterisk (*) - Matches any number of any character.
  • Question mark (?) - Matches any single character.

 

This table provides examples for each exclusion type:

Exclusion TypeProtection LayersExample(s)
File by PathMalware Protection
Ransomware Protection
C:\Windows\Foo\Bar.exe
Folder by PathMalware Protection
Ransomware Protection
C:\Windows\temp\
File/Folder with Wildcard†Malware Protection
Ransomware Protection

When using wildcards with folder names, a single asterisk (*) denotes any single folder, while a double asterisk (**) denotes any number of folders.

 

C:\Users\*\Documents\*
C:\Users\*\Desktop\test*.exe
C:\temp\test?.exe
C:\temp\*.exe

C:\Development*\**\Alterhostsfile.exe

File ExtensionMalware Protectiondoc
pdf
MD5 HashAnti-Exploite4d909c290d0fb1ca068ffaddf22cbd0
9e107d9d372bb6826bd81d3542a419d6
Registry KeyMalware ProtectionHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foobar
Registry Key with WildcardMalware ProtectionHKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\Associations|*
Web MonitoringWebsite ProtectionC:\Windows\Zoom\Zoom.exe
Website/IP AddressWebsite Protectionwww.malwarebytes.com
234.213.143.154
2001:4860:4860::8888

 

† Ransomware Protection exclusions do not support wildcards.
†† To exclude a group of registry values using wildcards, use the format <PATH><KEY>|<VALUE>*.

 

Protection layers

When you add an exclusion, it is applied to appropriate protection layers based on the Exclusion Type. Not all exclusion types can be applied to all layers.

 

Use the Exclusion Applied To section to customize which layers the exclusion applies to. You may change which layers an exclusion applies to at any time.

  • Exploit Protection: Behavior-based detection of vulnerabilities in common programs and the operating system. Only available for Windows endpoints.
  • Malware Protection: Real-Time Protection using both signature and machine learning-based detections of malicious files.
  • Ransomware Protection: Behavior-based detection of ransomware attacks. Only available for Windows Endpoints.
  • Website Protection: Protection from malicious network traffic, including websites or direct connections. Only available for Windows Endpoints.
  • Suspicious Activity: Protection from anomalous files and rollback of ransomware. Only available for Windows Endpoints using Endpoint Protection and Response.

 

See also

 

 

Return to the Malwarebytes Cloud Platform Administrator Guide 

Attachments

    Outcomes