By excluding specific programs, web addresses, or file locations, you can improve Malwarebytes performance in your environment. For example, multiple security programs can interfere with each other and cause systems to slow down. You may also require exclusions if a trusted application or data file is flagged as a false positive. Excluded items are not scanned or checked by real-time protection. This article provides an overview of how exclusions work in OneView.
Excluding items in OneView prevents them from being scanned or checked by real-time protection. On the left navigation menu, go to Configure > Exclusions to access exclusions.
The Exclusions page shows a list of your existing exclusions, details of each, and a drop-down menu to edit or delete the exclusion. In the upper-right, click Search exclusions to display a search bar.
There is an additional option in the upper right of the screen that allows you to Exclude GPO PUMs for new and existing sites. For more information, see Group Policy registry keys detected as PUMs in OneView
Exclusions
You may choose to apply exclusions to all endpoints globally, a single site, or one or more policies. If applying to specific policies or sites, only the assigned endpoints use this exclusion. When creating or editing an exclusion, simply select the endpoints you want the exclusion to apply to.
The Apply to column indicates which exclusion is applied to Global (all endpoints), Sites, or a Policy. The Apply to specific column displays the site name and number of policies, or displays All when all endpoints or policies are applied. If the exclusion applies to multiple policies, click on the number to display policies applied with the exclusion.
Exclusion Types
You can add several types of exclusions to meet your needs. When you add an exclusion, it is applied to appropriate protection layers based on the Exclusion Type. Not all exclusion types can be applied to all layers. See the Support Protection Layers column in the tables below for more details.
Some exclusions support wildcards, as listed here:
- Asterisk (*) - Matches any number of any characters.
- Double Asterix (**) - Matches multiple sub-folders.
- Question mark (?) - Matches any single character.
TIP - Add each exclusion as a separate entry.
These tables provide examples for each exclusion type:
Windows
| Exclusion Type | Supported Protection Layers | Example(s) |
|---|---|---|
| Command Line | Suspicious Activity |
test.exe /switch |
|
Command Line with Wildcard |
Suspicious Activity |
test?.bat |
| File by Path |
Malware Protection Ransomware Protection Suspicious Activity |
C:\Windows\Foo\Bar.exe |
| Folder by Path |
Malware Protection Ransomware Protection Suspicious Activity |
C:\Windows\temp\ |
| File/Folder with Wildcard |
Malware Protection Suspicious Activity |
When using wildcards with folder names, a single asterisk (*) denotes any single folder, while a double asterisk (**) denotes any number of folders. |
| File Extension | Malware Protection | doc |
| MD5 Hash |
Exploit Protection Suspicious Activity |
e4d909c290d0fb1ca068ffaddf22cbd0 9e107d9d372bb6826bd81d3542a419d6 |
| Registry Key |
Malware Protection Suspicious Activity |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foobar Note: You must use the shorthand version of the HKey entries. |
| Registry Key with Wildcard† | Malware Protection |
HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\Associations|* Note: You must use the shorthand version of the HKey entries. |
| Web Monitoring | Website Protection | C:\Windows\Zoom\Zoom.exe |
| Website |
Website Protection Suspicious Activity |
www.malwarebytes.com |
| IP Address |
Website Protection Suspicious Activity Brute Force Protection |
234.213.143.154 |
† To exclude a group of registry values using wildcards, use the format <PATH><KEY>|<VALUE>*.
Mac
| Exclusion Type | Supported Protection Layers | Example(s) |
|---|---|---|
| File by Path |
Malware Protection Suspicious Activity |
/path/to/exclude |
| Folder by Path |
Malware Protection Suspicious Activity |
Using a tilde (~) indicates a path relative to the user's home directory. ~/Library/Application Support |
| File/Folder with Wildcard |
Malware Protection Suspicious Activity |
Using a single asterisk (*) wildcard denotes a single folder. ~/Library/* |
| MD5 Hash | Suspicious Activity | e4d909c290d0fb1ca068ffaddf22cbd0 9e107d9d372bb6826bd81d3542a419d6 |
Linux
| Exclusion Type | Supported Protection Layers | Example(s) |
|---|---|---|
| File by Path |
Malware Protection Suspicious Activity |
/usr/bin/apt-get |
| Folder by Path |
Malware Protection Suspicious Activity |
/usr/share/mblinux/ |
| File/Folder with Wildcard |
Malware Protection Suspicious Activity |
/usr/bin/apt* |
| MD5 Hash | Suspicious Activity | e4d909c290d0fb1ca068ffaddf22cbd0 9e107d9d372bb6826bd81d3542a419d6 |
Protection layers
When you add an exclusion, it is applied to appropriate protection layers based on the Exclusion Type. Not all exclusion types can be applied to all layers.
Use the Exclusion Applied To section to customize which layers the exclusion applies to. You may change which layers an exclusion applies to at any time.
- Exploit Protection: Behavior-based detection of vulnerabilities in common programs and the operating system. Only available for Windows endpoints.
- Malware Protection: Real-Time Protection using both signature and machine learning-based detections of malicious files.
- Ransomware Protection: Behavior-based detection of ransomware attacks. Only available for Windows Endpoints.
- Website Protection: Protection from malicious network traffic, including websites or direct connections. Only available for Windows Endpoints.
- Suspicious Activity: Protection from anomalous files and rollback of ransomware. Only available for endpoints using Endpoint Detection and Response.
- Brute Force Protection: Protects Windows endpoints from suspicious connections via remote devices.
Return to the OneView User Guide.