Malwarebytes Remediation for CrowdStrike allows you to exclude legitimate files, services, and known false positives. The fastest method to identify false positives is to run a diagnostic scan on a secure endpoint without removing any detections. Optionally, export your exclusions from CrowdStrike Falcon, and then convert them to JSON format usable by Malwarebytes Remediation for CrowdStrike.
Exclude List
Malwarebytes Remediation for CrowdStrike offers the following methods to exclude items from being scanned:
- Exclude List: This method allows you to exclude by File Extensions, File Names, Folder Paths, Registry Keys, Registry Values, and Vendor Names, which Malwarebytes uses to identify threats.
  - Items requiring exclusion may be enclosed in one or more JSON files.
  - The JSON files can be specified as either local file paths or web URLs.
  - For wildcards, use current Windows operating system standards:
    - Wildcards can be used for file and folder paths.
    - Wildcards can be used within registry keys for additional flexibility.
  - We recommend verifying the format of your JSON exclusion file(s). To verify, see .
Exclusion example:
{
  "exclusions" : [
    { "type" : "extension", "path" : "dll" },
    { "type" : "file", "path" : "c:\\myprog\\test.exe" },
    { "type" : "folder", "path" : "c:\\myprog\\abc" },
    { "type" : "regkey", "path" : "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\1394843d" },
    { "type" : "regval", "path" : "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN|DESKBAR" },
    { "type" : "wildcard", "path" : "**myprog*" },
    { "type" : "vendor", "path" : "Trojan.MBAMTest" },
    { "type" : "hash", "path" : "3BAA69B0C31CA2CCFB30D75A83B060AA" }
  ],
  "schemaVersion" : 1
}
Create Custom rules
Malwarebytes Remediation for CrowdStrike can be configured to target threats that may otherwise be undetected. Using custom rules formatted in JSON you can instruct Remediation for CrowdStrike to search for Indicators of Compromise (IOC).
For information on Indicators of Compromise, see:
While IOC Editor allows you to create a range of rules for identifying malware, there are five (5) specific rule types that apply to Remediation for CrowdStrike. Provided below is an example for each rule type showing its format and the scans in which it is applied.
Custom Hash rule
The Custom Hash rule identifies a threat using a file's MD5 hash value.
Rule example:
{
"condition" : "is",
"md5" : "3BAA69B0C31CA2CCFB30D75A83B060AA",
"name" : "TestThreat.CustomHashRule",
"type" : "hash"
}
- Criteria: Condition value = “is”
- When Used: Full scan, Hyper scan, Threat scan, Path scan
Custom File rule
The Custom File rule identifies a threat using its file name.
Rule example:
{
"condition" : "is",
"fileName" : "ThreatFile.exe",
"name" : "TestThreat.CustomFileRule.Is",
"type" : "file"
}
{
"condition" : "contains",
"fileName" : "ThreatFile",
"name" : "TestThreat.CustomFileRule.Contains",
"type" : "file"
}
- Criteria: Condition value = “is” or “contains”. When the “is” condition is used, the filename does not include the directory path. The filename is case-insensitive.
- When Used: Full scan, Hyper scan, Threat scan, Path scan
Custom Folder rule
The Custom Folder rule identifies a threat using the folder path.
Rule example:
{
"condition" : "is",
"folderPath" : "C:\\abc\\ThreatFolder",
"name" : "TestThreat.CustomFolderRule.Is",
"type" : "folder"
}
{
"condition" : "contains",
"folderPath" : "ThreatFolder",
"name" : "TestThreat.CustomFolderRule.Contains",
"type" : "folder"
}
- Criteria: Condition value = “is” or “contains”. When the “is” condition is used, the folder path is the absolute path of the folder. The folder path is case-insensitive.
- When Used: Full scan, Hyper scan, Threat scan, Path scan
Custom Registry Key rule
The Custom Registry Key rule identifies a threat using a specific registry key.
Rule example:
{
"condition" : "is",
"keyPath" : "HKLM\\abc\\ThreatRegKey",
"name" : "TestThreat.CustomRegKeyRule",
"type" : "regkey"
}
- Criteria: Condition value = “is”. The registry key is case-insensitive.
- When Used: Full scan, Threat scan
Custom Registry Value rule
The Custom Registry Value rule identifies a threat using a specific registry value. It requires three indicator items: the key path, the value name, and the value data.
Rule example:
{
"condition" : "is",
"keyPath" : "HKLM\\abc\\ThreatRegKey",
"name" : "TestThreat.CustomRegValueRule",
"type" : "regvalue",
"valueData" : "sampledata",
"valueName" : "name1"
}
- Criteria: Condition value = “is”. All indicator values are case-insensitive.
- When Used: Full scan, Threat scan
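The article recommends verifying the format of exclusion files before deploying them. As an added example (not part of this article or of the Malwarebytes product), the following Python checks an exclusion JSON document and individual custom IOC rules against the formats shown above; the type names, field names and conditions are taken from this article, and the 32-hex MD5 check is an assumption based on the sample hash values.

```python
import json
import re

# Exclusion entry types shown in the article's Exclude List example.
EXCLUSION_TYPES = {"extension", "file", "folder", "regkey", "regval",
                   "wildcard", "vendor", "hash"}

# Custom IOC rule type -> (identifying fields, allowed conditions), from the article.
RULE_SPECS = {
    "hash": ({"md5"}, {"is"}),
    "file": ({"fileName"}, {"is", "contains"}),
    "folder": ({"folderPath"}, {"is", "contains"}),
    "regkey": ({"keyPath"}, {"is"}),
    "regvalue": ({"keyPath", "valueName", "valueData"}, {"is"}),
}


def validate_exclusions(text: str) -> list[str]:
    """Return the problems found in one exclusion JSON document ([] if clean)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []
    if doc.get("schemaVersion") != 1:
        problems.append("schemaVersion must be 1")
    for i, entry in enumerate(doc.get("exclusions", [])):
        kind, path = entry.get("type"), entry.get("path")
        if kind not in EXCLUSION_TYPES:
            problems.append(f"exclusions[{i}]: unknown type {kind!r}")
        if not isinstance(path, str) or not path:
            problems.append(f"exclusions[{i}]: missing or empty path")
        elif kind == "regval" and "|" not in path:  # article uses KEY|VALUENAME
            problems.append(f"exclusions[{i}]: regval path needs KEY|VALUE")
        elif kind == "hash" and not re.fullmatch(r"[0-9a-fA-F]{32}", path):
            problems.append(f"exclusions[{i}]: hash is not a 32-hex MD5")  # assumption
    return problems


def validate_rule(rule: dict) -> list[str]:
    """Return the problems found in one custom IOC rule object ([] if clean)."""
    spec = RULE_SPECS.get(rule.get("type"))
    if spec is None:
        return [f"unknown rule type {rule.get('type')!r}"]
    fields, conditions = spec
    problems = [f"missing {f}" for f in sorted(fields) if not rule.get(f)]
    if rule.get("condition") not in conditions:
        problems.append(f"condition must be one of {sorted(conditions)}")
    if not rule.get("name"):
        problems.append("missing name")
    return problems
```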
GPO and Trend Micro custom exclusions
Malwarebytes Remediation for CrowdStrike can exclude GPO and anti-virus solutions from being scanned. See the attachments at the bottom of the article for the most common exclusions for GPO and Trend Micro.
Return to the Malwarebytes Remediation for CrowdStrike integration guide.