topic Re: Process Exclusion vs Path Exclusion — What is the correct choice in Endpoint Security

Process Exclusion vs Path Exclusion — What is the correct choice

chickenriceandbeans — Wed, 19 Nov 2025 12:55:33 GMT

Hi,

I’m dealing with a recurring false-positive event related to one of our internal service executables, and I’d like to clarify which exclusion type is considered best practice according to Cisco Secure Endpoint’s engine behavior.

We have an internal agent called AgentWorker.exe, located here:

C:\Program Files\CompanyAgent\Service\AgentWorker.exe

This executable periodically launches PowerShell in non-interactive mode with encoded command parameters.
This behavior is fully legitimate and part of the expected workflow.

In Secure Endpoint, the event shows details similar to:

Parent Process: AgentWorker.exe
Child Process: powershell.exe
Event Type: Process start / file scan
No threat name is involved (so it’s not a malware-based detection)

Process Start powershell.exe by SYSTEM
Arguments = C:\Windows\System32\MsiExec.exe -Embedding 19999999999874 E Global\MSI9999

We do not want to exclude PowerShell globally.
We also do not want to remove AgentWorker.exe entirely from MAP, BP, SPP, or File Scan engines.
The goal is only to prevent this single executable from being incorrectly scanned or blocked.

So I’d like to clarify the following:

1. In this scenario, what is the most appropriate exclusion type according to Cisco’s recommendations?

Should I use a:

a) Path Exclusion for:

C:\Program Files\CompanyAgent\Service\AgentWorker.exe

b) Process Exclusion, even though this would bypass multiple engines for the entire process?

2. Have there been any recent changes to the behavior of Path or Process exclusions?

I have reviewed Document ID 215418 – Configure and Manage Exclusions, but it’s still unclear how to handle this type of “file start + PowerShell child process” scenario in the most secure and correct way.

Any guidance from Cisco engineers or other users with similar setups would be highly appreciated.

Thanks!

Re: Process Exclusion vs Path Exclusion — What is the correct choice

Ken Stieers — Wed, 19 Nov 2025 14:37:31 GMT

What kind of detection is it? For some of the engines, you have to open a TAC case. Exploit prevention and I think Behavioral detections.

Re: Process Exclusion vs Path Exclusion — What is the correct choice

chickenriceandbeans — Mon, 24 Nov 2025 08:15:38 GMT

Hi, what I’m trying to say is this:
My goal is to whitelist a specific PowerShell prompt. When that prompt is triggered, I don’t want it to be seen as risky. For me it’s not a problem, so I want it to be allowed.

Re: Process Exclusion vs Path Exclusion — What is the correct choice

Roman Valenta — Mon, 24 Nov 2025 13:24:18 GMT

First of all what would be helpful to understand here is what type of event your see in the console. Meaning would be nice to see picture of the event expanded with all the details to determine which engine is the one responsible for the detection.

Re: Process Exclusion vs Path Exclusion — What is the correct choice

chickenriceandbeans — Tue, 25 Nov 2025 07:22:44 GMT

Re: Process Exclusion vs Path Exclusion — What is the correct choice

Roman Valenta — Tue, 25 Nov 2025 15:32:52 GMT

Unfortunately I cant tell form that picture what engine is triggering this event. I would suggest to look in Device Trajectory and also you can some time tell from the first line of the event not expanded. By any chance did yours is triggered by Exploit Prevention like this example bellow ?