Cisco Secure Endpoint Exclusions - How do they work?

ACISAC
Level 1

I've searched and read documentation and cannot get a clear answer.

I see these exclusions in Cisco Secure Endpoint:

  1. Threat
  2. Path
  3. File Extension
  4. Wildcard
  5. Executable
  6. Process:
    • File Scan
    • Malicious Activity
    • System Process
    • Behavioral Protection

When creating exclusions (see above type of exclusions):

  • Will creating a path exclusion prevent any processes located under that same path exclusion from appearing in the Device Trajectory panel?
  • Which type(s) of process exclusion(s) will prevent a process from appearing in the Device Trajectory panel?
  • Would it be redundant to have a path exclusion AND any combination of process exclusion(s) for an executable under the same path exclusion?

Thank you in advance.

2 Replies

Divya Jain
Cisco Employee

Hello,
Just to help you understand better, an exclusion set is a list of directories, file extensions, or threat names that you do not want the Secure Endpoint Connector to scan or convict. Exclusions are a necessity to ensure a balance of performance and security on a machine when endpoint protection such as Secure Endpoint is enabled.

Example: Let's say you are using Secure Endpoint and some antivirus in your environment. Since you trust the antivirus software, you can exclude that software from being scanned by Cisco Secure Endpoint. For this you can exclude the directory where that software is located.

To create exclusions, you can use wildcards, directory etc.
Some reference documents for you: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html

https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html

I hope these links help.

You can also learn more about Endpoint Security through our live Ask the Experts (ATXs) session. Check out Cisco Endpoint Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Please feel free to reach out to me if you have any sort of uncertainties.

Hello @ACISAC,
let's explain step by step. First, you might take a look at the File Scanning Sequence explained here. For any execute and write, Secure Endpoint does the whole Scanning Sequence.

  • Will creating a path exclusion prevent any processes located under that same path exclusion from appearing in the Device Trajectory panel?
    Answer: Yes, if there is a match, we are stopping the whole file scanning sequence here, even hashing the file.
  • Which type(s) of process exclusion(s) will prevent a process from appearing in the Device Trajectory panel?
    Answer: Process File Scan
  • Would it be redundant to have a path exclusion AND any combination of process exclusion(s) for an executable under the same path exclusion?
    Answer: Both settings will prevent hashing the file and sending telemetry information for backend processing. The difference is, if you exclude a path, the path with all the executables in the path gets excluded. A process exclusion is much more granular and will only exclude a single process, but you will get all the information from other executables located in the same directory.

Finally, I would recommend using exclusions only if necessary, just to provide as much telemetry info as possible for the backend engines and to have as much file/process information as possible available in the "Event Stream" for the Behavioral Protection Engine on the endpoint.

Greetings, Thorsten
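To make the difference between a path exclusion and a Process File Scan exclusion concrete, here is an added example (not Cisco's code and not from either reply) that models the semantics Thorsten describes: any match stops the scanning sequence before hashing, a path exclusion covers every file under the directory, and a process exclusion covers one executable only. It also flags process exclusions that a path exclusion already makes redundant. The exclusion policy and all paths are constructed, hypothetical values.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Simplified model of the exclusion semantics in the reply above. Constructed
# for illustration, not Cisco's matching code: path exclusions are directory
# prefixes, wildcard exclusions are fnmatch patterns, and process file-scan
# exclusions name one executable (the acting process) exactly.

def _norm(p):
    """Canonical, case-insensitive Windows path string (no trailing slash)."""
    return str(PureWindowsPath(p)).lower()

def matches_path_exclusion(file_path, path_exclusions):
    """A path exclusion covers every file at or below that directory."""
    f = _norm(file_path)
    return any(f == _norm(d) or f.startswith(_norm(d) + "\\") for d in path_exclusions)

def matches_wildcard_exclusion(file_path, wildcard_exclusions):
    """Wildcard exclusions match the full path; '*' may span separators."""
    return any(fnmatchcase(_norm(file_path), _norm(w)) for w in wildcard_exclusions)

def matches_process_exclusion(process_path, process_exclusions):
    """A process file-scan exclusion covers only that one executable."""
    return _norm(process_path) in {_norm(p) for p in process_exclusions}

def file_is_hashed(file_path, process_path, policy):
    """True when the scanning sequence reaches hashing and telemetry.
    Any exclusion match stops the sequence first, so nothing about the
    file reaches Device Trajectory."""
    if matches_path_exclusion(file_path, policy.get("path", [])):
        return False
    if matches_wildcard_exclusion(file_path, policy.get("wildcard", [])):
        return False
    if matches_process_exclusion(process_path, policy.get("process_file_scan", [])):
        return False
    return True

def redundant_process_exclusions(policy):
    """Process exclusions already covered by a broader path exclusion."""
    return [p for p in policy.get("process_file_scan", [])
            if matches_path_exclusion(p, policy.get("path", []))]

# Constructed sample policy (hypothetical paths, not a real deployment).
POLICY = {
    "path": [r"C:\Program Files\TrustedAV"],
    "wildcard": [r"C:\Users\*\AppData\Local\Temp\*.tmp"],
    "process_file_scan": [r"C:\Program Files\TrustedAV\avscan.exe",
                          r"C:\Tools\backup.exe"],
}
```

Running `redundant_process_exclusions(POLICY)` reports `avscan.exe`, because the TrustedAV path exclusion already stops the scan for it, while `backup.exe` stays meaningful: its neighbour `other.exe` in `C:\Tools` is still hashed and reported unless backup.exe is the acting process.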