Excluded Processes

2 min. read | last update: 10.13.2025

ThreatLocker allows you to specify processes that will be excluded from ThreatLocker monitoring. Nothing run by an excluded process will be blocked or logged in the Unified Audit, and no ThreatLocker policies will take effect on excluded processes. This should only be used in very specific circumstances, such as when a particular process generates a high number of logs, causing ThreatLocker to utilize more system resources than usual.

Note: Processes are excluded based on the path you specified, not the hash, so the exclusion does not verify the contents of the file. Care must be taken when deciding to exclude a process from monitoring by ThreatLocker.

Setting Up an Excluded Process 

Select the 'Devices' page using the left-hand menu. Then, navigate to the 'Computer Groups' page using the 'Groups' tab at the top right and select the computer group for which you would like to configure the excluded process. You can also create a new computer group by selecting the '+ Computer Group' button at the top left corner of the page.


In the 'Edit Computer Group' panel, find 'Excluded Processes' under the 'Computer Group Settings' section. 

In the 'Process' text field, enter the specific process you want to exclude. Select the 'Exclusion Type' from the dropdown menu. The following options are available in this section:

  • Execute
  • Install
  • Storage
  • Network

Note: Only a full process name, regardless of the directory (e.g., python.exe, code.exe), will apply to 'Excluded Processes'. Wildcards cannot be used in this text field.

Using the '+' and '-' buttons that appear to the right of the 'Exclusion Type' dropdown, you can also add or delete excluded processes.

Once you have entered your information, select the 'Save' or 'Create' button at the bottom of the page.

Please reach out to a Cyber Hero if you are considering setting up an Excluded Process so they can ensure you are keeping your environment as secure as possible.
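
Because an exclusion matches on the process name and not on a hash, it helps to see every file on an endpoint that carries that name before saving the setting. The following PowerShell is an added example, not ThreatLocker code or part of the original article; the parameter names, the default search root, and the "user directory" check are assumptions chosen for illustration.

```powershell
# Added example: inventory every file that a name-based exclusion could match.
# $ProcessName and $Roots are assumptions; adjust them to the endpoint under review.
param(
    [string]$ProcessName = 'python.exe',
    [string[]]$Roots = @("$env:SystemDrive\")
)

# Find every file with the exact name, in any directory under the search roots.
$found = Get-ChildItem -Path $Roots -Filter $ProcessName -File -Recurse -Force `
    -ErrorAction SilentlyContinue

$report = foreach ($f in $found) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = $hash.Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Copies under user profiles are flagged for review (assumed heuristic).
        InUserDir = $f.FullName -like "$env:SystemDrive\Users\*"
    }
}

# Full inventory, grouped visually by hash.
$report | Sort-Object SHA256, Path | Format-Table -AutoSize -Wrap

# Several distinct hashes mean the one name covers several different binaries.
$distinct = @($report | Group-Object SHA256).Count
'{0} file(s) named {1}, {2} distinct SHA256 value(s)' -f @($report).Count, $ProcessName, $distinct

# Entries to review before excluding: not validly signed, or in a user profile.
$report |
    Where-Object { $_.Signature -ne 'Valid' -or $_.InUserDir } |
    Select-Object Path, Signature, Signer
```

Run it from an elevated session so protected directories are readable; an empty final table means every copy found is validly signed and sits outside user profiles.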
