Help CenterThreatLocker provides the ability to specify certain processes that will be excluded from monitoring by ThreatLocker. Nothing will be blocked or logged in the Unified Audit if it is being run by the process set to be excluded. No ThreatLocker policies will take effect on processes that have been set to be excluded. This should only be used in very specific circumstances, such as if there is a high number of logs being generated from a certain process, causing ThreatLocker to use more system resources than normal.
Note: It is important to note that the processes are excluded based on the path you specified, not the hash. Care must be taken when deciding to exclude a process from monitoring by ThreatLocker.
Setting Up an Excluded Process
Select the 'Devices' page using the left-hand menu. Navigate to the Computer Groups page using the 'Groups' tab on the top right side of the page and select the Computer Group that you would like to configure the excluded process for.
In the 'Edit Computer Group' panel, find 'Excluded Processes' under the 'Computer Group Settings' section.
In the 'Process' text field, enter the specific process you'd like to exclude. Select the 'Exclusion Type' from the dropdown menu. Click the + icon to add the exclusion.
Note: Only a full process name, regardless of the directory (i.e., python.exe, code.exe, etc.), will apply to Excluded Processes. Wildcards are not usable in this text field.
If you'd like to remove an exclusion, select the '-' icon.
Select 'Save' to save your changes.
Please reach out to a Cyber Hero if you are considering setting up an Excluded Process so they can be sure you are keeping your environment as secure as possible.