Help CenterThreatLocker provides the ability to specify certain processes that will be excluded from monitoring by ThreatLocker. Nothing will be blocked or logged in the Unified Audit if it is being run by the process set to be excluded. No ThreatLocker policies will take effect on processes set to be excluded. This should only be used in very specific circumstances, such as if a high number of logs are generated from a certain process, causing ThreatLocker to use more system resources than normal.
Note: It is important to note that the processes are excluded based on the path you specified, not the hash. Care must be taken when deciding to exclude a process from monitoring by ThreatLocker.
Setting Up an Excluded Process
Select the 'Devices' page using the left-hand menu. Then, navigate to the 'Computer Groups' page using the 'Groups' tab at the top right and select the computer group for which you would like to configure the excluded process. You can also create a new computer group by selecting the '+ Computer Group' button at the top left corner of the page.
In the 'Edit Computer Group' panel, find 'Excluded Processes' under the 'Computer Group Settings' section.
In the 'Process' text field, enter the specific process you want to exclude. Select the 'Exclusion Type' from the dropdown menu. The following options are available in this section:
- Execute
- Install
- Storage
- Network
Note: Only a full process name, regardless of the directory (i.e., python.exe, code.exe, etc.), will apply to 'Excluded Processes'. Wildcards cannot be used in this text field.
Below this area, a field titled 'File Path' is also available. In here, enter the file path associated with this process. This allows you to select a more granular area in which ThreatLocker will exclude this process. You can use wildcards in this field.
Using the '+' and '-' buttons that appear to the right of the 'File Path' field, you can also add or delete excluded processes.
Note: To not specify a path for your process, leave the 'File Path' field blank.
Once you have entered your information, select the 'Save' or 'Create' button at the bottom of the page.
Please reach out to a Cyber Hero if you are considering setting up an Excluded Process so they can ensure you are keeping your environment as secure as possible.