If I have a file or file type that:
- exists or will exist in multiple locations
- is updated on reboot, or by trusted author updates (but which are unsigned)
- is one of the files I’m working on
and that is auto-blocked or put on the untrusted/unrecognized list by CIS,
can I add a wildcard exclusion/local rule rather than having to add each and every one to a safe list?
e.g. I have multiple abcde.xyz’s: there is a copy on a USB and there are 2 copies on the HDD. Can I just say that ./abcde.xyz is to be auto-excluded, regardless of location, timestamp, etc.?
I’d also like to be able to add authors to my white-list so that files I am collaborating on don’t get auto-blocked.
I wondered about using Groups, but that still requires each and every instance to be catalogued… 88)
You can use the wildcards * and ?
Example 1 (If the file is at the root of any drive): ?:\abcde.xyz
Example 2 (If the file is in any folder (but not root) of any drive): ?:*\abcde.xyz
Example 3 (If the file is in any folder and/or the root of any drive; SIDE EFFECT: files like C:\somethingelseabcde.xyz would also be allowed, so it is better to use Examples 1 and 2 in combination rather than Example 3): ?:*abcde.xyz
Example 4 (If the filename has a part that changes, e.g. Test1.txt, Test2.txt, Test3.txt, etc.): C:\Path\Test*.txt
Example 5 (If the filename is the same but file extension changes): C:\Path\Test.*
I hope those examples are enough to get the general gist of how the wildcards work. Do bear in mind that these must be used in each module you want the files excluded from; there isn’t a central place to add exclusions for everything, so you’d have to add them to Firewall rules, HIPS rules, Sandbox rules, AV rules, etc.
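As an added illustration (not code from this thread and not Comodo's own matcher), the Python below models the two wildcards the way the five examples above describe them: ? stands for exactly one character and * for any run of characters, including backslashes, so that Example 2 reaches a file at any folder depth. It runs each example pattern over a constructed set of paths and shows which ones each rule would exclude, including the C:\somethingelseabcde.xyz side effect. Case-insensitive matching is an assumption based on Windows path semantics; how CIS itself implements the patterns is not established by the thread, so treat this as a way to reason about a rule before adding it, not as a description of CIS internals.

```python
import re

# Added example, not code from the thread or from Comodo. It models the two
# wildcards as the examples describe them and is an aid for reasoning about
# patterns; CIS's own matcher may differ in details.


def cis_wildcard_to_regex(pattern: str):
    """Translate a CIS-style path pattern into an anchored regular expression.

    '*' matches any run of characters, backslashes included, which is what
    lets Example 2 reach files at any depth; '?' matches exactly one character.
    Every other character, backslash and dot included, is matched literally.
    Case-insensitive matching is an assumption (Windows paths are case-insensitive).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the whole path is covered by the pattern."""
    return cis_wildcard_to_regex(pattern).match(path) is not None


def matching_paths(pattern: str, paths):
    """All paths (in input order) that the pattern would exclude."""
    return [p for p in paths if matches(pattern, p)]


def excluded_by_any(patterns, path: str) -> bool:
    """Effect of several rules together, e.g. Examples 1 and 2 instead of Example 3."""
    return any(matches(p, path) for p in patterns)


# Constructed sample paths covering the cases discussed in the thread.
SAMPLE_PATHS = [
    r"C:\abcde.xyz",                 # root of the system drive
    r"E:\abcde.xyz",                 # root of a USB stick
    r"C:\Work\abcde.xyz",            # one folder deep
    r"D:\Backups\2019\abcde.xyz",    # nested folders on another drive
    r"C:\somethingelseabcde.xyz",    # the side effect noted for Example 3
    r"C:\Work\abcde.xyz.bak",        # same name with an extra extension
    r"C:\Path\Test1.txt",
    r"C:\Path\Test2.txt",
    r"C:\Path\Test10.txt",
    r"C:\Path\Test.txt",
    r"C:\Path\Test.docx",
    r"C:\Path\Testing.txt",          # also caught by Test*.txt
]

EXAMPLES = [
    ("Example 1, root of any drive", r"?:\abcde.xyz"),
    ("Example 2, any folder of any drive", r"?:*\abcde.xyz"),
    ("Example 3, anywhere (over-broad)", r"?:*abcde.xyz"),
    ("Example 4, changing name part", r"C:\Path\Test*.txt"),
    ("Example 5, changing extension", r"C:\Path\Test.*"),
]

if __name__ == "__main__":
    for label, pattern in EXAMPLES:
        print(f"{label}: {pattern}")
        for p in matching_paths(pattern, SAMPLE_PATHS):
            print("    ", p)
    print("Examples 1+2 together cover C:\\somethingelseabcde.xyz?",
          excluded_by_any([r"?:\abcde.xyz", r"?:*\abcde.xyz"],
                          r"C:\somethingelseabcde.xyz"))
```

Two details are worth checking against a live install before relying on a rule. With * allowed to match nothing, ?:*\abcde.xyz also matches C:\abcde.xyz in this model, and C:\Path\Test*.txt catches C:\Path\Testing.txt as well as Test1.txt. Adding Examples 1 and 2 together is harmless either way, but a * that is broader than intended widens the exclusion, and every path a rule admits is a path the AV, HIPS and sandbox no longer look at.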
Awesome, thanks for the detailed explanation Sanya.