Create a generic exclusion?

If I have a file or file type that:-

  • exists or will exist in multiple locations
  • is updated on reboot, or by trusted author updates (but which are unsigned)
  • files I’m working on

that are auto-blocked or put on the untrusted/unrecognized list by CIS.

Can I add a wild-card exclusion/local rule rather than have to add each & every one to a safe-list?
e.g. I have multiple’s - there is a copy on a USB, there are 2 copies on the HDD, can I just say ./ is to be auto-excluded, regardless of location, timestamp etc?

I’d also like to be able to add authors to my white-list so that files I am collaborating on don’t get auto-blocked.

I wondered about using Groups but that still req’s each & every instance to be catalogued… 88)

You can use the wildcards * and ?

Example 1 (If the file is at the root of any drive): ?:\

Example 2 (If the file is in any folder (but not root) of any drive): ?:*\

Example 3 (If the file is in any folder and/or root of any drive; SIDE EFFECT: Files like C:\ would also be allowed, better to use Example 1 and 2 in combination rather than Example 3): ?:*

Example 4 (If the filename has a part that changes; Example file Test1.txt to Test2.txt to Test3.txt etc): C:\Path\Test*.txt

Example 5 (If the filename is the same but file extension changes): C:\Path\Test.*

I hope those examples are enough to get the general gist of how the wildcards work. Do bear in mind that these must be used in each module you want the files excluded for; there isn’t a central place to add them to exclusions for everything, so you’d have to add them to Firewall rules, HIPS rules, Sandbox rules, AV rules, etc.
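An added example (not part of the thread and not Comodo code) that models the wildcard behaviour described in Examples 1 to 3, to show what a single broad pattern excludes beyond the two narrower patterns combined. It assumes `*` matches any run of characters including `\`, `?` matches exactly one character, and matching is case-insensitive; the file name `Tool.exe`, the three patterns and the sample paths are constructed for illustration.

```python
import re

def wildcard_to_regex(pattern):
    """Translate a wildcard pattern to a regex (assumed semantics, see lead-in)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")          # any run of characters, '\' included
        elif ch == "?":
            parts.append(".")           # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matches(pattern, path):
    # The whole path must match, not just a substring of it.
    return wildcard_to_regex(pattern).fullmatch(path) is not None

NAME = "Tool.exe"                       # hypothetical file name
ROOT_ONLY = "?:\\" + NAME               # root of any drive
ANY_FOLDER = "?:\\*\\" + NAME           # any folder, but not the root
CATCH_ALL = "?:\\*" + NAME              # single broad pattern

SAMPLE_PATHS = [                        # constructed sample paths
    r"C:\Tool.exe",
    r"E:\Tool.exe",
    r"C:\Work\Tool.exe",
    r"E:\Backup\2024\Tool.exe",
    r"C:\Temp\NotMyTool.exe",
    r"C:\EvilTool.exe",
]

def excluded_paths(patterns, paths=SAMPLE_PATHS):
    """Paths that at least one exclusion pattern would cover."""
    return [p for p in paths if any(matches(pat, p) for pat in patterns)]

def overbroad(broad, narrow, paths=SAMPLE_PATHS):
    """Paths the broad rule set excludes that the narrow rule set does not."""
    return sorted(set(excluded_paths(broad, paths)) - set(excluded_paths(narrow, paths)))

if __name__ == "__main__":
    print("narrow pair excludes:", excluded_paths([ROOT_ONLY, ANY_FOLDER]))
    print("extra files excluded by the broad pattern:",
          overbroad([CATCH_ALL], [ROOT_ONLY, ANY_FOLDER]))
```

Running a planned exclusion against a list of paths like this before entering it in each module shows whether it covers files other than the intended one.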

Awesome, thanks for the detailed explanation, Sanya. :slight_smile: