Exclude WSL from AutoContainment

I have previously posted a question on excluding Ubuntu 14.04 under HIPS which I got help for.
In a nutshell, create a WSL File Group, add the relevant path and that all worked.

Now I have installed Ubuntu 18.04 and items like apt update either fail to work or are very, very slow.
Debugging the issue, I found that auto containment now sandboxes the various executables, so I created an ignore rule for the WSL file group (which I still log).
Now it works a little better, but is still extremely slow. Checking the logs, I see containment logs being generated and the files are now set to ignore; however, most of the files come up as unknown.
If I then disable auto containment then it runs very fast; if I enable it again then it slows down dramatically.
So now my question is how do I get the files excluded from auto containment to stop (what I suspect is my issue) from being checked for their reputation?
Updated: If I disable “Enable Cloud Lookup” whilst Containment is still enabled then apt update flies, so I need to find a way of getting WSL not checked against the cloud. (I have set dpkg to trusted, but it keeps on thinking that it’s untrusted.)

CIS 11.0.0.6728
Windows 1803 (build 17134.472)
Ubuntu Linux 18.04 (from the MS Store)

Try setting all WSL binaries in the file list to trusted manually; you may have to change show files to all types.

I have tried that as well, but as mentioned in the first post the one binary dpkg keeps coming up as untrusted even though it is listed.
If I browse for and try and add it by hand CIS says that the entry already exists.
I have also confirmed that it’s not a link on the filesystem.

Exactly the same issue here. I almost created a new topic on this.

Also, the solution of creating a file group manually with all the WSL files is tedious. Isn’t there a better way? I mean, can I add whole canonical folder and have all things in it added recursively?

Turning off “Enable Cloud Lookup” or turning off Auto-Containment itself does solve the slowdown issue for me too.

If you read the help on using the file group you will notice you can add either files or folders to the group.

The word “recur” is completely missing on the linked site. Let me repeat my question:

“can I add whole canonical folder and have all things in it added recursively?”

Yes, when you add a folder, all files including those in sub-folders are part of that file group; that is what the wildcard character * means when it is appended to a file path.