EPP Exclusions

Exclusions tell the SenseOn antimalware component to skip scanning certain files, directories, or processes. This page explains the available exclusion types, how each works internally, and guidance on choosing the right one for your situation.

💡 Where to configure exclusions: Exclusions are configured in Device Configuration under the Antimalware and Process Protection sections. They can be scoped to specific device segments. See Endpoint Protection for steps on creating segments and applying configuration.


Exclusion Types

Path Exclusions

Exclude files or directories from scanning by path. Supports both absolute paths and wildcard patterns using * (any sequence of characters) and ? (single character). Matching is case-insensitive on all platforms. UNC paths (e.g. \\server\share\path\*) are supported.

Examples:

  • C:\MyApp\data\* — excludes all files under that directory
  • C:\MyApp\data\*.tmp — excludes all .tmp files in that directory
  • \\server\share\builds\* — network path exclusion

⚠ Wildcard paths have a small locking window. When a wildcard pattern is used rather than an absolute path, there is a brief moment where the file may be locked while the agent matches the path against the exclusion list. For most workloads this is imperceptible, but for processes that delete large numbers of files rapidly it can cause transient lock contention. Use absolute paths where possible — an absolute path match short-circuits before any file handle is opened.
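To review what a set of path exclusions would cover before deploying it, the stated matching rules can be modelled offline. The sketch below is an added example, not SenseOn code: the function names and sample paths are constructed, and it assumes only the semantics given on this page (`*` is any sequence of characters, `?` is one character, matching is case-insensitive). It also labels each entry as absolute or wildcard, since only wildcard entries carry the locking window.

```python
import re

# Assumption: models only the rules stated on this page. The agent's real
# matcher is not shown here and may differ (e.g. whether "*" crosses "\").
# Absolute entries are modelled as exact file paths, not directory prefixes.

def is_wildcard(pattern):
    """True if the entry uses * or ? (the kind with a small locking window)."""
    return "*" in pattern or "?" in pattern

def compile_exclusion(pattern):
    """Translate one exclusion into a case-insensitive regex."""
    tokens = {"*": ".*", "?": "."}
    body = "".join(tokens.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def review(exclusions, sample_paths):
    """Map each exclusion to (kind, sample paths it would cover)."""
    report = {}
    for pattern in exclusions:
        rx = compile_exclusion(pattern)
        covered = [p for p in sample_paths if rx.fullmatch(p)]
        kind = "wildcard" if is_wildcard(pattern) else "absolute"
        report[pattern] = (kind, covered)
    return report

# Constructed sample data; the first three patterns are this page's examples.
EXCLUSIONS = [
    r"C:\MyApp\data\*",
    r"C:\MyApp\data\*.tmp",
    r"C:\MyApp\*\*.log",
    r"C:\MyApp\bin\tool.dat",
]
SAMPLE_PATHS = [
    r"c:\myapp\DATA\cache.TMP",
    r"C:\MyApp\data\sub\nested.bin",
    r"C:\MyApp\logs\app.log",
    r"C:\MyApp\app.log",
    r"C:\MyApp\bin\tool.dat",
]

if __name__ == "__main__":
    for pattern, (kind, covered) in review(EXCLUSIONS, SAMPLE_PATHS).items():
        print(f"{pattern}  [{kind}]  covers: {covered}")
```

Under this model `C:\MyApp\data\*` also covers files in subdirectories, and `C:\MyApp\*\*.log` does not cover a .log file sitting directly in `C:\MyApp`, so confirm both behaviours against the agent before relying on them.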


Process Exclusions

Exclude all files accessed by a specific process from on-access scanning. This is the most effective solution for scenarios where a process touches a high volume of files — for example build systems, backup agents, deployment tools, or cleanup scripts.

When a process is in the exclusion list, the exclusion is applied at the driver level. File accesses by that process never trigger a scan callback at all, so there is no locking window.

⚠ The process executable must be code-signed. The agent performs signature verification before registering the exclusion. Unsigned executables cannot be excluded via this mechanism even if listed.

⚠ Exclusions apply on next process start. If the process is already running when the exclusion is added, it must be restarted for the exclusion to take effect.

Examples:

  • C:\MyApp\bin\cleanup.exe
  • C:\Program Files\MyBuildTool\builder.exe


Hash Exclusions (SHA-1)

Exclude a specific file by its SHA-1 hash. Useful for known-safe files that may be flagged as suspicious — for example internal tools or custom binaries.

⚠ Hash exclusions are post-detection only. The file is scanned first; the hash is then checked to decide whether to act on the detection. This means hash exclusions do not prevent the brief locking that occurs during scanning. They are best used to suppress false positives on known-safe binaries, not to reduce locking contention.


Extension Exclusions

❌ Not currently supported. Use path wildcards as a workaround — for example C:\MyApp\*\*.log to exclude all .log files under a directory.


Choosing the Right Exclusion Type

| Scenario | Recommended type |
| --- | --- |
| A process deletes or modifies many files rapidly | Process exclusion |
| A specific directory contains known-safe files | Path exclusion (absolute path preferred) |
| A specific binary is flagged as a false positive | Hash exclusion |
| Files with a specific extension should be excluded | Path wildcard (e.g. C:\App\*\*.ext) |
| Mixed or dynamic paths, too many to enumerate | Process exclusion |

Common Scenarios

A process is failing because SenseOn is locking files it tries to delete

This is expected behaviour — the antimalware component briefly locks files during on-access scanning. The recommended fix is a process exclusion on the process performing the deletions. This removes the locking entirely without needing to enumerate file paths, and is more robust than path exclusions when paths are numerous or dynamic.

Note: the process executable must be code-signed for the exclusion to take effect.

Scanning is slowing down compilation on a build server

Use a process exclusion on the compiler or build tool executable, or a path exclusion on the build output directory using an absolute path. Avoid wildcard path exclusions on high-frequency directories — the pattern-matching window can accumulate under load.

A known internal tool is being flagged as malware

Use a hash exclusion (SHA-1) to suppress the false positive. If the tool is updated frequently and the hash changes, contact support@senseon.io to discuss alternatives.


Key Limitations

  • Process exclusions require a signed executable — unsigned binaries cannot be excluded.
  • Process exclusions apply on next process start — changes are not retroactive to already-running processes.
  • Wildcard path exclusions have a small locking window — for high-frequency file deletion, prefer process exclusions or absolute path exclusions.
  • Hash exclusions are post-detection only — they suppress action on a flagged file but do not prevent the scan or its locking.
  • Extension exclusions are not yet implemented — use wildcard path patterns as a workaround.