Add Exclusion or Edit Exclusion

Add or edit an Exploit Prevention exclusion.

When specifying exclusions, consider the following:

  • Based on the type selected from the Exclusion Type drop-down list, you must specify at least one of Process, Caller Module, API, Signatures, Service Name, or IP Addresses.
  • If you specify more than one identifier, all identifiers apply.
  • If you specify more than one identifier and they don't match (for example, the file name and MD5 hash don't apply to the same file), the exclusion is invalid.
  • Exclusions are case insensitive.
  • Wildcards are allowed for all except MD5 hash and Signature IDs.
  • If you include signature IDs in an exclusion, the exclusion only applies to the process in the specified signatures. If no signature IDs are specified, the exclusion applies to the process in all signatures.
  • For Process exclusions, you must specify at least one identifier: File name or path, MD5 hash, or Signer.
  • Exclusions with Caller Module or API don't apply to DEP.
Options
Section Option Definition
Process

Files, Processes, Registry, Buffer Overflow, or Illegal API Use

Name Specifies the process name to exclude. Exploit Prevention excludes the process wherever it is located.

This field is required with at least one other field: File name or path, MD5 hash, or Signer.

File name or path Specifies the file name or path of the executable to add or edit.

Click Browse to select the executable.

MD5 hash Indicates the (32-digit hexadecimal number) MD5 hash of the process.
Signer Enable digital signature checkGuarantees that code hasn't been changed or corrupted since it was signed with cryptographic hash.

If enabled, specify:

  • Allow any signature — Allows files signed by any process signer.
  • Signed by — Allows only files signed by the specified process signer.

    A signer distinguished name (SDN) for the executable is required and it must match exactly the entries in the accompanying field, including commas and spaces.

    The process signer appears in the correct format in the events in the log files. For example:

    C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS

Caller Module

Buffer Overflow or Illegal API Use

Name Specifies the name of the module (a DLL) loaded by an executable that owns the writable memory that makes the call.

This field is required with at least one other field: File name or path, MD5 hash, or Signer.

File name or path Specifies the file name or path of the executable to add or edit.

Click Browse to select the executable.

MD5 hash Indicates the (32-digit hexadecimal number) MD5 hash of the process.
Signer Enable digital signature checkGuarantees that code hasn't been changed or corrupted since it was signed with cryptographic hash.

If enabled, specify:

  • Allow any signature — Allows files signed by any process signer.
  • Signed by — Allows only files signed by the specified process signer.

    A signer distinguished name (SDN) for the executable is required and it must match exactly the entries in the accompanying field, including commas and spaces.

    The process signer appears in the correct format in the events in the log files. For example:

    C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS

API

Buffer Overflow or Illegal API Use

Name Specifies the name of the API (application programming interface) being called.
Signatures

Buffer Overflow, Illegal API Use, or Network IPS

Signature IDs Specifies (comma-separated) Exploit Prevention signature identifiers.
IP Addresses

Network IPS only

IP addresses or ranges Specifies (comma-separated) IP addresses (in IPv4 format) or ranges. Enter the starting point and ending point of the range.

For example: 203.0.113.0-203.0.113.255

Services

Services only

Service Name Specifies the name of the service, such as AdobeARM, from the Services tab in Task Manager.
Notes Provides more information about the item.