Excluding items from Exploit Prevention

If an Exploit Prevention violation event is a false positive, you can add an exclusion to prevent Exploit Prevention from blocking the item.

Each exclusion is evaluated independently: multiple exclusions are combined with a logical OR, so if any one exclusion matches, the violation event doesn't occur. Matching is case insensitive.

Access Protection: Files, processes, and registry exclusions

For files, processes, and registry items, you can exclude by file name or path, MD5 hash, or signer. Specify these exclusions in either the Access Protection policy or together with the other exclusions in the Exploit Prevention policy.

When specifying exclusions, consider the following:

  • You must specify at least one identifier: file name or path, MD5 hash, or signer.
  • If you specify more than one identifier, all of them must match (logical AND).
  • If you specify more than one identifier and they can't match the same item (for example, the file name and MD5 hash belong to different files), the exclusion is invalid and never matches anything.
  • Wildcards are allowed for all identifiers except MD5 hash, which must match exactly.

Access Protection: Services exclusions

For Access Protection (services), you can exclude by service name, as shown in the Name column of the Services tab in Task Manager (not the display name or description). Specify these exclusions in either the Access Protection policy or together with the other exclusions in the Exploit Prevention policy.

Buffer Overflow and Illegal API Use exclusions

When a Buffer Overflow or Illegal API Use violation event occurs, the event includes an associated process and a possible caller module, API, or signature. If you suspect the violation event is a false positive, you can add an exclusion that allows one or more of these identifiers. Specify these exclusions in the Exploit Prevention policy.

For example, suppose client behavior triggers Signature 2834, Java - Creation of suspicious files in Temp folder. This signature signals that the Java application is trying to create a file in the Windows Temp folder. An event triggered by this signature might be cause for alarm, because a Java application can be used to download malware to the Windows Temp folder. In this case, you might reasonably suspect that a trojan horse has been planted. But, if the process normally creates files in Temp, for example, saving a file using the Java application, create an exclusion to allow this action.

To completely exclude a process from Buffer Overflow or Illegal API Use protection, do one of the following:

  • Create an exclusion and specify only the process information.
  • Set the inclusion status for the process to Exclude in the application protection list.
  • Remove the process from the application protection list. (Not recommended)

In each of these cases, Exploit Prevention doesn't monitor the process.

If you want Buffer Overflow or Illegal API Use protection to monitor a process, except for a particular signature:

  • Make sure that the process is in the application protection list with the inclusion status of Include.
  • Create an exclusion and specify the process information and signature ID.

In these cases, Exploit Prevention monitors the process for all other signatures.

If you create an exclusion for a particular signature and specify ** for the process name, the effect is the same as disabling the signature.

You only need to create exclusions for processes that are in the application protection list with the inclusion status set to Include.

Exploit Prevention exclusions created in the Endpoint Security Client are not sent to McAfee ePO and might be overwritten when the administrator deploys an updated policy. Configure Exploit Prevention exclusions in the Exploit Prevention policy in McAfee ePO. You can also create exclusions automatically from Exploit Prevention events from the Exploit Prevention Events page under Reporting.

When specifying exclusions, consider the following:

  • You must specify at least one of Process, Caller Module, API, or Signature.
  • Exclusions by Caller Module or API don't apply to Data Execution Prevention (DEP).
  • If you specify more than one identifier, all of them must match (logical AND).
  • If you specify more than one identifier and they can't match the same item (for example, the process name and MD5 hash belong to different files), the exclusion is invalid and never matches anything.
  • Wildcards are allowed for all identifiers except MD5 hash, which must match exactly.
  • If you include signature IDs in an exclusion, the exclusion applies to the process only for the specified signatures. If no signature IDs are specified, the exclusion applies to the process for all signatures.
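
To make these matching rules concrete, the following is an added illustrative model (example code written for this page, not McAfee's implementation) of how a set of Buffer Overflow or Illegal API Use exclusions is evaluated against a violation event: exclusions combine with OR, identifiers within one exclusion with AND, matching is case insensitive, wildcards work for every identifier except the MD5 hash, signature IDs narrow the exclusion, and a process that is absent from the application protection list or set to Exclude is not monitored at all. The Event fields, the shape of the application protection list, the hashes, signer strings and the placeholder signature ID 9999 are assumptions; only signature 2834 comes from the text. The DEP restriction on Caller Module and API exclusions is not modeled.

```python
"""Illustrative model of Exploit Prevention exclusion matching.

Added example, not McAfee's code. Field names, the Event shape, the sample
hashes and the placeholder signature ID 9999 are assumptions for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    """A Buffer Overflow / Illegal API Use violation event (constructed shape)."""
    process: str
    md5: str
    signer: str
    caller_module: str
    api: str
    signature_id: int


@dataclass(frozen=True)
class Exclusion:
    """One exclusion entry; None means that identifier was not specified."""
    process: Optional[str] = None
    md5: Optional[str] = None
    signer: Optional[str] = None
    caller_module: Optional[str] = None
    api: Optional[str] = None
    signature_ids: frozenset = frozenset()  # empty: applies to all signatures

    def __post_init__(self):
        if not any((self.process, self.md5, self.signer,
                    self.caller_module, self.api, self.signature_ids)):
            raise ValueError("an exclusion must specify at least one identifier")


def wildcard_match(pattern: str, value: str) -> bool:
    """Case-insensitive wildcard match; '*' (and so '**') matches any run of characters."""
    return fnmatchcase(value.casefold(), pattern.casefold())


def exclusion_matches(excl: Exclusion, ev: Event) -> bool:
    """Every identifier that was specified must match (logical AND)."""
    for pattern, value in ((excl.process, ev.process), (excl.signer, ev.signer),
                           (excl.caller_module, ev.caller_module), (excl.api, ev.api)):
        if pattern is not None and not wildcard_match(pattern, value):
            return False
    # MD5 hash is compared exactly: no wildcards, still case insensitive.
    if excl.md5 is not None and excl.md5.casefold() != ev.md5.casefold():
        return False
    if excl.signature_ids and ev.signature_id not in excl.signature_ids:
        return False
    return True


def evaluate(ev: Event, app_protection: dict, exclusions: Iterable[Exclusion]) -> str:
    """Return 'not monitored', 'excluded' or 'violation' for one event.

    app_protection maps a lower-case process name to its inclusion status
    ('Include' or 'Exclude'); a process missing from the list is not monitored.
    """
    if app_protection.get(ev.process.casefold()) != "Include":
        return "not monitored"
    # Exclusions are independent: a single match is enough (logical OR).
    if any(exclusion_matches(e, ev) for e in exclusions):
        return "excluded"
    return "violation"


# Constructed sample data. 2834 is the Java/Temp-folder signature named in the
# text; 9999 is a placeholder ID, and hashes and signers are placeholders too.
APP_PROTECTION = {"java.exe": "Include", "powershell.exe": "Include"}
JAVA_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
JAVA_TEMP_EVENT = Event("java.exe", JAVA_MD5, "Example Signer", "jvm.dll", "CreateFileW", 2834)
JAVA_OTHER_EVENT = Event("java.exe", JAVA_MD5, "Example Signer", "jvm.dll", "WinExec", 9999)
PS_TEMP_EVENT = Event("powershell.exe", "0" * 32, "Example Signer", "pwsh_host.dll", "CreateFileW", 2834)
CMD_EVENT = Event("cmd.exe", "1" * 32, "Example Signer", "cmd.exe", "CreateFileW", 2834)

if __name__ == "__main__":
    # Process + signature ID: Java stays monitored for every other signature.
    narrow = [Exclusion(process="JAVA.EXE", signature_ids=frozenset({2834}))]
    print(evaluate(JAVA_TEMP_EVENT, APP_PROTECTION, narrow))    # excluded
    print(evaluate(JAVA_OTHER_EVENT, APP_PROTECTION, narrow))   # violation
    # '**' as the process name disables the signature for every monitored process.
    disable = [Exclusion(process="**", signature_ids=frozenset({2834}))]
    print(evaluate(PS_TEMP_EVENT, APP_PROTECTION, disable))     # excluded
    # Right name, wrong hash: the AND of identifiers can never match.
    mismatch = [Exclusion(process="java.exe", md5="f" * 32)]
    print(evaluate(JAVA_TEMP_EVENT, APP_PROTECTION, mismatch))  # violation
```

The model is useful mainly for reasoning about an exclusion before it goes into policy: an entry that combines a process name with the MD5 of a different build of that process silently matches nothing, and an entry with `**` for the process and a signature ID suppresses that signature for every process in the application protection list, not just the one that raised the event.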

Network IPS exclusions

For Network IPS protection, you can exclude a single IP address (IPv4 format) or a range of IPv4 addresses. To exclude a range, enter the first and last address of the range separated by a hyphen. For example:

203.0.113.0-203.0.113.255

Specify these exclusions in the Exploit Prevention policy.
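
As an added example (not McAfee's code), the following parses Network IPS exclusion entries in the single-address and start-end range forms shown above, rejects entries the policy would not accept (IPv6 addresses, malformed text, a range whose end precedes its start) and checks whether a host is covered by any entry, with the same OR semantics as other exclusions. The sample entries and hosts are constructed from documentation address ranges.

```python
"""Parse and check Network IPS exclusion entries (single IPv4 address or
start-end IPv4 range). Added example, not McAfee's code; sample data is constructed."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


def parse_nips_exclusion(entry: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (first, last) for 'A.B.C.D' or 'A.B.C.D-W.X.Y.Z'.

    Raises ValueError for IPv6, malformed addresses, or a range whose end
    precedes its start, so a bad entry is caught before it reaches the policy.
    """
    start_text, sep, end_text = entry.partition("-")
    # IPv4Address rejects IPv6 and garbage with AddressValueError (a ValueError).
    start = ipaddress.IPv4Address(start_text.strip())
    end = ipaddress.IPv4Address(end_text.strip()) if sep else start
    if end < start:
        raise ValueError(f"range end precedes start: {entry!r}")
    return start, end


def excluded_from_nips(entries: Iterable[str], host: str) -> bool:
    """True if any entry covers the host (entries are independent: logical OR)."""
    ip = ipaddress.IPv4Address(host)
    return any(start <= ip <= end for start, end in map(parse_nips_exclusion, entries))


def validate_entries(entries: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each entry to None if it is valid, otherwise to the error message."""
    result: Dict[str, Optional[str]] = {}
    for entry in entries:
        try:
            parse_nips_exclusion(entry)
            result[entry] = None
        except ValueError as exc:
            result[entry] = str(exc)
    return result


# Constructed sample policy entries (documentation ranges only).
POLICY_ENTRIES = ["203.0.113.0-203.0.113.255", "198.51.100.7"]

if __name__ == "__main__":
    for host in ("203.0.113.42", "198.51.100.7", "198.51.100.8"):
        print(host, excluded_from_nips(POLICY_ENTRIES, host))
    print(validate_entries(["203.0.113.255-203.0.113.0", "2001:db8::1", "192.0.2.0-192.0.2.15"]))
```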