Exclusions not working


wkiess01

I've recently installed MB Endpoint Protection and shortly after users started complaining some programs would no longer work and a MB message would pop up saying the program was not allowed. I added the program name into the exclusions list, but it's still happening. I added just the filename xxxxx.exe as it lives in a different place on each PC's user folder. What am I missing?

Have you looked at the Admin Guide yet?  I just opened it to see if it offered anything of value to you.  Page 41 shows how to use files/folders with wildcards.  I have not tried this myself, but it appears that if everyone has the file on their drive C:, you should be able to use something like:

c:\*\xxxx.exe

If that file could be one level deeper, you would need to add an entry for that, as I expect that the "*" would only serve that depth in the directory structure.  Try that and see if it helps.

Edited by gonzo
cranial flatulence

Thanks for your replies. I did read the Admin Guide but wasn't clear on the way to add the exclusions since the file can be located anywhere on the user's PC. The file in question is generated and downloaded by .NET ClickOnce which checks if there's a new version of (my) software available and downloads and installs it if so. I have no control over where the file is located on the user's PC. I only know the name. I added this name in the exclusions list and oddly it appears to work fine, i.e. is excluded, on one PC, but not another, hence my request for help.

The Malwarebytes log shows a path like C:\User\user_id\AppData\Local\Apps\2.0\some_long_path_name\some_other_long_pathname\filename.exe. Should I change the exception to read: C:\User\*\AppData\Local\Apps\2.0\*\*\filename.exe?

Hi @wkiess01, you'll likely need to ignore the folder up to the 2.0. Like this:

C:\User\*\AppData\Local\Apps\2.0\

The program is not going to be able to honor something with that many wildcards. Additionally, the use of wildcards may preclude your ignore entry from working with the engine you need. Be sure to look at the lower portion of the window under "Exclusions Applied To..."

Thanks for your suggestion Dyllon. I'm a bit concerned this may be too generic though, basically excluding everything in that path (and with a wildcard!). I would prefer to exclude just the filename itself.

The documentation for excluding a file states:
 

Quote

 

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.

To access the exclusions in Malwarebytes:

  • Click on the Settings tab in the left pane.
  • Click on the Exclusions tab.
  • Click the Add Exclusion button.
  • Select the exclusion type Exclude a File or Folder and use the Browse button to select the main folder for the software that you wish to keep.


 

It is not clear if specifying just the filename will exclude it no matter what path it is in or whether the path to the file must also be specified. I therefore entered just the filename and extension which oddly seems to work for one PC but not another. Furthermore, there is no Browse button as suggested in the text (see screenshot below).

[Screenshot]


Infections will make their own areas, they are not going to know to attack your 2.0 folder unless it is done by someone that already knows your environment. Do your users download things to this folder and use it to store their items?

The filename by itself will not work, the extension on its own will but is not advisable if the extension is a common script or process type. Files and folders are by whole path only. 

You can use the ? to stand in for each character for a portion of the path you need.

C:\User\*\AppData\Local\Apps\2.0\Partialfoldername??????????\Partialfoldername??????????\filename.exe

Thanks for your reply Dyllon.

I do not know the path of the file in advance. I've only discovered the path based on the Malwarebytes quarantine log. Perhaps in hindsight I should have titled my question "How to exclude .NET ClickOnce installation files". I am not in control of the path or filename of these .NET ClickOnce installation files, so I cannot predict their path or name to include in the exclusions list. Is there another way to allow the ClickOnce installation files to execute? It would be nice to just click on Detection Details in the dashboard and click on an "Add to Exclusions List" button to whitelist the program.

The name may not be known but is there no set convention it follows? If there are GUIDs in the path name, that's helpful because those are set character string lengths.

As an example, say a few folders are made, they start similar but end in different characters. Say, folder123, folderABC, folderXYZ. Entering an exclusion of C:\example\path\folder???\someprocess.exe, would ignore all combinations of that name.

An example with a real GUID, let's use a random one for this; "{e0e39e0d-f6c8-4ca9-8858-26b98eeec84a}":
C:\example\path\{????????-????-????-????-????????????}\someprocess.exe

Edit:
It will also work just at the folder level if you want that, confirmed on my test environment 👍

Edited by djacobson
Repro'd a few ignore scenarios, updating post.
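An added example, not written by any poster and not Malwarebytes code: it models the wildcard behaviour as the posts above describe it (`?` is one character, `*` stays within one folder level, a trailing backslash excludes everything under the folder) to build a `?`-masked entry from logged paths and compare what it covers with the folder-level entry. The matching rules, the function names and the sample paths are assumptions constructed for illustration; the product's engine may behave differently.

```python
import re

def exclusion_to_regex(entry):
    """Assumed semantics: '?' = one character, '*' = any run of characters
    inside a single folder level, trailing '\\' = folder and all its contents."""
    folder = entry.endswith("\\")
    parts = []
    for ch in entry.rstrip("\\"):
        if ch == "?":
            parts.append(r"[^\\]")
        elif ch == "*":
            parts.append(r"[^\\]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + (r"\\.+" if folder else ""), re.IGNORECASE)

def covered(entry, paths):
    """Return the paths a given exclusion entry would ignore under this model."""
    rx = exclusion_to_regex(entry)
    return [p for p in paths if rx.fullmatch(p)]

def mask_from_logs(paths):
    """Derive the narrowest entry from logged paths: keep characters that never
    change, use '?' where they do, and '*' only where a level's length varies."""
    rows = [p.split("\\") for p in paths]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("paths differ in depth; add one entry per depth")
    out = []
    for names in zip(*rows):
        if len({len(n) for n in names}) != 1:
            out.append("*")
        else:
            out.append("".join(c[0] if len(set(c)) == 1 else "?" for c in zip(*names)))
    return "\\".join(out)

# Constructed sample paths (not taken from any real log).
LOGGED = [
    r"C:\User\alice\AppData\Local\Apps\2.0\appdir_1a2b3c\build_aa11\filename.exe",
    r"C:\User\bob\AppData\Local\Apps\2.0\appdir_9f8e7d\build_zz99\filename.exe",
]
NEW_USER = r"C:\User\carol\AppData\Local\Apps\2.0\appdir_77aa00\build_bb22\filename.exe"
UNRELATED = r"C:\User\carol\AppData\Local\Apps\2.0\other\dropped.exe"
FOLDER_ENTRY = "C:\\User\\*\\AppData\\Local\\Apps\\2.0\\"

if __name__ == "__main__":
    masked = mask_from_logs(LOGGED)
    everything = LOGGED + [NEW_USER, UNRELATED]
    print(masked)
    print("masked entry ignores:", len(covered(masked, everything)), "of", len(everything))
    print("folder entry ignores:", len(covered(FOLDER_ENTRY, everything)), "of", len(everything))
```

With only a few logged paths the mask can come out too narrow, so rebuild it as more detections arrive before relying on it.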

7 hours ago, djacobson said:

On your first post, what is your pop up you get? I'd like to get a bit more info on the hit details. You can share via PM as well if some of those details are delicate.

Sorry, but the problem appears to have subsided with the exclusion I've entered, so I'm not able to provide a screenshot. I'll have to wait for the next change(s) to the .NET apps or for another user to try and use the apps. I'll be sure to get screendumps from them if it happens again.

