CrowdStrike (CS): Exclusions

Description

You must be logged in to your CrowdStrike Falcon console at the following URL to view the CrowdStrike-hosted articles linked from this page.

When adding Exclusions, make sure you are viewing the desired CID in your CrowdStrike Falcon console.

  • Where do you want to add the exclusions?
    • Adding at your “Parent CID” will allow you to apply the exclusion to ALL hosts across all your Child CIDs, or select Specific Group Names to apply the exclusion to.
    • Adding at a specific “Child CID” will allow you to apply the exclusion to all hosts belonging to that Child CID, or select Specific Group Names within that Child CID to apply the exclusion to.

After you create, edit, or delete an exclusion, it can take up to 40 minutes for the changes to go into effect.

Understanding Exclusions

Occasionally, Falcon might detect or prevent activity that you expect and allow in your environment. By creating exclusions, you can stop seeing detections that you don’t want to see, and allow processes that would otherwise be prevented. The exclusions that you create effectively form an allowlist that explicitly defines your organization’s known trusted activity.

You can create the following types of exclusions:

  • Machine learning (file path) exclusion
    • Description: For trusted file paths, stop all ML-based detections and preventions, or stop files from being uploaded to the CrowdStrike cloud.
    • Events logged? Yes
  • Machine learning (certificate) exclusion
    • Description: For files signed by a specific certificate that is trusted on the target endpoint, stop all ML-based detections and preventions, or stop files from being uploaded.
    • Events logged? Yes
  • Indicator of attack (IOA) exclusion
    • Description: Stop all behavioral detections and preventions for an IOA that's based on a CrowdStrike-generated detection.
    • Events logged? Yes
  • Sensor visibility exclusion
    • Description: For trusted file paths that you want to exclude from sensor monitoring, minimize sensor event collection, and stop all associated detections and preventions. Use sensor visibility exclusions with extreme caution: potential attacks and malware associated with excluded files will not be recorded, detected, or prevented.
    • Events logged? Most events are not logged

Machine Learning Exclusions (Files, Paths, and Certificates)

Reduce false-positive detections by creating machine learning exclusions. Define file path patterns or select a certificate to exclude files from detections or preventions derived from machine learning techniques:

  • Stop static file-based detections and preventions, through ML-based techniques or custom hash blocklists
  • Stop file uploads to the CrowdStrike cloud

A machine learning exclusion has three configurable parts:

  1. Exclusion definition:
    1. For file path exclusions: An exclusion pattern that defines a file path, name, or extension. Exclusion patterns are written in glob syntax. For more info, see Wildcard Syntax.
    2. For certificate exclusions: A trusted certificate that is used to digitally sign a file.
  2. An exclusion type that defines the type of activity that you want to exclude. Choose one or both exclusion types:
    1. Detect/Prevent
    2. For file path exclusions only: Upload Files to CrowdStrike
  3. A set of hosts that the exclusion applies to. Choose all hosts or select specific host groups.

Detect/Prevent:

Any file matching the exclusion pattern or signed by an excluded certificate won’t be detected or blocked by the Falcon sensor. The activity is logged through events sent to the CrowdStrike cloud, but a detection is not generated.

The most common reason to create a Detect/Prevent exclusion is to minimize false-positive detections for trusted applications. For example, your organization might use an internal tool that's blocked by the Falcon sensor. You can create an exclusion to permit that tool to run without triggering a Detect or Prevent action.

Create Detect/Prevent exclusions to target very specific situations. If your exclusion is too broad, you might inadvertently permit malicious activity that should be detected or blocked.

Upload files to CrowdStrike:

Uploading files to CrowdStrike is disabled by default. To enable it, go to Support and resources > General settings, click Quarantined files, and turn on Upload quarantined files.

  • Note: Files larger than 32 MB will not be uploaded to the CrowdStrike cloud.

Any file matching the exclusion pattern or signed by an excluded certificate won't be available for download in Endpoint security > Monitor > Quarantined files, and those files aren't uploaded to the CrowdStrike cloud for analysis.

The most common reason to create this type of exclusion is to prevent certain executable files from being uploaded to the CrowdStrike cloud. For example, you might want to prevent uploads of self-extracting archives containing design files from the group of hosts that includes your engineering department's workstations.

IOA Exclusions (Indicators of Attack)

IOA exclusions are created from within a detection, or by duplicating and then modifying an existing IOA exclusion.

You can exclude most types of IOA detections. However, the following types of detections cannot be excluded:

  • OverWatch detections: For assistance with OverWatch detections, contact Support
  • Custom IOA detections: To adjust these detections, modify the custom IOA instead
  • Forced Address Space Layout Randomization (ASLR) bypass preventions
  • Forced Data Execution Protection (DEP) preventions
  • Heap Spray Preallocation preventions
  • A small set of internal detection types

The Falcon console indicates whether you can exclude a specific IOA detection. If you want to exclude a detection that Falcon indicates cannot be excluded, open a Support case.

Sensor Visibility Exclusions (Performance/Application Conflicts)

For trusted file paths that you want to exclude from sensor monitoring, sensor visibility exclusions minimize sensor event collection, and stop all associated detections and preventions.

Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files will not be recorded, detected, or prevented.

The most common reason to create a sensor visibility exclusion is to improve endpoint performance at the excluded file paths, where sensor event data collection might interfere with highly resource-sensitive tasks. When planning and configuring sensor visibility exclusions, balance performance and security considerations. We recommend using sensor visibility exclusions only on hosts for which the sensor’s performance overhead without exclusions is unacceptable, and we recommend choosing excluded paths with care.

Considerations for Sensor Visibility Exclusions

Use sensor visibility exclusions with extreme caution. If you create a sensor visibility exclusion for a file path, Falcon won’t record all events, won’t report any detections, and won’t perform any prevention actions. This means that you won’t have visibility into potential attacks or malware related to that file path.

Before creating sensor visibility exclusions, consider the potential security risks. If you do create sensor visibility exclusions, we recommend following these best practices:

  • Configure exclusions to be as narrow as possible. It’s safer to exclude a single executable file than an entire folder or all subfolders.
  • Avoid specifying file exclusions for built-in operating system executable files and folders, such as these:
    • bash, /sbin, /bin, /usr/bin
    • java, python, ruby

Additional sensor visibility exclusion considerations:

  • The sensor minimizes event reporting for process executions that match file exclusion criteria.
  • Processes that match file exclusion criteria will no longer generate the majority of events that would be seen otherwise, including process-related events.
  • The sensor will continue to send EndOfProcess events on Windows and macOS.
  • Process tree and file name are still captured, but SHA256 digest is not.
  • For excluded processes, data will not be available in the following features and contexts:
    • Any app usage dashboard (for example, in asset management)
    • Hash search (Falcon Investigate)
    • FDRv2 app info
  • Excluding container-relative paths (and more generally, paths inside a chroot) is not supported.
  • At this time, any Linux sensor visibility exclusions apply to both the host and all containers running on the system.

Adding Machine Learning (File Path) Exclusions

When adding Exclusions, make sure you are viewing the desired CID in your CrowdStrike Falcon console.

  • Where do you want to add the exclusions?
    • Adding at your “Parent CID” will allow you to apply the exclusion to ALL hosts across all your Child CIDs, or select Specific Group Names to apply the exclusion to.
    • Adding at a specific “Child CID” will allow you to apply the exclusion to all hosts belonging to that Child CID, or select Specific Group Names within that Child CID to apply the exclusion to.
  • Then select the tab for Machine learning (file path) exclusions

  • Click the button to CREATE EXCLUSION
  • Select either:
    • “All hosts” to have the exclusion apply to all hosts in the currently viewed CID.
    • “Groups of hosts” to have the exclusion apply to only hosts in specific Host Groups within the currently viewed CID.
  • Click NEXT
  • Select either or both options for “EXCLUDED FROM”:
    • Detections and preventions
    • Uploads to CrowdStrike
  • Define the Exclusion Pattern
    • You can use the full desired file path and file name OR you can specify a pattern using wildcards.
  • Optional. Under PATTERN TEST, you can test the exclusion pattern before saving it:
    • Type a file path that you expect to be excluded (and one that you expect not to be), and then click Test pattern.
    • Check the confirmation message to see whether the file path you typed matches the exclusion pattern. A pattern that matches more paths than you intended is too broad.
  • Recommended. Enter a comment to include in the audit log.

  • Click Create Exclusion.
    • Optional. If you want to add another exclusion pattern after you save this one, select Create another exclusion with these hosts after saving.

Note: A new exclusion must be enabled before it takes effect. Remember that changes can take up to 40 minutes to reach the sensors.
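The console's PATTERN TEST checks one path at a time. Before creating an exclusion it is worth running a candidate pattern against the paths you already see on the affected hosts, so you know how many files the exclusion will cover and whether it violates the narrowness and built-in-OS-binary advice given in the sensor visibility section. The script below is an added example written for this article, not CrowdStrike code, and it does not call the Falcon console or API. It assumes the glob semantics most practitioners expect (`*` does not cross a path separator, `**` does, `?` matches one character, and Windows-style patterns match case-insensitively); confirm these against Falcon's Wildcard Syntax reference before relying on them. The observed paths, the candidate patterns and the helper names (`glob_to_regex`, `blast_radius`, `lint_pattern`) are constructed for the example.

```python
"""Offline pattern test for Falcon-style exclusion patterns.

Added example, not CrowdStrike's code. Glob semantics are ASSUMED as follows;
confirm them against Falcon's Wildcard Syntax reference:
  '*'  any run of characters that does not cross a path separator
  '**' any run of characters, including separators
  '?'  exactly one character that is not a separator
  Windows-style patterns (drive letter or backslash) match case-insensitively.
"""
import re

SEP = r"[\\/]"          # accept both separator styles in patterns and paths
NOT_SEP = r"[^\\/]"

# Built-in OS executables and folders the article says not to exclude
OS_DIRS = ("/sbin", "/bin", "/usr/bin")
OS_INTERPRETERS = {"bash", "java", "python", "ruby"}

# Constructed sample of paths observed on a host (not real telemetry)
OBSERVED = [
    r"C:\Tools\build\buildtool.exe",
    r"C:\Tools\build\helper.dll",
    r"C:\Tools\build\cache\temp.exe",
    r"C:\Users\alice\Downloads\dropper.exe",
    "/usr/bin/python3",
    "/opt/app/bin/worker",
    "/opt/app/bin/worker.sh",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an exclusion pattern into an anchored regular expression."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*" and pattern[i + 1:i + 2] == "*":
            parts.append(".*")            # '**' crosses directories
            i += 2
            continue
        if c == "*":
            parts.append(NOT_SEP + "*")   # '*' stays inside one segment
        elif c == "?":
            parts.append(NOT_SEP)
        elif c in "\\/":
            parts.append(SEP)
        else:
            parts.append(re.escape(c))
        i += 1
    windows = bool(re.match(r"^[A-Za-z]:", pattern)) or "\\" in pattern
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if windows else 0)


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern covers this path."""
    return glob_to_regex(pattern).match(path) is not None


def blast_radius(pattern: str, paths=OBSERVED) -> list:
    """Every observed path the exclusion would cover: the visibility you give up."""
    return [p for p in paths if matches(pattern, p)]


def lint_pattern(pattern: str) -> list:
    """Return warnings for patterns that violate the article's best practices."""
    warnings = []
    segments = re.split(SEP, pattern)
    last = segments[-1]
    literal = [s for s in segments if s and not any(ch in s for ch in "*?")]
    if not literal:
        warnings.append("no literal path component: matches anywhere on the host")
    if last in ("*", "**"):
        scope = "an entire folder and all subfolders" if last == "**" else "an entire folder"
        warnings.append(f"excludes {scope}; prefer a single executable")
    stem = re.match(r"[a-z]+", last.lower())       # python3.exe -> python
    if stem and stem.group(0) in OS_INTERPRETERS:
        warnings.append(f"targets built-in interpreter '{stem.group(0)}'")
    posix = pattern.replace("\\", "/")
    if any(posix == d or posix.startswith(d + "/") for d in OS_DIRS):
        warnings.append("targets a built-in OS executable folder")
    return warnings


if __name__ == "__main__":
    for candidate in (r"C:\Tools\build\buildtool.exe", r"C:\Tools\build\*",
                      r"C:\Tools\build\**", r"**\*.exe", "/usr/bin/python3"):
        hits = blast_radius(candidate)
        print(f"{candidate!r}: {len(hits)} of {len(OBSERVED)} observed paths")
        for w in lint_pattern(candidate):
            print("  WARNING:", w)
```

Run it with a path list exported from your own inventory in place of `OBSERVED`. The single-executable pattern covers one path and raises no warning, `C:\Tools\build\*` silently covers a DLL alongside the tool, `**` variants pick up the `cache` subfolder and, for `**\*.exe`, every executable on the host, and `/usr/bin/python3` is flagged twice because it is both a built-in interpreter and inside a built-in OS folder.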

Full CrowdStrike documentation and information about Exclusions can be found at the following link.
