topic Re: Exclusion Questions in Endpoint

Exclusion Questions

Trey — Tue, 23 Feb 2021 15:35:43 GMT

Hi,

I have a new customer who has a few questions about exclusions:

Does CheckPoint automatically exclude any files or folders to allow SBA operation?
Does CheckPoint automatically exclude any files or folders per vendor best practices?
Do exclusions in the AV blade affect EDR tracking?
How do you apply exclusions to the EDR blade?

I reviewed sk122706 How to use Endpoint Security Client Anti-Malware Blade exclusions and sk162553 ATRG: Endpoint Security Anti-Malware Blade and didn't find specific answers.

Also, both these sk articles use SmartEndpoint. Is it recommended to use SmartEndpoint or the Infinity Portal?

Thanks!

Re: Exclusion Questions

Roman_Zitzev — Sat, 27 Feb 2021 13:34:54 GMT

Hi,

Does CheckPoint automatically exclude any files or folders to allow SBA operation? --> Yes there are several folders and processes that we exclude to make sure the performance impact are minimal. The processes and the folders that excluded have no security value. Keep in mind that our EDR solution monitor all file\registry\network\process\script(obfuscated and deobfuscated )\injection and more.
Does CheckPoint automatically exclude any files or folders per vendor best practices? --> We exclude by default the well known vendors in case they present on the machine.
Do exclusions in the AV blade affect EDR tracking? --> In case exclusion are done in Forensics blade it will effect EDR tracking.
How do you apply exclusions to the EDR blade? --> By configure policy for Forensics baled.

I reviewed sk122706 How to use Endpoint Security Client Anti-Malware Blade exclusions and sk162553 ATRG: Endpoint Security Anti-Malware Blade and didn't find specific answers.

Also, both these sk articles use SmartEndpoint. Is it recommended to use SmartEndpoint or the Infinity Portal? --> Infinity Portal.

--> For any additional questions you can contact me as well, romanzit@checkpoint.com

Re: Exclusion Questions

Trey — Mon, 01 Mar 2021 17:24:24 GMT

What are the folders and processes that you exclude?

Does excluding by default the well known vendors mean you don't have to add, for instance, the recommended Microsoft exclusions?

Thanks!

Re: Exclusion Questions

Roman_Zitzev — Mon, 01 Mar 2021 17:44:57 GMT

What are the folders and processes that you exclude? -->

Folders:

1. Internal folders that used by the application that running from them or writing logs\info into them, for example chrome that write to its own folders

in %programfiles% or %programdata%.

this done by the signer of the application and the destination.

Processes:

1. Other vendors processes like windows defender or Kaspersky, its done by the signer.

2. Specific list of processes that monitor or creating large activity on the system like processes explorer, java IDE and more.

its done base on the signer and name

Does excluding by default the well known vendors mean you don't have to add, for instance, the recommended Microsoft exclusions? --> Correct

if you wish we can do a short zoom session and i can explain more about our exclusion system.

Re: Exclusion Questions

Michi — Tue, 12 Apr 2022 12:27:21 GMT

Found this Thread by accident, is there an SK about this somewhere?

At this point i have around 200 AV Exclusions for Windows, Exchange, MSSQL, VMWare, Oracle etc...
What is in detail included - i'm not quite sure what to include and what not to include.
TAC told me quite the opposite that nothing is included by default and that it is the customers choice and that an exclude always increases the risk.

BR Michele Evermann

Re: Exclusion Questions

MikeB — Mon, 18 Apr 2022 12:03:34 GMT

I think this information (which is very important) should be well explained and clear in some SK or management guide. It is of great interest to our customers and would save us administrators hours of configuration and research to apply exceptions manually.

Re: Exclusion Questions

Michi — Mon, 30 May 2022 15:19:34 GMT

@Roman_Zitzev do you have this information published anywhere?

BR Michi