Trey
Contributor

Exclusion Questions

Hi,

I have a new customer who has a few questions about exclusions:

  1. Does CheckPoint automatically exclude any files or folders to allow SBA operation?
  2. Does CheckPoint automatically exclude any files or folders per vendor best practices?
  3. Do exclusions in the AV blade affect EDR tracking?
  4. How do you apply exclusions to the EDR blade?

I reviewed sk122706 How to use Endpoint Security Client Anti-Malware Blade exclusions and sk162553 ATRG: Endpoint Security Anti-Malware Blade and didn't find specific answers.

Also, both these sk articles use SmartEndpoint. Is it recommended to use SmartEndpoint or the Infinity Portal?

Thanks!

6 Replies
Roman_Zitzev
Employee Alumnus

Hi,


  1. Does CheckPoint automatically exclude any files or folders to allow SBA operation? --> Yes, there are several folders and processes that we exclude to make sure the performance impact is minimal. The processes and folders that are excluded have no security value. Keep in mind that our EDR solution monitors all file / registry / network / process / script (obfuscated and deobfuscated) / injection activity and more.
  2. Does CheckPoint automatically exclude any files or folders per vendor best practices? --> We exclude the well-known vendors by default, in case they are present on the machine.
  3. Do exclusions in the AV blade affect EDR tracking? --> If exclusions are done in the Forensics blade, they will affect EDR tracking.
  4. How do you apply exclusions to the EDR blade? --> By configuring a policy for the Forensics blade.

I reviewed sk122706 How to use Endpoint Security Client Anti-Malware Blade exclusions and sk162553 ATRG: Endpoint Security Anti-Malware Blade and didn't find specific answers.

Also, both these sk articles use SmartEndpoint. Is it recommended to use SmartEndpoint or the Infinity Portal? --> Infinity Portal.


--> For any additional questions you can contact me as well: romanzit@checkpoint.com

Trey
Contributor

What are the folders and processes that you exclude?

Does excluding by default the well known vendors mean you don't have to add, for instance, the recommended Microsoft exclusions?

Thanks!

Roman_Zitzev
Employee Alumnus

What are the folders and processes that you exclude? -->

Folders:

1. Internal folders used by the application that runs from them or writes logs / info into them, for example Chrome, which writes to its own folders in %programfiles% or %programdata%.

This is done by the signer of the application and the destination.

Processes:

1. Other vendors' processes, like Windows Defender or Kaspersky; this is done by the signer.

2. A specific list of processes that monitor or create a large amount of activity on the system, like Process Explorer, Java IDEs and more.

This is done based on the signer and the name.


Does excluding by default the well known vendors mean you don't have to add, for instance, the recommended Microsoft exclusions? --> Correct

If you wish, we can do a short Zoom session and I can explain more about our exclusion system.
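The answer above says the built-in exclusions are keyed on the application's signer and its destination folder, while the hand-written exclusions administrators add (the "200 AV exclusions" kind) are usually plain paths, and a path exclusion also skips anything an attacker later drops into that path. The following PowerShell script is an added example, not part of this thread and not Check Point tooling: before a folder is added as a path exclusion, it lists which signers actually own the executables found there, which binaries are unsigned, and which principals other than SYSTEM / Administrators / TrustedInstaller can write into the folder. The $Candidates list is made up and should be replaced with your own; it uses only standard cmdlets (Get-ChildItem, Get-AuthenticodeSignature, Get-Acl).

```powershell
# Added example (not from the thread or Check Point): audit candidate folders before
# turning them into Anti-Malware path exclusions. A path exclusion is weaker than a
# signer-based one, because anything written into the folder is skipped too.

# Hypothetical candidate list; replace with the folders you intend to exclude.
$Candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "$env:ProgramData\SomeVendor",          # hypothetical path
    "C:\inetpub\logs"                       # hypothetical path
)

# Principals that are expected to be able to write into a program folder.
# Any other principal with write rights is reported.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Get-WritersOutsideTrustedSet {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # FileSystemRights::Write = WriteData | AppendData | WriteEA | WriteAttributes
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -and
            ($TrustedWriters -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-ExclusionAudit {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Signers = $null; Unsigned = $null; UntrustedWriters = $null }
            continue
        }
        # Executables and libraries under the folder; these are what the exclusion would skip.
        $binaries = Get-ChildItem -LiteralPath $p -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue
        $signatures = $binaries | Get-AuthenticodeSignature

        $signers = $signatures |
            Where-Object { $_.Status -eq 'Valid' } |
            ForEach-Object { $_.SignerCertificate.Subject } |
            Sort-Object -Unique
        # Anything not validly signed (NotSigned, HashMismatch, UnknownError, ...) is listed by path.
        $unsigned = $signatures |
            Where-Object { $_.Status -ne 'Valid' } |
            ForEach-Object { $_.Path }

        [pscustomobject]@{
            Path             = $p
            Exists           = $true
            Signers          = $signers
            Unsigned         = $unsigned
            UntrustedWriters = Get-WritersOutsideTrustedSet -Path $p
        }
    }
}

Get-ExclusionAudit -Paths $Candidates | Format-List
```

Read the output per folder: a single vendor signer, no unsigned binaries and no untrusted writers is the profile the built-in signer-based exclusions described above are meant to cover, so the folder may not need a manual exclusion at all. A folder with unsigned binaries, or one that standard users or service accounts can write to (log and temp directories typically are), is exactly where a blanket path exclusion widens the attack surface; narrow it to specific files, or leave it scanned and accept the performance cost.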

Michi
Participant

Found this thread by accident. Is there an SK about this somewhere?

At this point I have around 200 AV exclusions for Windows, Exchange, MSSQL, VMware, Oracle etc.
What is included in detail? I'm not quite sure what to include and what not to include.
TAC told me quite the opposite: that nothing is included by default, that it is the customer's choice, and that an exclusion always increases the risk.

BR Michele Evermann

^ME
MikeB
Advisor

I think this information (which is very important) should be well explained and made clear in some SK or management guide. It is of great interest to our customers and would save us administrators hours of configuration and research when applying exceptions manually.

Michi
Participant

@Roman_Zitzev do you have this information published anywhere?

BR Michi

^ME
