When you configure ENS to exclude files from being scanned, it is important to understand how to use the available options to achieve your goal.
There are three scan profiles in the Endpoint Security Threat Prevention, On-Access Scan policy. They let you balance security against the performance impact of scanning. The three scan profiles are:
- Standard processes
- High Risk processes
- Low Risk processes
These profiles are assigned to the process, not to the files it touches. For example, the Windows File Explorer process, Explorer.exe, is set as a High Risk process. If the High Risk scan policy is set to scan when the process reads and writes, every file read and every file write performed by Explorer.exe is scanned. In the High Risk process scan policy, you can specify files and folders to exclude from scanning when a High Risk process reads or writes them. As a general security practice, do not exclude files or folders that contain files with the extensions .exe, .dll, and .sys: these are executable code, and an exclusion means a malicious file dropped there is never scanned.
It is common and recommended to set the Low Risk process scan policy to not scan on file read or file write. With this setting, no file read or file write by a Low Risk process is scanned, so you do not need to specify any file or folder exclusions for those processes.
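Before you put a folder into the High Risk process exclusion list, it is worth checking what is actually inside it. The following PowerShell script is an added example and not part of the KB article or the ENS product: it walks a list of planned folder exclusions (the paths below are hypothetical placeholders) and reports any .exe, .dll or .sys files that an exclusion would stop ENS from scanning.

```powershell
# Added example, not from the KB article or the ENS product.
# Audit candidate folder exclusions before adding them to the High Risk process
# scan policy. The paths in $PlannedExclusions are hypothetical placeholders.
$PlannedExclusions = @(
    'C:\Data\Reports',
    'C:\App\Cache'
)

# Extensions the article says should never end up inside an exclusion.
$RiskyExtensions = @('.exe', '.dll', '.sys')

function Test-ExclusionFolder {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; RiskyFiles = @() }
    }

    # Recurse deliberately: if the exclusion is configured to cover subfolders
    # as well, executables anywhere beneath the folder would also go unscanned.
    $hits = Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $RiskyExtensions -contains $_.Extension.ToLower() }

    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        RiskyFiles = @($hits | Select-Object -ExpandProperty FullName)
    }
}

foreach ($folder in $PlannedExclusions) {
    $result = Test-ExclusionFolder -Path $folder
    if (-not $result.Exists) {
        Write-Warning "$($result.Path): folder does not exist on this host; verify the path before excluding it."
    }
    elseif ($result.RiskyFiles.Count -gt 0) {
        Write-Warning "$($result.Path): contains $($result.RiskyFiles.Count) executable file(s); do not exclude this folder as-is."
        $result.RiskyFiles | ForEach-Object { Write-Output "    $_" }
    }
    else {
        Write-Output "$($result.Path): no .exe/.dll/.sys found; candidate for a file/folder exclusion."
    }
}
```

Run it on a representative endpoint rather than on the management server, because the contents of a folder such as an application cache differ from host to host. A folder that is clean today can still receive executables later, so the same check belongs in any periodic review of the exclusion list.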
For information about improving performance when scanning files, see:
KB88205 - How to improve performance with Endpoint Security.
How to exclude an application executable from on-access scanning
To exclude a known and trusted application executable from on-access scanning, put the application executable name in an exclusion. The exclusion prevents the executable from being scanned and potentially flagged, blocked, or deleted. For instructions, see the "Preventing Threat Prevention from blocking trusted programs, networks, and services" section of the
Endpoint Security 10.7 Product Guide.
How to exclude all file reads/writes by a known and trusted application from on-access scanning
Suppose that you have an internally developed application executable named myApp.exe. If you do not want any file reads and writes by myApp.exe to be scanned, add myApp.exe to the Low Risk process scan policy and set that policy to not scan on file read or write. Because the Low Risk list is keyed by process name, any process running under the name myApp.exe receives the same treatment, so use it only for executables you control and can verify.
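Because adding a process to the Low Risk list turns off scanning for everything it reads and writes, record what you are trusting before you do it. The following PowerShell script is an added example, not part of the KB article or the ENS product; the path to myApp.exe is a hypothetical placeholder. It captures the binary's SHA-256 hash and its Authenticode signature status so the trust decision is documented and can be re-checked later.

```powershell
# Added example, not from the KB article or the ENS product.
# Record the identity of an executable before trusting it as a Low Risk process.
# $Candidate is a hypothetical path; replace it with the real location.
$Candidate = 'C:\Program Files\MyCompany\myApp.exe'

function Get-TrustEvidence {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode status (Valid, NotSigned, HashMismatch, ...) and SHA-256 of the file.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    [pscustomobject]@{
        Path       = $Path
        SHA256     = $hash.Hash
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

$evidence = Get-TrustEvidence -Path $Candidate
$evidence | Format-List

if ($evidence.SigStatus -ne 'Valid') {
    # The Low Risk list matches on process name only, so any binary named
    # like the candidate inherits the exemption. Keep the hash as your record
    # of which build you actually reviewed.
    Write-Warning ("Signature status is '{0}' for {1}. Keep the recorded SHA-256 and re-check it after each release." -f $evidence.SigStatus, (Split-Path $Candidate -Leaf))
}
```

Store the output alongside the change request that adds myApp.exe to the Low Risk list. When the application is rebuilt, run the script again and compare the hash and signer before leaving the exemption in place.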