This article provides guidance on how to create file and directory exclusions with ENSLTP (Endpoint Security for Linux Threat Prevention).
Configure exclusions for ePolicy Orchestrator (ePO) managed computers at the following location:
- Log on to the ePO console.
- Click Menu, Policy, Policy Catalog.
- Select Endpoint Security Threat Prevention from the Product drop-down list.
- Select On-Access Scan from the Category drop-down list.
- Click the policy name.
- Click Show Advanced.
- Navigate to the Process Settings section, Exclusions list.
When you configure exclusions by file name and path, there are three types of wildcard exclusion symbols used in ENSLTP:
- Single asterisk: * — Used to represent partial file names or extensions with one or more characters from the exact position where it is placed in the path or file specified.
- Double asterisk: ** — Generally used for partial file names or extensions with one or more characters from the exact position where it is placed in the path or file specified.
- Question mark: ? — Used for single character replacement within file names and directory names. This wildcard character gives you more control over exclusions.
When you set exclusions by file type, you can use only the question mark wildcard exclusion symbol in ENSLTP:
- Question mark: ? — Used for single character replacement within file type strings. This wildcard character gives you more control over exclusions.
The sections below explain how to use these wildcards correctly.
Single asterisk for file name or path exclusions
To denote single directory names, use a single asterisk (*) wildcard. For example, the exclusion /data/*/sub/ would exclude the following folders:
/data/1/sub/
/data/name2/sub/
/data/backup/sub/
To denote partial file name matches or wildcard extension matches, use a single asterisk (*) wildcard. For example:
/data/abc*.raw
/data/abc.*
NOTE: Do not use trailing slashes (/) for file name matches. Doing so excludes the wrong items. To clarify this important point, examine the following two examples: /data/abc and /data/def/.
The first exclusion is treated as a file name, and the second is treated as a directory.
When the policy is enforced on the system, the local command shows the above examples as follows:
ENSLTP 10.6.6 and later:
# /opt/McAfee/ens/threatprevention/bin/isecav --getoasconfig --exclusionlist --profile standard
ENSLTP 10.6.5 and earlier:
# /opt/isec/ens/threatprevention/bin/isecav --getoasconfig --exclusionlist --profile standard
Index  Item           Exclude Subfolder  When to exclude
1      /data/*/sub/   Disabled           readandwrite
2      /data/def/     Disabled           readandwrite
3      /data/abc      Not Applicable     readandwrite
The result is that "Exclude Subfolder" shows as "Not Applicable" for the exclusion item /data/abc (index 3) because it was specified with no trailing slash, so the item is treated as a file path.
Double asterisk for directory exclusions
Double asterisks (**) allow a wider directory exclusion called a Multiple Depth Exclusion. Use it where the same target folder name occurs multiple times in subdirectories that originate from a common parent directory.
For example, a directory named "cache" can exist under one or more subdirectories at any depth under the /data directory:
/data/user/tom/cache/
/data/user/jim/cache/
/data/admin/cache/
/data/user/family/a1/b2/cache/
The following example uses a double asterisk to exclude the contents of any directory named cache under the /data directory: /data/**/cache/
When the policy is enforced on the system, the local command shows the above example as follows, with the exclusion item /data/**/cache/ at index 1:
ENSLTP 10.6.6 and later:
# /opt/McAfee/ens/threatprevention/bin/isecav --getoasconfig --exclusionlist --profile standard
ENSLTP 10.6.5 and earlier:
# /opt/isec/ens/threatprevention/bin/isecav --getoasconfig --exclusionlist --profile standard
Index  Item             Exclude Subfolder  When to exclude
1      /data/**/cache/  Disabled           readandwrite
2      /data/*/sub/     Disabled           readandwrite
3      /data/def/       Disabled           readandwrite
4      /data/abc        Not Applicable     readandwrite
Question mark for file type exclusions
Use a question mark wildcard to denote single character replacement within file type strings. For example, in a three-character file type you can replace any one of the three characters with a question mark; the exclusion item A?C below replaces the second character, so it matches any file type that starts with A and ends with C.
When the policy is enforced on the system, the local command shows the above example as follows, with the exclusion item A?C at index 6:
ENSLTP 10.6.6 and later:
# /opt/McAfee/ens/threatprevention/bin/isecav --getoasconfig --exclusionlist --profile standard
ENSLTP 10.6.5 and earlier:
# /opt/isec/ens/threatprevention/bin/isecav --getoasconfig --exclusionlist --profile standard
Index  Item             Exclude Subfolder  When to exclude
1      /data/**/cache/  Disabled           readandwrite
2      /data/*/sub/     Disabled           readandwrite
3      /data/def/       Disabled           readandwrite
4      /data/abc        Not Applicable     readandwrite
5      /data/time-?     Not Applicable     readandwrite
6      A?C
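The following Python model is an added example, not code from the article or from the ENSLTP product: it applies the single asterisk, double asterisk, question mark and trailing-slash rules described above to sample paths, so an administrator can check which files an exclusion list would leave unscanned before enforcing the policy. The names Exclusion, matches and excluded_by are my own, and the matching rules are assumptions stated in the comments rather than the product's documented matcher.

```python
import re
from typing import NamedTuple, Optional

# Added example (not ENSLTP's own code): a model of the wildcard rules this
# article describes, to check what an exclusion list covers before deploying it.
# Assumptions: "*" and "?" stay within one path component, "**" spans one or
# more directory levels, a trailing "/" marks a directory (deeper levels only
# with Exclude Subfolder enabled), a file-type item matches the extension.

class Exclusion(NamedTuple):
    item: str
    kind: str = "path"                # "path" or "filetype"
    exclude_subfolders: bool = False

def wildcards_to_regex(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(r"[^/]+(?:/[^/]+)*")  # one or more directory levels
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^/]+")             # one or more chars, one component
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^/]")              # exactly one character
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def matches(exc: Exclusion, path: str) -> bool:
    if exc.kind == "filetype":
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else None
        return ext is not None and re.fullmatch(wildcards_to_regex(exc.item), ext) is not None
    body = wildcards_to_regex(exc.item)
    if exc.item.endswith("/"):            # trailing slash: directory, else a file path
        body += r".*" if exc.exclude_subfolders else r"[^/]*"
    return re.fullmatch(body, path) is not None

def excluded_by(exclusions, path: str) -> Optional[int]:
    # 1-based index of the first matching item, numbered as in the isecav table
    for idx, exc in enumerate(exclusions, start=1):
        if matches(exc, path):
            return idx
    return None

# The six items shown in the article's isecav output; item 6 is the file type A?C.
ARTICLE_EXCLUSIONS = [Exclusion(i) for i in ("/data/**/cache/", "/data/*/sub/",
                      "/data/def/", "/data/abc", "/data/time-?")] + [Exclusion("A?C", "filetype")]
```

Running excluded_by over the paths a host actually holds shows, for instance, that /data/name2/sub/deeper/file.txt is still scanned while Exclude Subfolder is Disabled, and that /data/abc/x is not covered by the file-path item /data/abc.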