File, extensions, Folder Path Exclusions tutorial please


Badge +5
Hi guys,
I am looking for resources on making exclusions for files, extensions, and folder paths please. We are implementing Global Shop Solutions here at work and they are requesting some exclusions/whitelisting.
 
Thanks!

11 replies

Badge +5
So here are the exclusion recommendations I received from Global Shop.
\\SERVERNAME\Apps\Global should be replaced with the UNC path to your own Global (or Infisy) directory. Avoid using mapped drives where possible. If necessary, add them as exclusions in addition to the UNC paths.
%Temp% is an environment variable that represents a temporary folder specific to the Windows user profile currently logged into the system. Most often this is C:\Users\CURRENT_USER\AppData\Local\Temp (where CURRENT_USER represents the currently logged in user).

Exclusions by path or folder:
· https://about:blank
· %Temp%\GSS\*.*
· C:\Windows\Assembly\NativeImages*.*
· C:\Windows\Temp\*.MKD
Exclusions by File Extension:
· .DDF
· .DEBUG
· .GLOG
· .MKD
· .OCX
· .OUT
· .TRC
Exclusions by Program:
· Octsrs.exe
· Octsrs.net.exe
· GSSMenu.exe
· GSSBrowser.exe
· GSSRL.exe
· CRPreviewNET.exe
· ARC.exe
· PatchWidget.exe
Badge +1
Yes, it would be very helpful to post a list and/or procedure to override files for the Global Shop application, especially for their C:\Windows\Assembly DLL files, which look like they are created uniquely for each PC, or report, or who knows what. And there are hundreds of them. Also, %temp%/GSS/*.*: how safe is it?
Would be nice to see Webroot recommendation on how to make sure Webroot is not interfering with Global Shop App.
Badge +5
Would it help if I posted the list of recommended anti-virus exclusions here?
Userlevel 6
Badge +26
@CharlesIsWorking a little late to this discussion, but I can offer some assistance if you've not gotten all of your questions answered.

1) Overrides for everything are not necessary, as we have a large data set within our threat intelligence that covers both known good files as well as bad files. So, instead of making an override in anticipation of the agent causing an issue, we highly recommend you review the "undetermined report" in the site console: Reports tab - Undetermined software by endpoint. This will display a list of items on a given endpoint for which our data has no reference. If the software you referenced above is not listed, then we know about it and will not interfere.

2) Managing overrides. You do not need to assign overrides to a policy. This is for specific granular needs and is rarely needed. However, all overrides are applied to all endpoints across an entire site and all endpoints managed from that site will get the override applied.

3) Helpful tip for managing overrides. In the overrides tab on any given site, mouse over the column headers and on the right of each title is a little down arrow. Select that arrow and enable the "Determinations" column. This will display what our database knows about this file. If you've made an override and that column displays "Good" then you can delete it as it's redundant. If it's "Undetermined" then you're good to go. Keep in mind as our ML and AI process more of these types of files, that determination could switch from Undetermined to Good and you can remove it.

4) You can also turn on the "Policy" column to see which overrides are tied directly to a policy. I would remake those without assignment to a policy, as once that override is listed without being tied to a policy, all computers will reference it.

5) Lastly, you can submit any file MD5 or a list of files to our support team and they will get our threat teams to whitelist or build a central rule in our central system eliminating the need for you to make lots of overrides for large solutions with lots of DLLs and EXEs.

Hope this helps.
Badge +5
Ok I put in a ticket with the support system. We shall see what they say.
Userlevel 7
Badge +35
Hi @, I would recommend that you contact our support team, as they can fully answer all of your questions. 
Badge +5
Hmmm,
I don't seem to have the option to show Global Policies. Perhaps I am not elevated to that level. So I went ahead and made a new policy and started assigning exceptions to it.
 
Why can't I change the policy that an override is assigned to if I didn't assign one to it in the first place?
What happens to the overrides that don't have policies assigned? Do they do anything?
If need be, why can't I assign overrides to multiple policies?
Userlevel 1
No need for a sorry, everyone's starting sometime :)
 
Global GSM Overrides only trigger if the site has "Include Global Policy" enabled. On the right side of the Site list there is a "manage" button; from there go to "endpoint protection" and tick "include global policies".
 
If you want to make an override just for one site, click on the site name->overrides->add your override. From there you are able to backlink it to the whole GSM or just use it for the site you have selected.
 
Most of the time we do it this way:
 
a) Customer A has a specific software which needs some whitelists
Log in to GSM, select the customer's site, go to Overrides -> Create an Override and don't tick "General GSM Policy". You can select "use with policy" and select a policy (maybe you have something like "special policy" for a specific client group).
 
b) All customers have the same software, so we create it globally (only if we need to; most of the time you don't need whitelisting of applications, Webroot does its job really well!)
 
Hope this helps :)
 
Greets, Stefan
Badge +5
Thanks for that link! Sorry, I'm a little new to this thing!
Also, if I don't apply it to a specific policy, will it apply to all endpoints?
Userlevel 1
Hey There, Just look at the Help Topic in your GSM Console :)
 
This is a Direct Link to the Whitelist Overrides Topic: Creating Whitelist Overrides
 
Hope this helps 🙂, Stefan
Badge +5
Anyone out there? 🙂