How to exclude activity from Endpoint Prevention

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

You can instruct your Endpoint Prevention program to exclude asset behavior that would otherwise trigger a response from your prevention policies. This article covers how exclusions work and how to create them.

Exclusions are dependent on the prevention engines included in your license

Each prevention engine detects and alerts on certain asset behaviors, so exclusions are relative to those behaviors. If some of the exclusions documented here do not appear in your environment, check your license or contact Rapid7 if you wish to upgrade.

Exclusion rules and characteristics

In general, exclusions in Endpoint Prevention should be approached with more caution and consideration than similar exclusion capabilities offered by other Rapid7 features.

At its strictest level, Endpoint Prevention is designed to intervene automatically when a threat is detected. Excluding certain behavior from this intervention also means increasing the risk to your assets.

Ultimately, your business is in the best position to know what level of risk is acceptable in your environment and what asset behaviors can be safely ignored, but any exclusions you create in Endpoint Prevention should nonetheless be clearly intentional and as narrow as the situation allows.

Exclusion types

While you may want to create some exclusions proactively, you may also need to create them after you receive an alert in InsightIDR about benign activity.

When creating an exclusion proactively, without the context of a given alert, the available exclusion types are Path, Hash, and Extension (NGAV add-on). However, when creating an exclusion from an alert you received in InsightIDR, the Insight Platform will provide the applicable exclusion type based on the alert type and associated Prevention Engine.

That means not all exclusion types are available for every alert. In addition, in some cases the process that triggered an alert is a container process, a sensitive process, or a generic process (for example, a script host or shell that runs arbitrary commands). For these processes the Insight Platform may adjust the applicable exclusion so that it is more granular than a plain process exclusion. This is intended behavior and avoids excluding everything such a process could run.

Criteria you can exclude

You can exclude these types of detectable criteria from Endpoint Prevention capabilities:

  • SHA256 hash values
  • Paths - Allows you to exclude a file path on your assets.
    • This exclusion type is useful if your assets run software or services at a specific location and you want to ensure that Endpoint Prevention does not impact how these tools operate.
  • Extensions - Allows you to exclude an entire file type.
    • This exclusion type is useful if your assets use a specific file format regularly that you don't want Endpoint Prevention to scan.
    • Because an extension exclusion only affects scanning, you can create it with the Deflect scanning purpose only.
  • Process - Allows you to exclude an executable (.exe) process path on your assets.
  • Certificate - Allows you to exclude a digitally signed process by its certificate details. You can also choose the level at which the process certificate details are identified:
    • Publisher - Any executable process signed by the publisher information found in the certificate is excluded.
    • Product - Any executable process signed by the publisher and with the product definition found in the certificate will be excluded.
    • File name - Any executable process signed by both the publisher and product and file name will be excluded.
  • Script - Allows you to exclude a specific script or command that a process is attempting to execute.
  • File Access - Allows you to exclude specific directories or files that a process is attempting to reach.
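The certificate levels above differ in how much they exclude: a Publisher-level exclusion silences every binary that publisher has ever signed, while a File name-level exclusion silences one named file from one product. The following is an added illustration, not Rapid7's code or the Insight Platform's actual matching logic: a small Python model that validates exclusion values (for example, that a Hash exclusion really is a 64-hex-digit SHA256) and counts how many constructed process events each exclusion would silence. The event fields, matching rules and sample data are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
CERT_LEVELS = ("publisher", "product", "file_name")
KINDS = ("hash", "path", "extension", "process", "certificate")


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed sample of what a prevention engine observes (assumed fields)."""
    path: str
    sha256: str
    publisher: str = ""   # signer details from the code-signing certificate;
    product: str = ""     # "" means unsigned / field not present
    file_name: str = ""


@dataclass(frozen=True)
class Exclusion:
    kind: str            # one of KINDS
    value: str           # hash, path, extension (".tmp"), process path or publisher
    level: str = ""      # certificate only: which of CERT_LEVELS to match at
    product: str = ""    # certificate only, used at "product" and "file_name" level
    file_name: str = ""  # certificate only, used at "file_name" level


def _norm(p: str) -> str:
    """Windows paths are case-insensitive; normalise separators and case."""
    return p.replace("/", "\\").lower()


def validate(exc: Exclusion) -> Exclusion:
    """Reject values that could never match or that are wider than intended."""
    if exc.kind not in KINDS:
        raise ValueError(f"unknown exclusion kind {exc.kind!r}")
    if exc.kind == "hash" and not SHA256_RE.match(exc.value):
        raise ValueError("hash exclusions must be a 64-hex-digit SHA256")
    if exc.kind == "extension" and not re.match(r"^\.[A-Za-z0-9]+$", exc.value):
        raise ValueError("extension must look like '.tmp'")
    if exc.kind == "process" and not exc.value.lower().endswith(".exe"):
        raise ValueError("process exclusions take an executable (.exe) path")
    if exc.kind == "certificate":
        if exc.level not in CERT_LEVELS:
            raise ValueError(f"certificate level must be one of {CERT_LEVELS}")
        if exc.level != "publisher" and not exc.product:
            raise ValueError("product and file name levels need a product name")
        if exc.level == "file_name" and not exc.file_name:
            raise ValueError("file name level needs a file name")
    return exc


def is_valid(exc: Exclusion) -> bool:
    try:
        validate(exc)
        return True
    except ValueError:
        return False


def matches(exc: Exclusion, ev: ProcessEvent) -> bool:
    """Assumed matching rules for each exclusion type."""
    if exc.kind == "hash":
        return exc.value.lower() == ev.sha256.lower()
    if exc.kind in ("path", "process"):
        return _norm(exc.value) == _norm(ev.path)
    if exc.kind == "extension":
        return _norm(ev.path).endswith(exc.value.lower())
    # certificate: each level adds one more field that must agree, so
    # "publisher" is the widest match and "file_name" the narrowest.
    if not ev.publisher or ev.publisher != exc.value:
        return False
    if exc.level == "publisher":
        return True
    if ev.product != exc.product:
        return False
    if exc.level == "product":
        return True
    return ev.file_name.lower() == exc.file_name.lower()


def excluded_events(exc: Exclusion, events: List[ProcessEvent]) -> List[str]:
    """Paths of every event the exclusion would silence: its blast radius."""
    validate(exc)
    return [ev.path for ev in events if matches(exc, ev)]


# Constructed sample events: three binaries signed by the same (hypothetical)
# publisher, one of them dropped in an unusual location, plus one unsigned file.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Acme\acmeagent.exe", "a" * 64,
                 "Acme Corp", "Acme Agent", "acmeagent.exe"),
    ProcessEvent(r"C:\Program Files\Acme\acmeupdater.exe", "b" * 64,
                 "Acme Corp", "Acme Updater", "acmeupdater.exe"),
    ProcessEvent(r"C:\Users\Public\dropped.exe", "c" * 64,
                 "Acme Corp", "Acme Agent", "dropped.exe"),
    ProcessEvent(r"C:\Temp\report.tmp", "d" * 64),
]

if __name__ == "__main__":
    for level in CERT_LEVELS:
        exc = Exclusion("certificate", "Acme Corp", level=level,
                        product="Acme Agent", file_name="acmeagent.exe")
        print(f"{level:10s} silences {len(excluded_events(exc, SAMPLE_EVENTS))} event(s)")
```

Run stand-alone, the script shows the Publisher level silencing three events, Product two and File name one: the dropped copy in a public directory is still covered by the Publisher and Product levels because it carries the same signature, which is the kind of blind spot a broad exclusion creates.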

Supported criteria for prevention engines

Depending on the alert type and context, this table indicates the attributes that prevention engines are monitoring and the types of exclusions that are allowed:

Prevention Engine              Supported exclusion types (of: Path, Hash, Process, Extension, Script, File Access, Certificate)
On-Access Scanning             X X X X
Memory Injection               X X X
Malicious Document             X X
Living-Off-the-Land            X
OS Credential Dumping          X X X
File and Process Manipulation  X X
Data Encryption                X X X

(Each X marks one supported exclusion type; the column each mark belongs to is not preserved in this copy of the table.)

Set the purpose

If you have the On-Access Scanning (Antivirus) prevention engine, you can tune your exclusions to get more granular control.

Only applies with the On-Access Scanning (Antivirus) engine

If the On-Access Scanning prevention engine is not included in your environment, this setting does not apply.

The 3 available options are:

Scope of exclusions

You can apply exclusions to all of the prevention groups in your organization – these are called 'global exclusions'. You can also apply them to individual prevention groups during the creation or editing process, meaning the exclusions will apply only to the agents within that group.

How to configure an exclusion

How to access the Agent Management interface

All aspects of your Endpoint Prevention program are configurable in the Agent Management experience of Insight Platform Home. Your Insight account must have either the Platform Administrator role or a Product Administrator role to access Agent Management:

  1. Go to https://insight.rapid7.com/login and sign in with your Insight account email address and password.
    • If you are not directed to Insight Platform Home upon successfully signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open the Data Collection tab in the left menu and click Agents.
    • Use the dropdown next to Agent Management to select the organization for which you want to configure Endpoint Prevention. If you only have access to 1 organization, it will already be selected.

To create an exclusion:

  1. In your Agent Management experience, click the Endpoint Prevention tab.
  2. Determine whether you want the exclusion to be global or prevention group-specific:
    • For global exclusions, click the Global Exclusions subtab and click Create Global Exclusion. The exclusion creation window appears.
    • For prevention group-specific exclusions, click the Prevention Groups subtab and click on the prevention group for which you want to create an exclusion. Scroll to the Exclude Items from this Prevention Group section and click Create Exclusion. The exclusion creation window appears.
  3. Select the exclusion type.
  4. Based on the type you selected, enter a value as prompted by the example shown.
  5. If desired, give the exclusion a description.
  6. If you have the On-Access Scanning (Antivirus) engine, select the purpose of the exclusion.
    • Exclusions of the Extension type will have the Deflect scanning option already selected. This is the only purpose available for this exclusion type.
  7. Click Save when finished.

You can edit both global and prevention group-specific exclusions in the same location where you created them.