
Endpoint Security, CrowdStrike, Exclusions

How and when to create exclusions within CrowdStrike Falcon.

Exclusion Determination

Knowing whether and how to create an exclusion is important to management of CrowdStrike in your environment. If CrowdStrike Falcon is generating detections for software that should be allowed to run, continue reading to understand what to do in response.

Exclusion Types

There are six types of exclusions available within the CrowdStrike Falcon console, each intended to serve a different purpose. They are as follows.

Exclusion Type | Target | Scope | Description
Quarantine Release | File hash | Single host | When releasing a file from quarantine, the Falcon sensor excludes its hash from ML detections.
Hash-based Exclusion | File hash | Host groups; Entire instance | One or more file hashes are listed as allowed, excluding them from ML detections.
ML Exclusion | File path | Host groups; Entire instance | A relative or absolute file path is specified as excluded from all ML detections and/or file analysis.
IOA Exclusion | File path & Command line | Host groups; Entire instance | A relative path and command line string are specified as excluded from detection on a particular IOA.
Sensor Visibility Exclusion | File path | Host groups; Entire instance | A relative or absolute file path is specified as excluded from nearly all Falcon sensor activity. Avoid using if possible.
Support-Enacted Exclusion | File hash; File path & Command line | Entire instance | Either a file hash or a relative path and command line string are specified as excluded from detections of a given type.

Exclusion Selection Process

With several exclusion types available, it can be tricky to know which one to create. Follow the process below to determine which type of exclusion to create.

[Figure: Exclusion Selection Process flowchart]

Process Outline in Detail

Start: Detection Alert

Choice 1: Was the detection a false positive?

  • Explanation: While Falcon does well at ignoring benign programs and preventing malicious ones, there are times when it may make a mistake. Examine the file detected, its activity, and the state of the host machine. Don't assume that a file's name or path is enough to determine its status.
  • Option No / Unsure: Exclusions may not be created for true positives. You must submit an exclusion request. End: Contact support.
  • Option Yes: Continue to Choice 2.

Choice 2: Can you access the web console?

  • Explanation: In order to take action on detections, you will need access to the CrowdStrike console. How access is granted depends on your management model. See Endpoint Security, CrowdStrike, Management Models for details.
  • Option No: You must submit an exclusion request. End: Contact support.
  • Option Yes: Continue to Choice 3.

Choice 3: Was the detection quarantined?

  • Explanation: When Falcon triggers a file-based detection, that file will often be put into quarantine. This is a good first place to set up an exclusion.
  • Option Yes: Continue to Action Q.
  • Option No: Continue to Choice 5.

Choice 4: Have the detections stopped?

  • Explanation: After creating the exclusion, wait approximately an hour to see if detections have ceased from that host.
  • Option Yes: End: The exclusion has successfully been created.
  • Option No: Continue to Choice 5.

Choice 5: Is this a Self-Managed instance?

  • Explanation: Further action on detections requires an account with certain roles in a Self-Managed instance. Most teams will be in the Community or a Named instance. See Endpoint Security, CrowdStrike, Management Models for details.
    If your account is in a Self-Managed instance, but you find yourself unable to make any changes, check your roles or contact your local CrowdStrike administrator. See Endpoint Security, CrowdStrike, Roles for details.
  • Option No / Unsure: You must submit an exclusion request. End: Contact support.
  • Option Yes: Continue to Action A.

Choice 6: Is an IOA name listed?

  • Explanation: In the details for any given detection, information about both the host and the triggering process is listed. This field, if present, will appear under the "Execution Details".
  • Option Yes: Continue to Choice 7.
  • Option No: Continue to Choice 8.

Choice 7: Is the tactic "Custom Intelligence"?

  • Explanation: As with the "IOA name" field, the "Tactic" field will appear under the "Execution Details" for a detection.
  • Option Yes: Your local administrator has blocked this file. End: Contact your local CrowdStrike administrator.
  • Option No: Continue to Action I.

Choice 8: Is the triggering file likely to change?

  • Explanation: Files whose contents do not change are prime candidates for hash exclusions. Files that may change over time should use ML exclusions instead.
  • Option No: Continue to Action H.
  • Option Yes: Continue to Action M.

Choice 9: Have the detections stopped?

  • Explanation: After creating the exclusion, wait approximately an hour to see if detections have ceased from that host.
  • Option No: End: Contact support.
  • Option Yes: End: The exclusion has successfully been created.

Action Q: Release the quarantine

Action A: Analyze the detection

  • Explanation: In order to choose the proper type of exclusion to create, you must work out how CrowdStrike determined that the process was malicious. In the Falcon menu, navigate to Activity > Detections, then click on the detection to view its details.
  • Result I can't: You do not have the proper permissions to view detections, and cannot make a judgement on the type of exclusion to create. End: Contact your local CrowdStrike administrator.
  • Result Continue: Continue to Choice 6.

Action I: Create an IOA exclusion

  • Explanation: Certain known behaviors will be stopped by CrowdStrike as an Indicator of Attack (IOA). IOA exclusions are specific to the IOA that triggered them. See Managing IOA exclusions in the official documentation (login required). Note that some IOA detections cannot be excluded and will require you to contact support.
  • Result: Done: Continue to Choice 9.

Action H: Create a hash exclusion

  • Explanation: If a detection is triggered by its hash or CrowdStrike's Machine Learning (ML) algorithms, an exclusion can be created for that file hash. See Custom IOCs in the official documentation (login required).
  • Result: Done: Continue to Choice 9.

Action M: Create an ML exclusion

  • Explanation: If a detection is triggered by its hash or CrowdStrike's Machine Learning (ML) algorithms, an exclusion can be created for that file's name and/or path. See Managing machine learning exclusions in the official documentation (login required).
  • Result: Done: Continue to Choice 9.

Final Notes

Exclusions require care to create properly so that they do not become overly permissive. Malware allowed by an exclusion is much harder for analysts to detect. Please keep the scope of exclusions narrow using the following tips:

  • Use Quarantine Release and Hash-based exclusions whenever feasible.
  • Limit the scope of exclusions to small groups where they will be required.
  • Limit the use of wildcards in paths and command line definitions as much as possible.
  • Avoid using Sensor Visibility exclusions wherever possible.
  • When in doubt, contact support for assistance in setting up your exclusion.
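As an added illustration of these tips (example code, not part of the original article or of CrowdStrike's tooling), the following script reviews proposed exclusion requests before they are created and flags the patterns the tips warn against: Sensor Visibility exclusions, instance-wide scope, wildcard-heavy paths, directory-wide wildcards, and match-all IOA command lines. The record layout, the short type names, the sample requests, and the assumption that hash exclusions are SHA-256 values are all constructed for this example and are not Falcon's own schema.

```python
"""Review proposed Falcon exclusions against the narrow-scope tips above.

Added example. The Exclusion record below is a constructed layout for
illustration; it is not the CrowdStrike console's or API's schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Short names for the exclusion types in the table above (constructed here).
PREFERRED_TYPES = {"quarantine_release", "hash"}
PATH_TYPES = {"ml", "ioa", "sensor_visibility"}
# Assumption of this example: hash exclusions are given as SHA-256 hex digests.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass
class Exclusion:
    """One proposed exclusion request (constructed record layout)."""
    kind: str               # quarantine_release | hash | ml | ioa | sensor_visibility
    scope: str              # host | group | instance
    value: str              # file hash for hash types, path pattern for path types
    command_line: str = ""  # IOA exclusions only


def wildcard_count(pattern: str) -> int:
    """Count glob-style wildcards in a path or command-line pattern."""
    return pattern.count("*") + pattern.count("?")


def review(exc: Exclusion) -> list[str]:
    """Return the narrow-scope problems found; an empty list means no concern."""
    findings: list[str] = []

    if exc.kind == "sensor_visibility":
        findings.append("sensor visibility exclusion hides nearly all sensor activity for this path; prefer another type")
    if exc.scope == "instance":
        findings.append("scoped to the entire instance; limit it to the host groups that need it")

    if exc.kind == "hash" and not SHA256_RE.match(exc.value):
        findings.append("hash is not a 64-hex-digit SHA-256 value")

    if exc.kind in PATH_TYPES:
        wc = wildcard_count(exc.value)
        if wc:
            findings.append(f"path contains {wc} wildcard(s); point at the specific file if possible")
        # A path that ends in "\*" or "/*" excludes every file in the directory, not one program.
        stripped = exc.value.rstrip("*")
        if stripped != exc.value and stripped.endswith(("\\", "/")):
            findings.append("path ends in a directory wildcard; every file below it would be excluded")

    if exc.kind == "ioa":
        cl = exc.command_line.strip()
        if not cl or cl in {"*", ".*"}:
            findings.append("IOA command line is empty or match-all; capture the actual invocation")

    return findings


def verdict(exc: Exclusion) -> str:
    """'ok' when nothing was flagged, otherwise 'review' so the request gets a second look."""
    return "ok" if not review(exc) else "review"


# Constructed sample requests: two narrow, two overly broad.
SAMPLE_REQUESTS = [
    Exclusion("hash", "group", "a" * 64),
    Exclusion("ml", "group", r"C:\Program Files\Vendor\tool.exe"),
    Exclusion("ioa", "instance", r"C:\Tools\*\*.exe", command_line=".*"),
    Exclusion("sensor_visibility", "instance", r"C:\*"),
]


def summarize(requests: list[Exclusion] = SAMPLE_REQUESTS) -> dict[str, int]:
    """Count how many requests pass as-is and how many need narrowing."""
    counts = {"ok": 0, "review": 0}
    for exc in requests:
        counts[verdict(exc)] += 1
    return counts


if __name__ == "__main__":
    for exc in SAMPLE_REQUESTS:
        print(f"{exc.kind:18} {exc.scope:9} {exc.value}")
        for finding in review(exc):
            print(f"    - {finding}")
    print(summarize())
```

Run it as-is to see the two broad requests flagged; to use it on real requests, build Exclusion records from your own ticket data. The checks are deliberately conservative: a single flag does not mean the exclusion is wrong, only that it should be narrowed or justified before it is created.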


Keywords: falcon, exclusion, exclude, whitelist, allowlist, allowlisting, allow, detection, prevention, quarantine, quarantined, EPS, TechS-EPS-CS
Doc ID: 114037
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2021-09-30 10:01 CST
Updated: 2021-10-26 07:37 CST
Sites: University of Illinois Technology Services