Adding an exclusion rule for observables

To add to an exclusion rule for observables:

1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
2. Select the Observables tab.
3. In the upper-right corner of the application web interface window, click Add.

   This opens the New rule window.

4. In the Criterion drop-down list, select one of the following criteria for adding a rule to the list of scan exclusions:
   • MD5.
   • Format.
   • URL mask.
   • Source IP or subnet.
   • Destination IP or subnet.
5. If you selected Format, select the file format that you want to add from the Value drop-down list.

   For example, you can select the MSOfficeDoc format.

6. If you selected MD5, URL mask, Source IP or subnet, Destination IP or subnet, in the Value field, enter the value of the relevant criterion that you want to add to the list of scan exclusions:
   • If you selected MD5, enter the MD5 hash of the file in the Value field.
   • If you selected URL mask, enter the URL mask in the Value field.

     You can use the following special characters in the mask:

     * – any sequence of characters.

     Example: If you enter *abc* as the mask, the application considers as safe any URL that contains the sequence abc. For example, www.example.com/download_virusabc

     ? – any single character.

     Example: If you enter example_123?.com as the mask, the application considers as safe any URL that contains the given character sequence and any character following 3. For example, example_1234.com

     If the * or ? characters are part of the full URL that you want to add to the list of scan exclusions, use the \ character when entering the URL to escape a single *, ?, or \ character that follows it.

     Example: You need to add the following URL as a trusted address: www.example.com/download_virus/virus.dll?virus_name= You do not want the application to treat ? as a special mask character so you put a \ character before the ? character. The URL added to the list of scan exclusions looks as follows: www.example.com/download_virus/virus.dll\?virus_name=

   • If you selected Source IP or subnet or Destination IP or subnet, enter the address or subnet (for example, 255.255.255.0) in the Value field.

   In the URL mask field, you can enter domain names containing Cyrillic characters. In this case, the address is converted to Punycode and processed in accordance with application settings.

7. Click Add.

The rule is added to the list of exclusions from observables.

Users with the Security auditor and Security officer roles cannot add a scan exclusion rule.

See also Managing exclusions from observables Viewing the table of exclusions for observables Deleting an exclusion rule for observables Editing an exclusion rule for observables Exporting the list of data excluded from the scan Filtering rules in the list of exclusions from observables by criterion Filtering rules in the list of exclusions from observables by value Resetting the rule filter in the list of exclusions from observables

Page top