Creating and editing an exclusion for an Adaptive Anomaly Control rule

You cannot create more than 1,000 exclusions for Adaptive Anomaly Control rules. It is not recommended to create more than 200 exclusions. To reduce the number of exclusions used, it is recommended to use masks in the settings of exclusions.

An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The source object is the object performing the actions. The target object is the object on which the actions are being performed. For example, you have opened the file named file.xlsx. As a result, a library with the DLL extension used by a browser (the executable file named browser.exe) has been added to the computer memory. In this example, file.xlsx is the source object, Excel is the source process, browser.exe is the target object, and Browser is the target process.

To create or edit an exclusion for an Adaptive Anomaly Control rule:

  1. In the main application window, click the Settings button.
  2. In the left part of the window, in the Security Controls section, select the Adaptive Anomaly Control subsection.

    The settings of the Adaptive Anomaly Control component are displayed in the right part of the window.

  3. In the table in the right part of the window, select a rule.
  4. Click the Edit button.

    The Adaptive Anomaly Control rule window opens.

  5. Do one of the following:
    • If you want to add an exclusion, click the Add button.
    • If you want to edit an existing exclusion, select the row in the Exclusions table and click the Edit button.

    The Exclusion from rule window opens.

  6. In the Description field, enter a description of the exclusion.
  7. Click the Browse button next to the User field to specify the users to whom the exclusion is applied.

    The standard Select users or groups window in Microsoft Windows opens.

  8. Define the settings of the source object or source process started by the object:
    • Source process. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe).
    • Source process hash. File hash code.
    • Source object. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe). For example, file path document.docm, which uses a script or macro to start the target processes.

      You can also specify other objects to exclude, such as a web address, macro, command in the command line, registry path, or others. Specify the object according to the following template: object://<object>, where <object> refers to the name of the object, for example, object://web.site.example.com, object://VBA, object://ipconfig, object://HKEY_USERS. You can also use masks, for example, object://*C:\Windows\temp\*.

    • Source object hash. File hash code.

    The Adaptive Anomaly Control rule is not applied to actions performed by the object, or to processes started by the object.

  9. Define the settings of the target object or target processes started on the object.
    • Target process. Path or mask of the path to the file or folder containing files (for example, С:\Dir\File.exe or Dir\*.exe).
    • Target process hash. File hash code.
    • Target object. The command to start the target process. Specify the command using the following pattern object://<command>, for example, object://cmdline:powershell -Command "$result = 'C:\windows\temp\result_local_users_pwdage txt'". You can also use masks, for example, object://*C:\windows\temp\*.
    • Target object hash. File hash code.

    The Adaptive Anomaly Control rule is not applied to actions taken on the object, or to processes started on the object.

  10. In the Exclusion from rule window, click OK.
  11. In the Adaptive Anomaly Control rule window, click OK.
  12. To save changes, click the Save button.
Page top