Exclusions

A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint Security does not monitor when active.

The administrator forms the trusted zone independently, taking into account the features of the objects that are handled and the applications that are installed on the computer. It may be necessary to include objects and applications in the trusted zone when Kaspersky Endpoint Security blocks access to a certain object or application, if you are sure that the object or application is harmless. An administrator can also allow a user to create their own local trusted zone for a specific computer. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy.

Starting with Kaspersky Endpoint Security 12.5 for Windows, you can add EDR telemetry to the trusted zone. This allows to optimize data that the application sends to the Telemetry server for the Kaspersky Anti Targeted Attack Platform (EDR) solution.

Starting with Kaspersky Endpoint Security 12.6 for Windows, scan exclusions and trusted applications are added to the trusted zone. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers.

Scan exclusions

A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats.

Scan exclusions make it possible to safely use legitimate software that can be exploited by criminals to damage the computer or user data. Although they do not have any malicious functions, such applications can be exploited by intruders. For details on legitimate software that could be used by criminals to harm the computer or personal data of a user, please refer to the Kaspersky IT Encyclopedia website.

Such applications may be blocked by Kaspersky Endpoint Security. To prevent them from being blocked, you can configure scan exclusions for the applications in use. To do so, add the name or name mask that is listed in the Kaspersky IT Encyclopedia to the trusted zone. For example, you often use the Radmin application for remote administration of computers. Kaspersky Endpoint Security regards this activity as suspicious and may block it. To prevent the application from being blocked, create a scan exclusion with the name or name mask that is listed in the Kaspersky IT Encyclopedia.

If an application that collects information and sends it to be processed is installed on your computer, Kaspersky Endpoint Security may classify this application as malware. To avoid this, you can exclude the application from scanning by configuring Kaspersky Endpoint Security as described in this document.

Scan exclusions can be used by the following application components and tasks that are configured by the system administrator:

List of trusted applications

The list of trusted applications is a list of applications whose file and network activity (including malicious activity) and access to the system registry are not monitored by Kaspersky Endpoint Security. By default, Kaspersky Endpoint Security monitors objects that are opened, executed, or saved by any application process and controls the activity of all applications and network traffic that is generated by them. After an application is added to the list of trusted applications, Kaspersky Endpoint Security stops monitoring the application's activity.

The difference between scan exclusions and trusted applications is that for exclusions Kaspersky Endpoint Security does not scan files, while for trusted applications it does not control the initiated processes. If a trusted application creates a malicious file in a folder which is not included in scan exclusions, Kaspersky Endpoint Security will detect the file and eliminate the threat. If the folder is added to exclusions, Kaspersky Endpoint Security will skip this file.

For example, if you consider objects that are used by the standard Microsoft Windows Notepad application to be safe, meaning that you trust this application, you can add Microsoft Windows Notepad to the list of trusted applications so that the objects used by this application are not monitored. This will increase computer performance, which is especially important when using server applications.

In addition, certain actions that are classified by Kaspersky Endpoint Security as suspicious may be safe within the context of the functionality of a number of applications. For example, the interception of text that is typed from the keyboard is a routine process for automatic keyboard layout switchers (such as Punto Switcher). To take account of the specifics of such applications and exclude their activity from monitoring, we recommend that you add such applications to the trusted applications list.

Trusted applications help to avoid compatibility issues between Kaspersky Endpoint Security and other applications (for example, the problem of double-scanning of the network traffic of a third-party computer by Kaspersky Endpoint Security and by another anti-virus application).

At the same time, the executable file and process of the trusted application are still scanned for viruses and other malware. An application can be fully excluded from Kaspersky Endpoint Security scanning by means of scan exclusions.

Settings of exclusions

Parameter

Description

Types of detected objects

Regardless of the configured application settings, Kaspersky Endpoint Security always detects and blocks viruses, worms, and Trojans. They can cause significant harm to the computer.

  • Viruses and worms
  • Trojans (including ransomware)
  • Malicious tools
  • Adware
  • Auto-dialers
  • Legitimate software that can be used by intruders to damage your computer or personal data
  • Packed objects whose packing may be used to protect malicious code
  • Multi-packed objects

Exclusions

This table contains information about scan exclusions.

You can exclude objects from scans by using the following methods:

  • Specify the path to the file or folder.
  • Enter the object hash.
  • Use masks:
    • The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
    • Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
    • The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.

      You can use masks anywhere in a file or folder path. For example, if you want the scan scope to include the Downloads folder for all user accounts on the computer, enter the C:\Users\*\Downloads\ mask.

      Kaspersky Endpoint Security supports environment variables

      Kaspersky Endpoint Security does not support the %userprofile% environment variable when generating a list of exclusions using the Kaspersky Security Center console. To apply the entry to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe). Whenever you add a new environment variable, you need to restart the application.

  • Enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit or RemoteAdmin). You can use masks with the ? character (replaces any single character) and the * character (replaces any number of characters). For example, if the Client* mask is specified, the application excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.

Kaspersky Endpoint Security hides the list of scan exclusions in the user interface of the application if configuration of scan exclusions is blocked by the administrator in the console ("closed lock" symbol) and local scan exclusions are prohibited (the Allow use of local exclusions check box is cleared).

Trusted applications

This table lists trusted applications whose activity is not monitored by Kaspersky Endpoint Security during its operation.

Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Kaspersky Endpoint Security does not support the %userprofile% environment variable when generating a list of trusted applications on the Kaspersky Security Center console. To apply the entry to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe). Whenever you add a new environment variable, you need to restart the application.

The Application Control component regulates the startup of each of the applications regardless of whether or not the application is included in the table of trusted applications.

Kaspersky Endpoint Security hides the consolidated list of trusted applications in the user interface of the application if configuration of trusted applications is blocked by the administrator in the console ("closed lock" symbol) and local trusted applications are prohibited (the Allow use of local trusted applications check box is cleared).

Merge values when inheriting

(available only in the Kaspersky Security Center Console)

This merges the list of scan exclusions and trusted applications in the parent and child policies of Kaspersky Security Center. To merge lists, the child policy must be configured to inherit the settings of the parent policy of Kaspersky Security Center.

If the check box is selected, list items from the Kaspersky Security Center parent policy are displayed in child policies. This way you can, for example, create a consolidated list of trusted applications for the entire organization.

Inherited list items in a child policy cannot be deleted or edited. Items on the list of scan exclusions and the list of trusted applications that are merged during inheritance can be deleted and edited only in the parent policy. You can add, edit or delete list items in lower-level policies.

If items on lists of the child and parent policy match, these items are displayed as the same item of the parent policy.

If the check box is not selected, list items are not merged when inheriting the settings of Kaspersky Security Center policies.

Allow use of local exclusions / Allow use of local trusted applications

(available only in the Kaspersky Security Center Console)

Local exclusions and local trusted applications (local trusted zone) – user-defined list of objects and applications in Kaspersky Endpoint Security for a specific computer. Kaspersky Endpoint Security does not monitor objects and applications from the local trusted zone. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy.

If the check box is selected, a user can create a local list of scan exclusions and a local list of trusted applications. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.

If the check box is cleared, a user can access only the general lists of scan exclusions and trusted applications generated in the policy.

EDR telemetry

(available only in the Kaspersky Security Center Console)

This table contains information about EDR telemetry exclusions.

Trusted system certificate store

If one of the trusted system certificate stores is selected, Kaspersky Endpoint Security excludes applications signed with a trusted digital signature from scans. Kaspersky Endpoint Security automatically assigns such applications to the Trusted group.

If Do not use is selected, Kaspersky Endpoint Security scans applications regardless of whether or not they have a digital signature. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

See also: Managing the application via the local interface

Creating a scan exclusion

Managing the application on a server in Server Core mode

Editing the list of trusted applications

Creating a local trusted zone

Using trusted system certificate storage

Page top