N-Central – AV – SentinelOne (EDR) – Adding Exclusions

Last Updated: February 9th, 2021/Published On: April 30th, 2020/By /Views: 3070/

Adding Exclusions from a detected item

  1. From SO Level expand Integrations > EDR > Analyze
  2. Locate the detected item that should be allowed and click on it
  3. Investigate and ensure you truly wish to create exclusion
  4. Select More in upper right hand corner and select appropriate action (Mark as benign is most likely what you are looking for)

           

 

Adding Exclusions before they get detected

  1. From SO Level expand Integrations > EDR > Analyze > Profiles
  2. Click the three dots on the far right side next to the profile you wish to modify and select Edit
  3. Click next
  4. Click Exclusions

OPTION 1 (BEST):

  1. Under Hash select New Exclusion 
  2. Drop down OS and select appropriate OS
  3. Provide SHA1
  4. Enter a good description of why you are excluding so others can easily determine why this exclusion is there (such as program name)
  5. Select either Save or Save and add another

           

OPTION 2 (Lazy and less secure method)

*This method should only be used if OPTION 1 doesn’t work with your software

  1. Click Path on Left and then choose New exclusion
  2. Drop down OS and select appropriate OS
  3. Define Path and select Include Subfolders as required
  4. Select More Options and choose proper Exclusions Mode *This will require some testing to get the right option selected while still providing as much security as possible
  5. Enter a good description of why you are excluding so others can easily determine why this exclusion is there (such as program name)
  6. Select either Save or Save and add another

         

Advanced Options

  1. You can select to exclude certain web browsers under Browser section if a critical website does not work – would be highly recommended to restrict this web browser to only the website that you need to access a blocked site from that EDR is blocking
  2. File Type – only use this if absolutely necessary
  3. Signer Identity – you’ll need the certificate ID

 

Table of Contents