The best way is to create an exception from the event itself. You can incorporate a wildcard if you need to, but make sure you have other parameters to make the signature specific to that process and user account.
I can't get this to work either. Is it possible to exclude an entire folder from a signature?
I'm testing on the Adobe folder for signature 3905. I've gone bare-bones with my test case: no parameters defined aside from Executable, and within the Executable, only File Name defined. I've tried every iteration of wildcards. Right now, I have C:\**\ADOBE\**\*.EXE .
3905 is still being triggered by executables in Adobe folders though. What am I missing?
Is it possible to exclude an entire folder from a signature?
Yes, you can exclude entire directories, if you wish. The syntax would be similar to the previous suggestions.
C:\**\FOLDERNAME\ does appear to be working.
Interestingly, C:\**\FOLDERNAME\**\*.EXE also seemed to work.
But, why doesn't **\FOLDERNAME\ or just FOLDERNAME\ work?
I'm stuck. My folder exceptions aren't working 100% of the time. Some examples:
I'm trying to exclude C:\PROGRAM FILES (86)\MICROSOFT LYNC\UCMAPI.EXE with C:\**\MICROSOFT*\ or C:\MICROSOFT LYNC\, but nothing is working.
Neither is C:\USERS\NAME\APPDATA\LOCAL\CITRIX\GOTOMEETIN\3211\G2MUPLOAD.EXE with C:\**\CITRIX\.
Any thoughts on why this isn't working?
I think there might be a problem if there's a space in the file path, as in PROGRAM FILES (X86). Does anyone know about this issue or how to get around it?
If you want to exclude the hips file: "C:\PROGRAM FILES (86)\MICROSOFT LYNC\UCMAPI.EXE" then you need to write the exclusion like this (following your way above):
But my suggestions are these since you know the directory
In your example without the stars at the end, you are telling it to literally look for and ignore a directory (C:\**\MICROSOFT*\). It doesn't know to keep looking deeper for any files in that directory. This seems to be your problem for the other example as well.