The feature's intended use is for process names, not their paths.
The concern about malware is valid but VSE's functionality is not meant to be as encompassing as the Host Intrusion Prevention product, which is the better choice for accomplishing what you're looking for.
Still, you can specify full paths in process exclusions for VSE's AP rules if you want to, but we can't guarantee it'll consistently work. The problem is "Full path" information isn't always available to us at the moment the AP rule is being evaluated, so your mileage may vary. Again, HIPS is the proper soution to use for that usage scenario.