CrowdStrike Exclusions: Configure File, Folder & Process Exceptions

Configure CrowdStrike Falcon exclusions for files, folders, and processes. Prevent false positives and whitelist applications.

8 min read · Updated January 2026

In some cases, administrators may need to exclude certain files, folders, or processes from CrowdStrike Falcon scanning. This is useful for preventing interference with critical applications, reducing false positives, and optimizing system performance.

This guide explains how to configure file, folder, and process exclusions in CrowdStrike Falcon using the Falcon Console.


Step 1: Log Into the CrowdStrike Falcon Console

  1. Open a browser and go to the CrowdStrike Falcon console. The URL depends on your tenant:

     • https://falcon.crowdstrike.com
     • https://falcon.us-2.crowdstrike.com/

  2. Sign in using your admin credentials.


Step 3: Add Exclusions

File or Folder Exclusions

To exclude a specific file or folder from scanning:

  1. In the left-hand menu, click Endpoint Security > Configure > Exclusions.
  2. Select the Machine Learning Exclusions tab.
  3. Click Create Exclusion.
  4. Select the host group you want to apply the exclusion to, then click Next.
  5. Enter the exclusion pattern.
  6. Click Create Exclusion.
  7. Repeat the process on the Sensor Visibility tab.


Best Practices for Exclusions

  • Use Exclusions Sparingly – Excluding too many files or processes can create security risks.
  • Regularly Review Exclusions – Ensure that old exclusions are still needed.
  • Test Before Applying Globally – Apply exclusions to a test group first before rolling them out to all endpoints.

Frequently Asked Questions

Find answers to common questions

Recommended exclusions in CrowdStrike Falcon include files, folders, or processes that are critical to operations or known to cause false positives, such as legacy application files and essential system processes.

To identify candidates for exclusion, monitor for false positives during scans and review application logs for flagged legitimate applications. Tools like Sysinternals Process Monitor can help track file access and identify conflicting processes.

Once you identify exclusions, follow the outlined steps to exclude these items, document each exclusion, and maintain a change log. Always assess the security risks associated with exclusions before finalizing your decisions.

To test exclusions in CrowdStrike Falcon effectively, follow these steps:

  1. Create a Test Group: Select a small, diverse subset of endpoints representing your environment.

  2. Apply Exclusions: Implement exclusions only for this test group, documenting each exclusion per endpoint.

  3. Monitoring and Logging: Monitor for unusual behavior using CrowdStrike’s logging tools, focusing on previously flagged false positives.

  4. User Feedback: Collect feedback from users in the test group regarding application performance and security concerns after applying exclusions.

  5. Iterate: Adjust exclusions based on monitoring data and user feedback. Refine or explore alternative solutions for persistent issues.

Once confident in the security of the exclusions, roll them out across your environment while continuing to monitor closely.

To effectively review and manage exclusions in CrowdStrike Falcon, follow these best practices:

  1. Scheduled Reviews: Review exclusions quarterly, and again after significant changes to your infrastructure, to assess whether each one is still necessary.

  2. Review Documentation: Evaluate each exclusion against current operational needs, considering whether they remain critical or if updates have resolved previous conflicts.

  3. Risk Assessment: Assess the risks of removing exclusions and ensure adequate security measures are in place, informed by the latest threat intelligence.

  4. Feedback Loop: Create a mechanism for users to report issues related to exclusions, providing insights into their impact on productivity.

  5. Utilize Reporting Tools: Analyze alert trends using CrowdStrike Falcon’s reporting features to determine the relevance of exclusions.

  6. Engage Stakeholders: Involve IT security teams and application owners to align exclusions with business objectives, ensuring security is not compromised.

These steps help maintain optimal security while managing exclusions effectively.
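
One way to run the periodic review described above, as an added example that is not part of the original guide or of CrowdStrike's tooling: it audits an exclusion change log for broad patterns, user-writable paths, missing documentation, and overdue reviews. The CSV layout, the sample rows, the 90-day interval, and the directory-name heuristics are all assumptions.

```python
import csv
from datetime import date

# Constructed change log in a hypothetical CSV layout (not a Falcon export format).
SAMPLE_LOG = """pattern,host_group,owner,justification,last_reviewed
/Program Files/LegacyERP/bin/erp.exe,ERP-Servers,app-team,False positive on vendor updater,2025-11-03
/Users/**,All-Hosts,,,2024-02-10
**/*.tmp,Build-Agents,devops,Build performance,2025-12-01
/Windows/Temp/**,All-Hosts,helpdesk,Installer blocked,2025-01-15
"""

REVIEW_INTERVAL_DAYS = 90  # assumed length of a quarterly review cycle
USER_WRITABLE = ("temp", "tmp", "downloads", "appdata", "users", "programdata")


def findings_for(row, today):
    """Return the review findings for one change-log row (empty list = clean)."""
    findings = []
    segments = [s for s in row["pattern"].replace("\\", "/").split("/") if s]
    literal = [s for s in segments if "*" not in s and "?" not in s]
    # Broad: starts with a wildcard, or fewer than two fixed path components.
    if not segments or "*" in segments[0] or len(literal) < 2:
        findings.append("broad pattern")
    if any(s.lower() in USER_WRITABLE for s in literal):
        findings.append("user-writable location")
    if not row["owner"].strip() or not row["justification"].strip():
        findings.append("undocumented")
    if not row["last_reviewed"].strip():
        findings.append("never reviewed")
    else:
        age = (today - date.fromisoformat(row["last_reviewed"].strip())).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append(f"review overdue ({age} days)")
    return findings


def audit(log_text, today):
    """Map each flagged pattern to its findings; clean entries are omitted."""
    report = {}
    for row in csv.DictReader(log_text.splitlines()):
        findings = findings_for(row, today)
        if findings:
            report[row["pattern"]] = findings
    return report


if __name__ == "__main__":
    for pattern, findings in audit(SAMPLE_LOG, date(2026, 1, 15)).items():
        print(f"{pattern}: {', '.join(findings)}")
```

Entries that come back with findings are the ones to take to application owners first during the review.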
