
CrowdStrike Exclusions: Configure File, Folder & Process Exceptions

Configure CrowdStrike Falcon exclusions for files, folders, and processes. Step-by-step guide to create exceptions, prevent false positives, and whitelist applications without compromising endpoint security.

Difficulty: intermediate. Estimated read time: 8 minutes. Last updated: January 2025.

Frequently Asked Questions

What files or processes should I leave out of CrowdStrike Falcon?

Recommended exclusions in CrowdStrike Falcon include files, folders, or processes that are critical to operations or known to cause false positives, such as legacy application files and essential system processes.

How do I find things to exclude in CrowdStrike Falcon?

To identify candidates for exclusion, monitor for false positives during scans and review application logs for legitimate applications that were flagged. Tools such as Sysinternals Process Monitor can help track file access and identify conflicting processes.

What do I do after I find exclusions in CrowdStrike Falcon?

Once you have identified exclusions, follow the steps outlined below to exclude those items, document each exclusion, and maintain a change log. Always assess the security risk of each exclusion before finalizing it.

How can I test exclusions in CrowdStrike Falcon before rolling them out?

To test exclusions in CrowdStrike Falcon effectively, follow these steps:

  1. Create a Test Group: Select a small, diverse subset of endpoints that represents your environment.
  2. Apply Exclusions: Implement the exclusions only for this test group, documenting each exclusion per endpoint.
  3. Monitoring and Logging: Monitor for unusual behavior using CrowdStrike's logging tools, focusing on the previously flagged false positives.
  4. User Feedback: Collect feedback from users in the test group on application performance and security concerns after the exclusions are applied.
  5. Iterate: Adjust the exclusions based on monitoring data and user feedback. Refine them, or explore alternative solutions, for persistent issues.

Once you are confident the exclusions are safe, roll them out across your environment while continuing to monitor closely.

How often should I check and manage exclusions in CrowdStrike Falcon for best security?

To review and manage exclusions in CrowdStrike Falcon effectively, follow these practices:

  1. Scheduled Reviews: Conduct quarterly reviews, or reviews after significant infrastructure changes, to reassess whether each exclusion is still necessary.
  2. Review Documentation: Evaluate each exclusion against current operational needs, considering whether it remains critical or whether updates have resolved the earlier conflict.
  3. Risk Assessment: Assess the risk of removing each exclusion and ensure adequate security measures are in place, informed by the latest threat intelligence.
  4. Feedback Loop: Provide a mechanism for users to report issues related to exclusions, giving insight into their impact on productivity.
  5. Utilize Reporting Tools: Analyze alert trends with CrowdStrike Falcon's reporting features to determine whether each exclusion is still relevant.
  6. Engage Stakeholders: Involve IT security teams and application owners so that exclusions align with business objectives without compromising security.

These steps help maintain optimal security while managing exclusions effectively.


In some cases, administrators may need to exclude certain files, folders, or processes from CrowdStrike Falcon scanning. This is useful for preventing interference with critical applications, reducing false positives, and optimizing system performance.

This guide explains how to configure file, folder, and process exclusions in CrowdStrike Falcon using the Falcon Console.


Step 1: Log Into the CrowdStrike Falcon Console

  1. Open a browser and go to the CrowdStrike Falcon console URL for your tenant (there are two possible URLs, depending on the tenant).
  2. Sign in with your administrator credentials.

Step 3: Add Exclusions

File or Folder Exclusions

To exclude a specific file or folder from scanning:

  1. In the left-hand menu, click Endpoint Security > Configure > Exclusions.
  2. Select the Machine Learning Exclusions tab.
  3. Click Create Exclusion.
  4. Select the host group the exclusion should apply to, then click Next.
  5. Enter the exclusion pattern (the path of the file or folder; wildcards are accepted).
  6. Click Create Exclusion.
  7. Repeat the process on the Sensor Visibility Exclusions tab.

The two exclusion types differ in scope. A machine learning exclusion only suppresses ML-based detections and preventions for the matched paths, whereas a sensor visibility exclusion stops the sensor from monitoring those paths at all, so any activity there is no longer detected. Add the sensor visibility exclusion only if the machine learning exclusion alone does not resolve the conflict.


Best Practices for Exclusions

Use Exclusions Sparingly – Every excluded file, folder, or process is a blind spot; exclude only what is required to resolve a confirmed conflict or false positive.
Regularly Review Exclusions – Confirm that existing exclusions are still needed and remove those that are not.
Test Before Applying Globally – Apply exclusions to a test host group first, then roll them out to all endpoints.
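The exclusion pattern entered in step 5 above and the three best practices (use sparingly, review regularly, test first) can all be checked before anything is created in the console. The following Python script is an added example; it is not CrowdStrike's code and does not call the Falcon API. It assumes Falcon-style glob semantics (`*` matches within a single path component, `**` matches across components), and its list of risky locations and its 90-day review window are the example's own policy choices, not values from this guide. It tests a proposed pattern against sample paths to confirm it covers only what is intended, flags patterns that are broader than necessary, and keeps the per-exclusion record and change log that the FAQ asks for.

```python
"""Pre-flight checks for proposed CrowdStrike Falcon exclusion patterns.

Added example: not CrowdStrike code, and it does not call the Falcon API.
Assumptions (not from the guide): Falcon's path glob is modelled as '*'
matching any characters except a path separator and '**' matching across
separators; RISKY_FRAGMENTS and the 90-day review window are this example's
own policy choices.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: locations a standard user (or malware running as that user)
# can write to; an exclusion here hides anything dropped into them.
RISKY_FRAGMENTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\",
                   "\\programdata\\", "\\public\\", "/tmp/", "/home/")
EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a Falcon-style glob into a regex (assumed '*'/'**' semantics)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")           # '**' crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")     # '*' stays inside one path component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern would cover the given path."""
    return glob_to_regex(pattern).match(path) is not None


def risk_flags(pattern: str) -> list[str]:
    """Reasons a pattern is broader than 'use exclusions sparingly' allows."""
    p = pattern.lower().replace("/", "\\")
    flags = []
    if re.fullmatch(r"([a-z]:)?\\?\*{0,2}", p):
        flags.append("covers an entire drive or filesystem")
    if "**" in p:
        flags.append("'**' recurses into every subdirectory")
    if any(frag.replace("/", "\\") in p for frag in RISKY_FRAGMENTS):
        flags.append("covers a user-writable location")
    name = p.rsplit("\\", 1)[-1]
    if name.startswith("*") and name.endswith(EXEC_EXTENSIONS):
        flags.append("matches every executable with that extension")
    return flags


@dataclass
class ExclusionRecord:
    """The per-exclusion documentation and change log the FAQ asks for."""
    pattern: str
    host_group: str
    justification: str
    owner: str
    created: date
    last_reviewed: date
    change_log: list[str] = field(default_factory=list)

    def note(self, when: date, text: str) -> None:
        self.change_log.append(f"{when.isoformat()}: {text}")

    def review_due(self, today: date, every_days: int = 90) -> bool:
        """Quarterly review cadence; 90 days is this example's choice."""
        return today - self.last_reviewed >= timedelta(days=every_days)


if __name__ == "__main__":
    # Constructed sample patterns: one scoped to a single binary, two too broad.
    candidates = [
        r"C:\Program Files\LegacyApp\legacyapp.exe",
        r"C:\Users\*\AppData\Local\Temp\**",
        r"C:\*",
    ]
    for pat in candidates:
        verdict = "; ".join(risk_flags(pat)) or "ok"
        print(f"{pat:45} -> {verdict}")

    # Constructed sample paths to confirm a pattern covers only what is intended.
    pat = r"C:\Program Files\LegacyApp\*.dll"
    for path in (r"C:\Program Files\LegacyApp\core.dll",
                 r"C:\Program Files\LegacyApp\plugins\helper.dll"):
        print(f"{pat} matches {path}: {matches(pat, path)}")

    rec = ExclusionRecord(candidates[0], "Finance-Pilot",
                          "ML false positive on vendor binary",
                          "appsec@example.com", date(2024, 10, 1), date(2024, 10, 1))
    rec.note(date(2024, 10, 1), "created on pilot group after false-positive triage")
    print("review due on 2025-01-15:", rec.review_due(date(2025, 1, 15)))
```

Run it against the patterns you intend to enter in the console: a pattern that names one binary produces no flags, while `C:\Users\*\AppData\Local\Temp\**` is flagged for both recursion and a user-writable location, and `C:\*` for covering the whole drive. The `matches` check shows that `*.dll` in a folder does not reach into subfolders, so a pattern can be verified against the paths from the original false positive before the exclusion is applied to the test host group.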
