How to Configure Exclusions in CrowdStrike Falcon

In some cases, administrators may need to exclude certain files, folders, or processes from CrowdStrike Falcon scanning. This is useful for preventing interference with critical applications, reducing false positives, and optimizing system performance.

This guide explains how to configure file, folder, and process exclusions in CrowdStrike Falcon using the Falcon Console.


Step 1: Log Into the CrowdStrike Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com.
  2. Sign in using your admin credentials.

Step 2: Navigate to Exclusions

  1. In the left-hand menu, click Configuration > Prevention Policies.
  2. Select the policy group where you want to add exclusions (e.g., Standard Policy, High Security, or a custom group).
  3. Click Edit Policy to modify the settings.

Step 3: Add Exclusions

File or Folder Exclusions

To exclude a specific file or folder from scanning:

  1. Click Add Exclusion > Files/Folders.
  2. Enter the full path of the file or folder. Example:
    • Windows: C:\Program Files\ExampleApp\
    • macOS: /Applications/ExampleApp/
    • Linux: /usr/local/bin/exampleapp/
  3. Select whether to exclude on-access scanning, on-write scanning, or both.
  4. Click Save.

Process Exclusions

To exclude a specific process:

  1. Click Add Exclusion > Processes.
  2. Enter the full path to the process. Example:
    • Windows: C:\Program Files\ExampleApp\example.exe
    • macOS: /Applications/ExampleApp.app/Contents/MacOS/example
    • Linux: /usr/local/bin/exampleapp
  3. Click Save.

Certificate Exclusions

To exclude files signed by a specific certificate:

  1. Click Add Exclusion > Certificates.
  2. Upload the certificate file (.cer, .pem, .crt) or enter the certificate hash.
  3. Click Save.

Step 4: Apply and Test Exclusions

  1. Click Save and Apply Policy to enforce the changes.
  2. Restart affected endpoints if necessary.
  3. Verify that the exclusions are working by checking logs in Falcon Console > Activity > Detection Summary.

Best Practices for Exclusions

  • Use Exclusions Sparingly – Excluding too many files or processes can create security risks.
  • Regularly Review Exclusions – Ensure that old exclusions are still needed.
  • Test Before Applying Globally – Apply exclusions to a test group first before rolling them out to all endpoints.
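
The periodic review recommended above can be partly scripted. The following is an added example, not part of the original guide and not CrowdStrike code: it audits a constructed list of exclusion records for entries that are overly broad, point at user-writable locations, cover a script interpreter, have no owner, or are overdue for review. The record fields, the rule lists and the 180-day interval are assumptions to adapt to your own inventory.

```python
import re
from datetime import date

# Assumed rule set: locations an unprivileged user can usually write to.
USER_WRITABLE = [r"^[a-z]:\\users\\", r"^[a-z]:\\windows\\temp\\", r"\\appdata\\",
                 r"^/tmp(/|$)", r"^/var/tmp(/|$)", r"^/users/", r"^/home/"]
# Assumed rule set: binaries that run arbitrary scripts or commands.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "python", "python3", "bash", "sh"}
MAX_AGE_DAYS = 180  # assumed review interval


def audit(entry, today):
    """Return the findings for one exclusion record (empty list = nothing flagged)."""
    path = entry["value"].strip().lower()
    findings = []
    if re.fullmatch(r"[a-z]:\\?|/", path):
        findings.append("covers an entire drive or filesystem root")
    if "*" in path:
        findings.append("contains a wildcard")
    if any(re.search(p, path) for p in USER_WRITABLE):
        findings.append("points at a user-writable location")
    if entry["kind"] == "process" and re.split(r"[\\/]", path)[-1] in INTERPRETERS:
        findings.append("excludes a general-purpose interpreter")
    if not entry.get("owner"):
        findings.append("has no recorded owner")
    if (today - entry["added"]).days > MAX_AGE_DAYS:
        findings.append("is past the review interval")
    return findings


def report(entries, today):
    """Map each flagged exclusion value to its findings."""
    results = {e["value"]: audit(e, today) for e in entries}
    return {value: f for value, f in results.items() if f}


# Constructed sample records; field names are hypothetical, not a Falcon export format.
SAMPLE = [
    {"kind": "path", "value": "C:\\Program Files\\ExampleApp\\", "owner": "app-team", "added": date(2025, 1, 10)},
    {"kind": "path", "value": "C:\\Users\\*\\AppData\\Local\\Temp\\", "owner": "", "added": date(2023, 3, 1)},
    {"kind": "process", "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "owner": "ops", "added": date(2025, 1, 10)},
    {"kind": "path", "value": "/", "owner": "infra", "added": date(2025, 2, 1)},
]

if __name__ == "__main__":
    for value, findings in report(SAMPLE, date(2025, 3, 1)).items():
        print(value)
        for finding in findings:
            print("  -", finding)
```

Entries that come back with no findings, such as the application-specific folder in the sample, are the narrowly scoped kind the best practices call for.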