Managing Exclusions
Exclusions tell Bamboozle EDR to ignore specific files, folders, processes, or websites that you know are safe. Properly configured exclusions reduce false positives without weakening your security posture.
When to add an exclusion
Add an exclusion when:
- A legitimate business application is repeatedly flagged as suspicious
- An IT management or monitoring tool triggers alerts due to its normal behaviour
- A developer tool such as a debugger or code analysis tool is being detected
Do not add exclusions for files or processes you cannot verify as safe. If in doubt, contact Bamboozle Support before adding an exclusion.
Types of exclusions
| Type | What it excludes |
|---|---|
| File or folder | A specific file path or directory |
| Process | A specific executable by name or path |
| Hash | A specific file identified by its cryptographic hash |
| Website | A specific URL or domain, exempted from web filtering |
Adding an exclusion from an alert
The easiest way to add an exclusion is directly from a false positive alert:
- Open the alert in Monitoring then Alerts.
- Review the process tree to confirm the activity is legitimate.
- Click Actions then Add exclusion.
- Select the type of exclusion — file, process, or hash.
- Review the details and confirm.
[SCREENSHOT: Add exclusion option in alert detail view]
Managing exclusions in the protection plan
Exclusions can also be managed centrally in your protection plan so they apply to all devices covered by that plan:
- Click Plans in the left sidebar.
- Select the protection plan you want to edit.
- Click Edit plan.
- Scroll to the Exclusions section.
- Click Add exclusion and configure the type, value, and scope.
- Click Save.
[SCREENSHOT: Exclusions section in the protection plan editor]
Exclusion best practices
- Be as specific as possible. Exclude a specific file path rather than an entire folder where possible.
- Use hashes for critical exclusions. A file hash identifies the exact contents of one version of a file, so if malware replaces the file with a different version, the hash no longer matches and the exclusion will not apply.
- Review exclusions regularly. Remove exclusions that are no longer needed, for example if a software vendor releases an update that resolves the false positive.
- Document your exclusions. Keep a record of why each exclusion was added so future team members understand the reasoning.
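The practices above can be checked mechanically against the record your team keeps of its exclusions. The following is an added example, not Bamboozle code or an export format: the register field names (`type`, `value`, `added`, `reason`), the 180-day review window, and the choice of SHA-256 as the hash are assumptions.

```python
import hashlib
import re
from datetime import date

def sha256_of(path):
    """Hash a file in chunks; this is the value a hash exclusion would pin."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit(register, today, max_age_days=180):
    """Return (value, finding) pairs for entries that break a best practice."""
    findings = []
    for entry in register:
        kind, value = entry["type"], entry["value"]
        # Be as specific as possible: flag broad scopes.
        if kind == "folder":
            findings.append((value, "whole folder excluded; narrow to a file path or hash"))
        if kind == "process" and not re.search(r"[\\/]", value):
            findings.append((value, "process matched by name only; use a full path or hash"))
        # Assumption: hash exclusions are SHA-256 hex digests.
        if kind == "hash" and not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            findings.append((value, "not a SHA-256 hex digest"))
        # Document your exclusions.
        if not entry.get("reason", "").strip():
            findings.append((value, "no documented reason"))
        # Review exclusions regularly (window length is an assumption).
        if (today - date.fromisoformat(entry["added"])).days > max_age_days:
            findings.append((value, "older than review window; confirm still needed"))
    return findings

# Constructed sample register; field names and values are hypothetical.
SAMPLE = [
    {"type": "hash", "value": hashlib.sha256(b"constructed sample binary").hexdigest(),
     "added": "2025-05-01", "reason": "Backup agent flagged on every scheduled run"},
    {"type": "folder", "value": r"C:\Tools", "added": "2023-03-01", "reason": ""},
    {"type": "process", "value": "rmm-agent.exe", "added": "2025-04-15",
     "reason": "Remote management tool, normal behaviour"},
]

if __name__ == "__main__":
    for value, finding in audit(SAMPLE, today=date(2025, 6, 1)):
        print(f"{value}: {finding}")
```

Before approving a hash exclusion, run `sha256_of` on the file from the endpoint that raised the alert and compare it with the value being excluded, so the exclusion covers exactly the binary that was reviewed.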
Viewing existing exclusions
To see all current exclusions:
- Click Plans and select the relevant protection plan.
- Click Edit plan and scroll to Exclusions.
- All current exclusions are listed with their type, value, and the date they were added.
[SCREENSHOT: Exclusions list in the protection plan]
Removing an exclusion
- Go to the exclusions list as described above.
- Find the exclusion you want to remove.
- Click the delete icon next to it.
- Click Save to apply the change.
Removing an exclusion means EDR will start detecting that file, process, or website again. If it was a genuine false positive, the alerts will resume. If you are unsure, leave the exclusion in place and contact Bamboozle Support.