How do I exclude specific executable files from being blocked by Memory Protection?

Users are able to exclude executable files from Memory Protection by specifying the relative path of the file. This will allow the specified files to run or be installed on any device within that policy.

Go to the Cylance Console and click on Settings, Device Policy, Create a New Policy, or select one from the list. In the Device Policy, go to the Memory Actions tab, check the box for Exclude executable file and add in the exclusion(s).

After applying the exclusion, all instances of that process must be terminated in order to stop the driver from injecting into it.

If a device policy with memory exclusions is applied, be aware that the exclusions may not apply to a targeted process that Memory Protection has already injected into. If an exclusion does not seem to be functioning as expected, closing and re-opening the application may be needed to clear any memory injection. A machine reboot would also clear any memory injection, and would also cause the PROTECT Agent to update to the latest assigned device policy.

Exclusions for macOS/Mac OS X and Linux must be specified using the relative path of the executable file (exclude the drive letter from the path). Windows exclusions can be specified using the relative path of the executable file or the absolute file path.

  • Windows Example: \Application\SubFolder\application.exe
  • Windows Example: C:\Application\SubFolder\application.exe
  • macOS Example (without spaces): /Applications/SampleApplication.app/Contents/MacOS/executable
  • macOS Example (with spaces): /Applications/Sample Application.app/Contents/MacOS/executable
  • macOS Example (Dynamic Library Files): /executable.dylib
  • Linux Example: /opt/application/executable
  • Linux Example (Dynamic Library Files): /executable.dylib
Incorrect Examples:
  • Incorrect Example (macOS and Linux): C:\Application\SubFolder\application.exe
  • Incorrect Example (All OS's): \Application\SubFolder\

Memory exclusions must have the executable at the end of the relative path.
Where variable folder names exist (e.g. \Users\jdoe\app\run.exe), a relative path exclusion of \app\run.exe will be sufficient. Please note: this will exclude any "run.exe" executable inside a folder named app, so use shortened relative path exclusions with caution.
 


About Excluding Network Paths:

Because Memory Protection Exclusions use a relative path, it is possible to exclude files on a network drive. Do not use the full network path for the exclusion.

  • Correct (Network): \application\folder\app.exe
  • Incorrect (Network): \\server\application\folder\app.exe

Using Wildcards in Exclusions

Memory exclusions can include the following special characters (all OS):
^ & ' @ { } [ ] , $ = ! - # ( ) % . + ~ _

On Windows, the following additional special characters are also supported:
  • Asterisk (*)
  • Any letter value followed by colon (C:)

Pattern Syntax for * Wildcard on Windows

Characters: *
Usage: Excluding executables and applications.
Details: Matches zero or more characters, except the platform-specific path separator ('/' on macOS/Linux, '\' on Windows).
Note: At this time, "*" escaping is not supported. For example, you cannot exclude a file that contains an asterisk "*" in the file name.
Note: Wildcard exclusions for Memory Protection apply only to Windows at this time.

Characters: **
Usage: Excluding drives and directories. Can be used to include child directories.
Details: Matches zero or more layers of a directory (e.g. "\**\") but does not match the boundary path separator.
Note that "**" is not just a double "*", it is a special notation. To avoid confusion, review the following rules when using this special character:
  • "**\" is valid if it is at the beginning of pattern, only for Windows. It will match all directories inside all drives.
  • "\**\" can appear in the pattern string multiple times, there is no limitation.
Note: Wildcard exclusions for Memory Protection apply only to Windows at this time.

Examples

For the following path:
C:\Application\TestApp\MyApp\program.exe (note that relative paths could also be used)
 
Examples of Correct Exclusions:
  • \Application\TestApp\MyApp\program.exe
    • Relative path exclusion without any wildcards.
  • C:\Application\**\MyApp\program.exe
    • Would exclude program.exe as long as program.exe is located under "MyApp" child directory in C: drive.
  • C:\Application\**\MyApp\*.exe
    • Would exclude any .exe extension file as long as the executable is located under "MyApp" child directory in C: drive.
  • C:\Application\**\MyApp\*
    • Would exclude any executable as long as the executable is located under "MyApp" child directory in C: drive.
  • C:\Application\TestApp\**\program.exe
    • Would exclude program.exe as long as program.exe is located under any child directory that belongs to "TestApp" parent directory in C: drive.
  • **\Application\TestApp\MyApp\program.exe
    • Would exclude program.exe as long as program.exe is located under \Application\TestApp\MyApp\ for any drive.
  • **\Application\TestApp\MyApp\*.exe
    • Would exclude any .exe extension file as long as the executable is located under \Application\TestApp\MyApp\ for any drive.
  • **\Application\TestApp\MyApp\*
    • Would exclude any executable as long as the executable is located under \Application\TestApp\MyApp\ for any drive.
Examples of Incorrect Exclusions:
  • C:\Application\TestA**.exe
    • "**" is used for directories. Use a single asterisk "*" for executables.
  • C:\Application\**
    • "**" is used for directories. There is no single asterisk "*" specifying executables to exclude.
Not Recommended Exclusions:
  • Correct (but not recommended): C:\**\*
    • Would effectively exclude anything in any directory (including child directories) under the C: drive.
  • Correct (but not recommended): **\*
    • Would effectively exclude anything in any directory (including child directories) in any drive.
Note: In a normal wildcard, three asterisks "***" are valid and equal a single asterisk "*". However, three asterisks are not valid for exclusions because it would hide typos. For example, in the pattern "C:\***.exe", users might have wanted to type "c:\**\*.exe" but missed one "\". If "***" were treated as a single "*" it could result in different behavior than was intended.
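
The rules above can be checked before an exclusion is added to a policy. The following is an added example, not part of the original article and not the PROTECT Agent's own matcher: it lints a Windows pattern against the validity rules stated here and previews which paths in an inventory the pattern would cover. The function names, the regex translation of the wildcards and the sample paths are assumptions made for illustration.

```python
import re

def lint_exclusion(pattern):
    """Problems in a Windows exclusion pattern, per the rules in this article."""
    problems = []
    segments = pattern.split("\\")
    if pattern.startswith("\\\\"):
        problems.append("full network path; use the relative path instead")
    if "***" in pattern:
        problems.append("'***' is not valid")
    if segments[-1] == "":
        problems.append("must end with an executable, not a directory")
    if "**" in segments[-1]:
        problems.append("'**' is for directories; use '*' for the executable")
    if any("**" in s and s != "**" for s in segments[:-1]):
        problems.append("'**' must be a whole directory segment")
    return problems

def is_overbroad(pattern):  # no literal directory or file name, e.g. **\*
    parts = [s for s in pattern.split("\\") if s and not re.fullmatch("[A-Za-z]:", s)]
    return bool(parts) and all(set(s) <= {"*"} for s in parts)

def to_regex(pattern):
    """Approximate the documented wildcard semantics as a regex (assumption)."""
    out, i = [], 0
    if pattern.startswith("**\\"):        # leading **\ : any drive, any depth
        out, i = [r"[A-Za-z]:\\(?:[^\\]+\\)*"], 3
    elif pattern.startswith("\\"):        # relative path: matches as a suffix
        out = [r".*"]
    while i < len(pattern):
        if pattern.startswith("\\**\\", i):   # \**\ : zero or more layers
            out.append(r"(?:\\[^\\]+)*")
            i += 3
        else:  # '*' never crosses a separator; everything else is literal
            out.append(r"[^\\]*" if pattern[i] == "*" else re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def preview(pattern, paths):
    """Paths from an inventory that the pattern would cover (approximation)."""
    rx = to_regex(pattern)
    return [p for p in paths if rx.match(p)]

SAMPLE_PATHS = [  # constructed inventory, not from the article
    r"C:\Application\TestApp\MyApp\program.exe",
    r"C:\Users\jdoe\app\run.exe",
    r"C:\Users\Public\Downloads\app\run.exe",
    r"D:\Application\TestApp\MyApp\program.exe",
]
```

Calling preview with \app\run.exe against the constructed inventory returns both run.exe paths, which is the breadth the caution about shortened relative paths refers to.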

If you'd like to add Exclusions for Protection Settings, please refer to How to Exclude Specific Folders