Stop detecting an exploit

You can exclude an application from exploit detection, either in response to a detection or in advance of any detection.

You can set exclusions for a specific event, a specific exploit, or all exploits associated with an application.

Stop detecting an exploit that's been detected (using events list)

If an exploit is detected on an application but you're sure the detection is incorrect, you can stop it happening again by using options available in your events list.

This will apply to all your users and computers.

  1. Go to the Computers or Servers page, depending on where the application was detected.
  2. Find the computer where the detection happened and click it to view its details.
  3. On the Events tab, find the detection event and click Details.
  4. In Event details, look for Don't detect this again and select an option:
    • Exclude this Detection ID from checking: Prevents this detection on this application. It adds an exclusion for the Detection ID associated with this specific detection. If the same behavior occurs again on your estate, this does not trigger a detection. However, if the behavior is different, for example different paths or files, the Detection ID is different and will therefore require a separate exclusion.
    • Exclude this mitigation from checking this application: Prevents any checks for this exploit on this application. This increases the risk of a genuine attack. However, it can be useful where specific business applications generate many unexpected detections.
    • Exclude this application from checking: Prevents any checks for any exploits on this application. This carries the most risk and therefore you should only use this as a last resort.

    Try excluding the Detection ID first as that is better targeted. If the same detection happens again, exclude the exploit. If the same detection still happens, exclude the application.

    [Screenshot: "Event details", showing a StackExec detection type on an application]
  5. Click Exclude.

We'll add your exclusion to a list.

Detection ID exclusions go into the Global Exclusions. Application exclusions go into the Exploit Mitigation Exclusions.

Stop detecting an exploit that's been detected (using policy settings)

If an exploit is detected on an application but you're sure the detection is incorrect, you can stop it happening again by using options available in the threat protection policy.

If you use this method, we'll continue to check for other exploits that affect this application.

  1. In Policies, find the Threat Protection policy that applies to the computers.
  2. Under Settings, find Exclusions and click Add Exclusion.
  3. In the Exclusion Type box, select Detected Exploits (Windows/Mac).
  4. Select the exploit and click Add.

You can also use a policy to stop detecting exploits on all applications of a specific type. To do this, go to the threat protection policy and turn off exploit mitigation (which is under Runtime Protection) for that application type.

Note: We don't recommend turning off exploit mitigation.

Stop checking for a specific exploit on an application

If no detection has occurred for an application but you have identified that it needs to be excluded from a specific mitigation, you can proactively stop checking for a specific exploit on that application.

If you use this method, we'll continue to check for other exploits that affect this application.

  1. Go to Global Settings > Global Exclusions.
  2. Click Add Exclusion.
  3. Under Exclusion Type, select Exploit Mitigation (Windows).
  4. In the application list, select the application that you want to exclude.

    If it's not listed, click Application not listed?. Under Exclude Application By Path, enter the full path of the application.

    [Screenshot: "Add Exclusion" showing a list of protected applications]
  5. Under Mitigations, turn off the mitigation from which you want to exclude the application.

    [Screenshot: "Mitigations" showing a list of mitigations that are turned on for the application]
  6. Click Add.
  7. Click Save.

Stop checking for all exploits on an application

If an application generates many unexpected exploit detections or it suffers from performance issues when exploit mitigation is turned on, you can stop checking for all exploits on the application.

If you use this method, we won't check the application for exploits, but will still check it for ransomware behavior and for malware.

  1. Go to Global Settings > Global Exclusions.
  2. Click Add Exclusion.
  3. Under Exclusion Type, select Exploit Mitigation (Windows).
  4. In the application list, select the application that you want to exclude.

    If it's not listed, click Application not listed?. Under Exclude Application By Path, enter the full path of the application.

    [Screenshot: "Add Exclusion" showing a list of protected applications]
  5. Under Mitigations, turn off Protect Application.

    [Screenshot: "Mitigations" showing "Protect Application" option]
  6. Click Add.
  7. Click Save.