Linux scanning exclusions

You can add scanning exclusions for Linux servers.

Warning: Think carefully before you add scanning exclusions because doing so may reduce your protection.

Be careful when you set up scanning exclusions as you can increase the risk to your systems and reduce your protection.

Make your scanning exclusions as specific as possible. It's risky to generalize the exclusion to cover more files and directories than you need to.

You can exclude a specific directory or file by its full path. To exclude a directory and all the directories and files below it, add a trailing slash. For example:

  • /mnt/hgfs/excluded excludes the file named excluded.
  • /mnt/hgfs/excluded/ excludes the directory named excluded and all directories and files below it in the filesystem.

    We recommend that you use this exclusion type as specifically as possible.

You can exclude a directory or file in any location. For example:

  • */excluded excludes the file named excluded in any location.
  • excluded/ excludes the directory named excluded in any location and all directories and files below it in the filesystem.

    We recommend that you use this exclusion type as specifically as possible.

Scanning exclusions

You can use the exclusions shown in this table.

| Type | Exclusion | Description | Comments |
|---|---|---|---|
| Absolute path to file | /foo/bar/file.name (Example: /foo/bar/eicar.com) | Excludes the named file. | |
| Absolute path to directory | /foo/bar/ | Excludes everything in the named directory and below. | Be careful if you use this exclusion type as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. Don't use it to exclude high-level directories. |
| File name | file.name (Example: eicar.com) | Excludes files with this name in any directory. Excludes /foo/eicar.com, /foo/bar/eicar.com, and /baz/eicar.com. | This matches anywhere on the file system and isn't specific to a location. |
| Relative path to a file | bar/file.name (Example: /bar/eicar.com) | Excludes any path ending with the named directory and file. Excludes /bar/eicar.com and /foo/bar/eicar.com but not /foo/eicar.com. | This matches anywhere on the file system and isn't specific to a location. |
| Directory name | bar/ | Excludes everything below any directory with this name. Excludes /foo/bar/, /bar/, and /baz/foo/bar/. | This matches anywhere on the file system and isn't specific to a location. Be careful if you use this exclusion type as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. Don't use it to exclude high-level directories. |
| Relative path to a directory | foo/bar/ | Excludes any path containing the named directory. Excludes foo/bar/ and /baz/foo/bar/. | This matches anywhere on the file system and isn't specific to a location. Be careful if you use this exclusion type as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. Don't use it to exclude high-level directories. |
| File extension | *.fileextension (Example: *.com) | Excludes any file with this extension, in any directory. Excludes eicar.com and eicar.tmp.com, but not eicar.co or eicar.com.tmp. | Be careful if you use this exclusion type as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. |
| File name prefix | filenameprefix.* (Example: eicar.*) | Excludes any file with this file name prefix, in any directory. Excludes eicar.foo but not eicar. | Also excludes /foo/eicar.fileextension/bar. |
| Absolute path with file name extension | /directory/*.filenameextension (Example: /lib/*.so) | Excludes any file with the named extension under the named directory. Excludes /lib/foo/bar.so and /lib/foo/bar.so/. | |
| Absolute path with file name prefix | /directory/filenameprefix.* (Example: /lib/libz.*) | Excludes any file with the named prefix under the named directory. Excludes /lib/libz.so and /lib/libz.so.1. | Also excludes /tmp/libz.foo/bar.so. |
| Absolute path with directory name suffix | /directory/*.directorynamesuffix/ (Example: /lib/*.so/) | Excludes any directory with the named suffix under the named path. Excludes /lib/foo.so/ and /lib/foo/bar.so. | |
| Absolute path with directory name prefix | /directory/directorynameprefix.*/ (Example: /lib/libz.*/) | Excludes any directory with the named prefix under the named path. Excludes /lib/libz.so/ and /lib/libz.so.1/. | |
| Absolute path with character suffix | /directory/file.?/ (Example: /var/log/syslog.?) | Excludes any file with the named file name and the named character suffix under the named directory. Excludes /var/log/syslog.0 and /var/log/syslog.1. | Doesn't exclude /var/log/syslog.10. |
| Wildcard path | /directory/*/file.name (Example: /home/*/eicar.com) | Excludes any file with the named file name that matches the named directory and wildcard pattern. | |

Examples

Here are some examples of exclusion expressions.

| Expression | Items that are excluded |
|---|---|
| */data/report | A file named report in a directory named data in any location |
| *.txt | Any file whose name ends in .txt in any location |
| /mnt/hgfs/data/*.txt | Any file whose name ends in .txt in the directory named /mnt/hgfs/data/ |
| */report??2020 | Any file whose name begins with report followed by two characters and ends with 2020 in any location |
| */report20??/* | Any directory in any location whose name begins with report20 and ends with two characters, and all directories and files below it in the filesystem |
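
The syntax rules above can be applied as a review check on an exclusion list before it is deployed. The following Python is an added example, not vendor code: it classifies each expression by its shape only and does not reproduce the product's matching engine. The function names, the type label "wildcard in any location" and the HIGH_LEVEL_DEPTH threshold are assumptions.

```python
import re

# Assumption: absolute directory exclusions this shallow count as "high-level";
# the page gives no numeric threshold.
HIGH_LEVEL_DEPTH = 1

def classify(expr):
    """Name the exclusion type from its syntax, following the table's rows."""
    wildcard = bool(re.search(r"[*?]", expr))
    is_dir = expr.endswith("/")
    if expr.startswith("/"):
        if wildcard:
            return "absolute path with wildcard"
        return "absolute path to directory" if is_dir else "absolute path to file"
    if re.fullmatch(r"\*\.[^/*?]+", expr):
        return "file extension"
    if re.fullmatch(r"[^/*?]+\.\*", expr):
        return "file name prefix"
    if wildcard:
        return "wildcard in any location"
    parts = [p for p in expr.split("/") if p]
    if is_dir:
        return "directory name" if len(parts) == 1 else "relative path to a directory"
    return "file name" if len(parts) == 1 else "relative path to a file"

def audit(expr):
    """Return (type, warnings) for one exclusion expression."""
    kind, warnings = classify(expr), []
    if not expr.startswith("/"):
        # Every non-absolute form in the table is location-independent.
        warnings.append("matches anywhere on the file system")
    if expr.endswith("/"):
        warnings.append("excludes a whole directory tree")
        depth = len([p for p in expr.split("/") if p])
        if expr.startswith("/") and depth <= HIGH_LEVEL_DEPTH:
            warnings.append("high-level directory")
    if kind == "file extension":
        warnings.append("excludes every file with this extension")
    return kind, warnings

# Constructed sample list: expressions taken from the page, plus /var/.
SAMPLE = ["/mnt/hgfs/excluded", "/mnt/hgfs/excluded/", "excluded/",
          "*.txt", "*/data/report", "/var/"]

if __name__ == "__main__":
    for e in SAMPLE:
        kind, warnings = audit(e)
        print(f"{e:22} {kind:30} {'; '.join(warnings) or 'ok'}")
```

An expression that returns no warnings is an absolute path to a single file, the narrowest form the page describes.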

Command line exclusions

You can use the exclusions shown in this table on the command line.

These exclusions are all relative to the current working directory.

| Type | Exclusion | Description | Example |
|---|---|---|---|
| File in current directory | ./file.name | Excludes the named file in the current directory. | ./eicar.com or $PWD/eicar.com. For example, this maps to /home/pair/eicar.com. |
| Sub-directory of the current working directory | ./directory | Excludes the named subdirectory. | ./foo/ or $PWD/foo/ |
| Path to file from the current working directory | ./directory/file.name | Excludes the named file on the named path only. | ./foo/eicar.com or $PWD/foo/eicar.com |
| Relative path from current working directory | ../directory/ | Excludes the named directory. | ../foo/ or $PWD/../foo. For example, this maps to /home/pair/../foo. |