Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=exploit-exclusions-advanced

Exploit mitigation or ransomware wildcards and variables

You can use wildcards or variables when you add exclusions for exploit mitigation or ransomware protection.

Using wildcards and variables safely

Be careful if you use wildcards or variables to set up exclusions because they decrease your protection. Make your exclusions as specific as possible. It's risky to generalize the exclusion to cover more files and folders than you need to.

If you want to exclude applications or folders from protection for some users or devices, you can do this using an Endpoint Threat Protection policy. See Threat Protection Policy.

If you want to exclude applications or folders from protection for some servers, you can do this using a Server Threat Protection policy. See Server Threat Protection Policy.

Adding exclusions reduces your protection, so we recommend that you use policies to target users and devices where the exclusion is necessary.

Wildcards

You can use the wildcards shown in this table.

Token Matches
* (Star)

Zero or more of any character except \ or /

For example: c:\foo* matches c:\foo, c:\foobar, c:\foobar.exe
** (Star Star)

Zero or more characters including \ and /, when bracketed by \ or / characters or used at the start or end of an exclusion.

Any other use of a ** is treated as a single * and matches zero or more characters excluding \ and /.

For example:

  • c:\foo\**\bar matches: c:\foo\bar, c:\foo\more\bar, c:\foo\even\more\bar
  • c:\foo\** matches c:\foo\more\bar
? (Question mark)

One single character. If it is at the end of a string it can match zero characters.

For example: c:\foo? matches c:\foo, and c:\foob.
. (Period)

A period or the empty string at the end of a filename, if the pattern ends in a period and the filename does not have an extension.

Note that *. matches all files without an extension.

For example: "foo." matches foo and foo.

Note

At the start of a path only the ** wildcard is supported. You can exclude drives in other ways. For information on how to do this see the list of variables that follows.

Variables

You can use variables when you set up exclusions. Make your variables as specific as possible. It's risky to generalize the exclusion to cover more files and folders that you need to.

Be careful if you use the following variables to set up exclusions as they decrease your protection.

  • $: This excludes your selected application on all available drives from exploit mitigation or ransomware protection.
  • $temp: This excludes C:\Windows\Temp from exploit mitigation or ransomware protection.
  • $appdata: This excludes C:\Users\**\AppData\ from exploit mitigation or ransomware protection.
  • $System32: This excludes C:\Windows\System32\ and C:\Windows\Syswow64\ from exploit mitigation or ransomware protection.
  • $windows: This excludes C:\Windows\ from exploit mitigation or ransomware protection.
  • $profile: This excludes C:\Users\<user>\ from exploit mitigation or ransomware protection..

You can use the variables shown in this table.

Variable Example
$

All available drives.

For example, $\app.exe excludes C:\app.exe, D:\app.exe, and so on.

Be careful if you use this variable to set up exclusions as it reduces your protection.
$admintools

C:\Users\<user>\Administrative Tools

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

CSIDL_COMMON_ADMINTOOLS
$appdata

C:\Users\<user>\AppData\Local

C:\Users\<user>\AppData\Roaming

CSIDL_COMMON_APPDATA

FOLDERID_LocalAppDataLow

Be careful if you use this variable to set up exclusions as it reduces your protection.
$cache

C:\Users\<user>\Cache

C:\Users\<user>\AppData\Local\Microsoft\Windows\INetCache

CSIDL_INTERNET_CACHE
$clickonce

C:\Users\<user>\AppData\Local\Apps\2.0\17NXGR82.QZW\OM7PJJ9G.3YE\cust...app_234e
$commonprogramfiles

C:\Program Files (x86)\Common Files\

C:\Program Files\Common Files
$contacts

C:\users\<user>\Contacts

FOLDERID_Contacts
$desktop

C:\Users\<user>\Desktop

CSIDL_COMMON_DESKTOPDIRECTORY
$downloads

C:\Users\<user>\Downloads

FOLDERID_Downloads
$favorites

C:\Users\<user>\Favorites
$fonts

C:\Windows\Fonts

C:\Users\<user>\Fonts

CSIDL_FONTS
$links

C:\Users\<user>\Links

FOLDERID_Links
$music

C:\Users\<user>\My Music
$nethood

%USERPROFILE%\Appdata\Roaming\Microsoft\Windows\Network Shortcuts

C:\Users\<user>\NetHood
$personal

C:\Users\<user>\My Documents
$pictures

C:\Users\<user>\My Pictures
$printhood

%USERPROFILE%\Appdata\Roaming\Microsoft\Windows\Printer Shortcuts

C:\Users\<user>\PrintHood
$profile

C:\Users\<user>

Be careful if you use this variable to set up exclusions as it reduces your protection.
$programfiles

C:\Program Files (x86)

C:\Program Files

Be careful if you use this variable to set up exclusions as it reduces your protection.
$programs

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

C:\Users\<user>\Programs

CSIDL_COMMON_PROGRAMS
$sendto

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo

C:\Users\<user>\SendTo
$startmenu

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu

C:\Users\<user>\StartMenu
$startup

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

C:\Users\<user>\Startup

CSIDL_COMMON_STARTUP
$system32

C:\Windows\system32

C:\Windows\SysWOW64

Be careful if you use this variable to set up exclusions as it reduces your protection.
$temp

C:\Windows\Temp

%TEMP%

Be careful if you use this variable to set up exclusions as it reduces your protection.
$templates

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates

C:\Users\<user>\Templates
$video

C:\Users\<user>\My Video
$windows

C:\Windows

CSIDL_WINDOWS

Be careful if you use this variable to set up exclusions as it reduces your protection.
$winsxs C:\Windows\winsxs\*\