Scan Exclusion Settings for Mac

Configure scan exclusions to increase the scanning performance and skip the scanning of files that are known to be harmless. When a particular scan type runs, Core Protection Module for Mac checks the scan exclusion list to determine which files to exclude from scanning.

Scan Exclusion List

Files: Core Protection Module for Mac does not scan a file if:
- The file's directory path is the same as the path specified in the scan exclusion list.
- The file matches the full file path (directory path and file name) specified in the scan exclusion list.
File Extensions: Core Protection Module for Mac does not scan a file if the file extension matches any of the extensions included in the exclusion list.

Scan Exclusion Lists (Files)

Administrators must follow specific criteria when configuring the file exclusion list.

Core Protection Module for Mac supports a maximum of 64 file exclusions.
Administrators cannot only type a file name. Core Protection Module for Mac requires a full file path.
Administrators must type properly formatted paths.

Examples:

Full file path: excludes a specific file.
- Example 1: /file.log
- Example 2: /System/file.log
Directory path: excludes all files located on a specific folder and all subfolders.
- Example 1: /System/
  - Examples of files excluded from scans:
    - /System/file.log
    - /System/Library/file.log
- Example 2: /System/Library
  - Examples of files excluded from scans:
    - /System/Library/file.log
    - /System/Library/Filters/file.log
- Examples of files that Core Protection Module for Mac scans:
  - /System/file.log

Use the asterisk wildcard (*) in place of folder names. See the examples below.

Full file path: /Users/Mac/*/file.log
- Examples of files excluded from scans:
  - /Users/Mac/Desktop/file.log
  - /Users/Mac/Movies/file.log
- Examples of files that Core Protection Module for Mac scans:
  - /Users/file.log
  - /Users/Mac/file.log
Directory path:
- Example 1: /Users/Mac/*
  - Examples of files excluded from scans:
    - /Users/Mac/doc.html
    - /Users/Mac/Documents/doc.html
    - /Users/Mac/Documents/Pics/pic.jpg
  - Examples of files that Core Protection Module for Mac scans:
    - /Users/doc.html
- Example 2: /*/Components
  - Examples of files excluded from scans:
    - /Users/Components/file.log
    - /System/Components/file.log
  - Examples of files that Core Protection Module for Mac scans:
    - /file.log
    - /Users/file.log
    - /System/Files/file.log

Note: Core Protection Module for Mac does not support partial matching of folder names. For example, administrators cannot type /Users/*user/temp to exclude files on folder names ending in user, such as end_user or new_user.

Configure Scan Exclusion Lists

From the IBM BigFix Console, click Endpoint Protection on the lower-left pane.
From the upper-left navigation pane, go to Core Protection Module > Configuration > Scan Exclusion Settings for Mac > Scan Exclusion Settings. The Scan Exclusion Settings for Mac wizard opens.
Select the Enable scan exclusions check box.
Select Exclude Trend Micro directories (reduce false positives).
Select Exclude BigFix directories (improves performance).
To configure the Scan Exclusion List for files:
1. Type a full file path or directory path and click E.
2. To delete a path, select the file path and click Remove Selected Item.
To configure the Scan Exclusion List (File Extensions):
1. Type a file extension without a period (.) and click Add. For example, type pdf.
  Note: Core Protection Module for Mac supports a maximum of 64 file extension exclusions.
2. To delete a file extension, select the extension and click Remove Selected Item.
Click Create Configuration Task.... The Create Task screen opens.
Type a name for the task or accept the default name. Click OK. The Take Action screen appears.
In the Target tab, a list of endpoints that are running the CPM for Mac client opens.
Select all applicable computers and then click OK.
In the Action | Summary window that opens, monitor the "Status" and "Count" of the Action to confirm that it is "Running" and then "Completed."