# Exclusion rules with an EDR

Managing application activity through exclusion rules is an approach specific to traditional antivirus solutions; it does **not** apply to an EDR such as **CrowdStrike** or **SentinelOne**.

## Difference in operation between antivirus and EDR

* **Antivirus:** proactively scans all dormant files on the system (whether executed or not). This generates a large volume of scans and requires numerous exclusions to avoid false positives on inactive files.
* **EDR (CrowdStrike, SentinelOne):** focuses only on files that are actually executed and on dynamic system behaviors (processes, connections, user actions, etc.). No continuous full-disk scanning is performed; inactive files are not analyzed except during manual scans.

{% hint style="info" %}
Since an EDR analyzes **suspicious behaviors rather than signatures**, excluding a folder from analysis is unnecessary.
{% endhint %}

{% hint style="warning" %}
Excluding a folder would have a negative effect: if suspicious behavior were to occur in that folder, the EDR would not be able to detect it. That said, this remains technically possible if the need is validated by our SOC team.
{% endhint %}

## Intelligent prevention and reactive exclusion management

CrowdStrike integrates a set of preventive mechanisms to limit false positives without manual intervention:

* Preconfigured exclusion lists are automatically applied during deployment.
* In the event of a suspicious detection involving a business application, the program is temporarily blocked, then analyzed by our SOC before any definitive action is taken.

{% hint style="warning" %}
To avoid unwanted business disruptions, full isolation of a host is performed **only manually**, either by our SOC team after analysis or by you.
{% endhint %}

## Exclusions should not be defined upfront

Trying to anticipate exclusions before any detection occurs represents a major risk:

* It amounts to preemptively excluding potentially malicious behaviors simply because they are associated with a known business application.
* **Result:** you risk neutralizing the EDR's detection capabilities, allowing certain attacks to go undetected.

At **Stoïk**, exclusions are handled **only in response to a real detection**, based on SOC analysis.

## Conclusion

Exclusions in an EDR are far fewer and are applied **only when a blocking event has actually occurred**. It is neither necessary nor advisable to add "preventive" exclusion rules as you would with a traditional antivirus.

**Concrete example:** One of our clients (a national retail player) had more than 3,000 workstations and several thousand exclusions in their previous antivirus solution. After switching to CrowdStrike, no exclusions were required.
