Exclusion rules with an EDR
Managing application flows through exclusion rules is an approach specific to traditional antivirus solutions, but it does not apply to an EDR such as CrowdStrike or SentinelOne.
1. Difference in operation between antivirus and EDR
Antivirus: proactively scans all dormant files on the system (whether executed or not).
This generates a large volume of scans and requires numerous exclusions to avoid false positives on inactive files.
EDR (CrowdStrike, SentinelOne): focuses only on files that are actually executed and on dynamic system behaviors (processes, connections, user actions, etc.).
No continuous full-disk scanning is performed.
Inactive files are not analyzed (except during manual scans).
⇒ In practice, since an EDR analyzes suspicious behaviors rather than signatures (which is what an antivirus does), excluding a folder from analysis is unnecessary.
⚠️ On the contrary, this would have a negative effect: if suspicious behavior were to occur in that folder, the EDR would not be able to detect it. That being said, this remains technically possible if the need is validated by our SOC team.
2. Intelligent prevention and reactive exclusion management
CrowdStrike integrates a set of preventive mechanisms to limit false positives without manual intervention:
Preconfigured exclusion lists are automatically applied during deployment.
In the event of a suspicious detection involving a business application, the program is:
Temporarily blocked
Then analyzed by our SOC before any definitive action is taken
❗ To avoid potential unwanted business disruptions, full isolation is performed only manually, either after analysis by our SOC team or by you.
3. Exclusions should not be defined upfront
Trying to anticipate exclusions before any detection occurs represents a major risk:
It amounts to preemptively excluding potentially malicious behaviors simply because they are associated with a known business application.
Result: you risk neutralizing the EDR’s detection capabilities, allowing certain attacks to go undetected.
👉 At Stoïk, exclusions are handled only in response to a real detection, based on SOC analysis.
4. Conclusion
Exclusions in an EDR are far fewer and are applied only when a blocking event has actually occurred. It is neither necessary nor advisable to add “preventive” exclusion rules as you would with a traditional antivirus.
Concrete example: one of our clients (a national retail player) had more than 3,000 workstations and several thousand exclusions in their previous antivirus solution. After switching to CrowdStrike, no exclusions were required.