AV and EDR Exclusions

Whitelisting the We360.ai agent in CrowdStrike, Defender, SentinelOne, Zscaler, Symantec, and BitDefender.

1 — Why exclusions are required

The We360.ai agent performs activity monitoring through input hooks, screenshot capture, and accessibility APIs. These behaviors are functionally indistinguishable from the techniques used by spyware and trojans, which means heuristic and behavioral detection engines will flag, quarantine, or block the agent without properly scoped exclusions.

Configure all exclusions and deploy all MDM profiles before installing the agent. The most common deployment failure pattern is installing the monitoring agent first, having the AV quarantine critical components, then retroactively adding exclusions that cannot restore corrupted files. Always follow this sequence: configure exclusions in your enterprise AV console → push to endpoints → verify policy application → then deploy the monitoring agent. Test on a pilot group of 10–20 devices for 48–72 hours before broad rollout (see the Deployment sequence section at the end of this guide for the full checklist).


2 — We360.ai agent inventory

2.1 Windows Standard mode — file paths and processes

Exclude the entire folder where possible. Fall back to individual file exclusions only if the AV product does not support folder-level exclusions.

Path                                               Description
C:\Program Files\Zenstack\MyZenV2\                 Root install folder — exclude recursively
C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe      Main agent process; captures activity, screenshots, and app usage
C:\Program Files\Zenstack\MyZenV2\zen_cli.exe      Internal CLI helper
C:\Program Files\Zenstack\MyZenV2\updater.exe      Manages agent updates: downloads, verifies, and applies new builds
C:\Program Files\Zenstack\MyZenV2\svcrunner.exe    Windows service host that keeps the agent running persistently

2.2 Windows Stealth mode — file paths and processes

Exclude the entire folder where possible. Fall back to individual file exclusions only if the AV product does not support folder-level exclusions.

Path                                               Description
C:\Program Files\zs\zs\                            Root install folder — exclude recursively
C:\Program Files\zs\zs\MyZenV2s.exe                Stealth agent process
C:\Program Files\zs\zs\updater.exe                 Agent update manager
C:\Program Files\zs\zs\configure_user.exe          Applies per-user configuration at login
C:\Program Files\zs\zs\zen_cli.exe                 Internal CLI helper
C:\Windows\svcmonitor.exe                          Watchdog process; automatically restarts the agent if terminated
C:\Windows\svcrunner.exe                           Windows service host

Security note: The stealth-mode watchdog (svcmonitor.exe) and service host (svcrunner.exe) reside in C:\Windows\, which is a sensitive path. Do not broadly exclude C:\Windows\ — add process-level or exact-path exclusions for these two files only.

2.3 macOS Standard mode — paths, bundle ID, and code signing identity

Property              Value
Application bundle    /Applications/MyZenV2.app
Executable            /Applications/MyZenV2.app/Contents/MacOS/MyZenV2
Bundle Identifier     ai.we360.MyZenV2
Team ID               5KPT5U8WVR
Code Requirement      identifier "ai.we360.MyZenV2" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "5KPT5U8WVR"

2.4 macOS Stealth mode — paths, bundle ID, and code signing identity

Property              Value
Application bundle    /usr/local/zs/zs.app
Executable            /usr/local/zs/zs.app/Contents/MacOS/zs
Bundle Identifier     ai.zs.zs
Team ID               5KPT5U8WVR
Code Requirement      identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "5KPT5U8WVR"

Both modes share the same Team ID (5KPT5U8WVR). This means a single System Extensions MDM profile can cover both, but PPPC profiles must reference each bundle identifier individually.
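The scoping rule from the 2.2 security note, applied to the whole inventory above as an added example (not the guide's own tooling): every planned entry is checked against a list of sensitive roots and the documented install roots, both of which are this example's assumptions, before it is typed into any console.

```python
"""Audit an exclusion manifest for scope before it goes into any console.

Added example; not code from the We360.ai guide or from any vendor. The
paths are the inventory in sections 2.1 to 2.4; the sensitive-root list and
the four rules are this example's own assumptions about safe scoping.
"""
from __future__ import annotations

from dataclasses import dataclass

# Folders that must never be excluded wholesale (assumed list): a folder
# exclusion here exempts anything later dropped into that folder.
SENSITIVE_ROOTS = {
    "windows": ["C:\\", "C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\"],
    "macos": ["/", "/Applications/", "/Library/", "/System/", "/usr/local/"],
}

# Install roots the guide documents; folder exclusions are acceptable only
# at or below one of these.
INSTALL_ROOTS = {
    "windows": ["C:\\Program Files\\Zenstack\\MyZenV2\\", "C:\\Program Files\\zs\\zs\\"],
    "macos": ["/Applications/MyZenV2.app/", "/usr/local/zs/zs.app/"],
}


@dataclass(frozen=True)
class Exclusion:
    platform: str  # "windows" or "macos"
    path: str      # folder exclusions end with the platform separator


def _sep(platform: str) -> str:
    return "\\" if platform == "windows" else "/"


def _norm(platform: str, path: str) -> str:
    # Windows paths compare case-insensitively, macOS paths do not (section 4.2).
    return path.lower() if platform == "windows" else path


def _is_folder(platform: str, path: str) -> bool:
    # A trailing "*" or "**" glob (Cortex XDR / Trellix syntax) is still a
    # whole-folder exclusion.
    return path.rstrip("*").endswith(_sep(platform))


def audit(exclusions: list[Exclusion]) -> list[str]:
    """Return one finding per over-broad or malformed entry; [] means clean."""
    findings: list[str] = []
    for ex in exclusions:
        wrong_sep = "/" if ex.platform == "windows" else "\\"
        # Rule 1: the separator must match the platform or the console rejects it.
        if wrong_sep in ex.path:
            findings.append(f"{ex.path}: wrong path separator for {ex.platform}")
            continue
        p = _norm(ex.platform, ex.path.rstrip("*"))
        roots = [_norm(ex.platform, r) for r in SENSITIVE_ROOTS[ex.platform]]
        installs = [_norm(ex.platform, r) for r in INSTALL_ROOTS[ex.platform]]
        if _is_folder(ex.platform, ex.path):
            # Rule 2: never a sensitive root itself (the 2.2 note on C:\Windows\).
            if p in roots:
                findings.append(f"{ex.path}: folder exclusion on sensitive root")
            # Rule 3: otherwise it must sit at or below a documented install root.
            elif not any(p.startswith(r) for r in installs):
                findings.append(f"{ex.path}: folder exclusion outside documented install roots")
        # Rule 4: exact-file entries may live anywhere, but a wildcard in them
        # (C:\Windows\*.exe) silently widens the exclusion to the whole folder.
        elif "*" in ex.path or "?" in ex.path:
            findings.append(f"{ex.path}: wildcard in file exclusion")
    return findings


# Constructed manifest: the Windows and macOS inventory of sections 2.1 to 2.4.
MANIFEST = [
    Exclusion("windows", "C:\\Program Files\\Zenstack\\MyZenV2\\"),
    Exclusion("windows", "C:\\Program Files\\zs\\zs\\"),
    Exclusion("windows", "C:\\Windows\\svcmonitor.exe"),
    Exclusion("windows", "C:\\Windows\\svcrunner.exe"),
    Exclusion("macos", "/Applications/MyZenV2.app/"),
    Exclusion("macos", "/usr/local/zs/zs.app/"),
]

if __name__ == "__main__":
    for line in audit(MANIFEST) or ["manifest is clean"]:
        print(line)
```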

2.5 macOS code signing reference

Use the Code Requirement strings in 2.3 and 2.4 as the verified code requirement in all PPPC / TCC configuration profiles. They were extracted from the live binaries via codesign --display --requirements -; run the same command against the installed bundle whenever you need to re-verify them.


3 — CrowdStrike Falcon

Official documentation:

  • ML Exclusions: https://falcon.crowdstrike.com/documentation/41/ml-exclusions (login required) / API: https://www.falconpy.io/Service-Collections/Ml-Exclusions.html

  • IOA Exclusions: https://falcon.crowdstrike.com/documentation/73/ioa-exclusions (login required)

  • Sensor Visibility Exclusions API: https://www.falconpy.io/Service-Collections/Sensor-Visibility-Exclusions.html

  • IOC Management API: https://www.falconpy.io/Service-Collections/IOC.html

  • PSFalcon PowerShell module: https://github.com/CrowdStrike/psfalcon

  • Exclusion walkthrough: https://support.redcanary.com/hc/en-us/articles/4413344754071-How-to-Create-Exclusions-in-CrowdStrike

4.1 ML exclusions — Windows

ML exclusions prevent CrowdStrike's machine-learning static analysis from flagging the We360.ai binaries.

  1. Log into Falcon Console → Configuration › Detections Management › Exclusions

  2. Select Machine Learning Exclusions tab → Create Exclusion

  3. Set scope to the appropriate host group (or "All hosts" if deploying org-wide)

  4. Excluded from: Detections and Preventions

  5. Add the following patterns (one exclusion per pattern):

Standard mode:

Stealth mode:

  6. Use Pattern test to validate → add an audit comment (e.g., "We360.ai monitoring agent — ticket INC-12345") → Create

4.2 ML exclusions — macOS

Same console workflow as 4.1. CrowdStrike ML exclusions use forward-slash paths for macOS.

Standard mode:

Stealth mode:

Path syntax matters: macOS exclusions are case-sensitive and must use /. Windows exclusions are case-insensitive and use \. CrowdStrike will reject incorrectly formatted paths.

4.3 IOA exclusions (if behavioral alerts persist)

If the ML exclusion resolves file-based detections but CrowdStrike still generates behavioral/IOA alerts (e.g., for process injection or screenshot capture), add IOA exclusions:

  1. Same console path → IOA Exclusions tab → Create IOA Exclusion

  2. Set the triggering detection (match the exact rule ID from the alert)

  3. Image Filename regex:

    • Windows standard: .*\\MyZenV2\.exe

    • Windows stealth: .*\\MyZenV2s\.exe

    • macOS standard: .*/MyZenV2

    • macOS stealth: .*/zs

  4. Scope to applicable groups → Create

4.4 Sensor Visibility exclusions

Only use these if ML + IOA exclusions are insufficient.

  1. Same console path → Sensor Visibility Exclusions tab

  2. Add paths:

    • Windows: C:\Program Files\Zenstack\MyZenV2\ or C:\Program Files\zs\zs\

    • macOS: /Applications/MyZenV2.app/ or /usr/local/zs/zs.app/

4.5 Custom IOC — hash-based (suppress detections)

  1. Navigate to Threat Intelligence › IOC Management › Add IOC

  2. Type: SHA-256 → Paste the hash of the specific binary

  3. Action: No Action → Platforms: Windows and/or macOS → Expiration: set to align with next agent update cycle

  4. Repeat for each binary

Collect hashes:

Windows (PowerShell):

macOS (Terminal):

4.6 Domain/URL IOC — suppress network detections

  1. Threat Intelligence › IOC Management › Add IOC

  2. Type: Domain → Value: we360.ai → Action: No Action → Platforms: Windows, macOS

  3. Repeat for other domains listed in the Allowlist Guide.

Note: Domain IOCs support "Detect Only" and "No Action" only. There is no "Allow" action for domain indicators.

4.8 Automation (PSFalcon)

PSFalcon module: https://github.com/CrowdStrike/psfalcon — note that PSFalcon 2.2.0+ uses -GroupId (singular) as the primary parameter name; -GroupIds is retained as an alias.

Note: The ValidateSet accepts two values: "blocking" (ML detection/prevention) and "extraction" (file upload to CrowdStrike cloud); @("blocking","extraction") is often the appropriate choice to also prevent sample uploads.

4.9 Propagation

Exclusions take up to 40 minutes to reach all sensors (both Windows and macOS). Allow this window before deploying the We360.ai agent to target hosts.


4 — Microsoft Defender (Antivirus + Defender for Endpoint)

Official documentation:

  • Add-MpPreference: https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference

  • File/folder exclusions: https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus

  • Process exclusions: https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus

  • Custom exclusions overview: https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antivirus

  • macOS exclusions: https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions

  • Intune AV policy: https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-antivirus-policy

  • Policy CSP (OMA-URI): https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender

  • Custom indicators: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain

  • Advanced features: https://learn.microsoft.com/en-us/defender-endpoint/advanced-features

  • ASR exclusions: https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction

  • Controlled Folder Access: https://learn.microsoft.com/en-us/defender-endpoint/customize-controlled-folders

  • Tamper Protection: https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection

5.1 Windows — Antivirus exclusions (path and process)

These prevent Defender Antivirus from scanning We360.ai files and processes. They apply to real-time, scheduled, and on-demand scans.

PowerShell (run elevated):

CAUTION: Use Add-MpPreference (appends). Set-MpPreference replaces the entire exclusion list and will remove all existing exclusions. See: https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference

Validate an exclusion:

5.2 macOS — Defender for Endpoint exclusions

Microsoft Defender for Endpoint on macOS uses the mdatp CLI and MDM-deployed plist preferences. See: https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions

CLI method (run as root or with sudo):

5.4 Windows — Intune / Endpoint Manager

Endpoint Security › Antivirus › Create Policy:

  • Platform: Windows

  • Profile: Microsoft Defender Antivirus Exclusions

  • Excluded Paths (Folders):

    • C:\Program Files\Zenstack\MyZenV2

    • C:\Program Files\zs\zs

  • Excluded Processes:

    • C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe

    • C:\Program Files\zs\zs\MyZenV2s.exe

    • C:\Windows\svcmonitor.exe

    • C:\Windows\svcrunner.exe

Assign the policy to the device group that will run We360.ai.

OMA-URI (custom CSP) paths:

See: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender

5.5 Defender for Endpoint — URL/domain indicators (Windows + macOS)

AV exclusions do not cover Defender's network protection or web content filtering layers. If Defender for Endpoint is in use, create Allow indicators for We360.ai domains:

  1. Microsoft Defender portal (security.microsoft.com) → Settings › Endpoints › Rules › Indicators › URLs/Domains

  2. Add Indicator → URL/Domain: *.we360.ai → Action: Allow → Scope: Org-wide or device group → Title: "We360.ai agent communication" → Save

  3. Repeat for portal.we360.ai, api.in.we360.ai, auth.in.we360.ai, assets.we360.ai, assets.v2.we360.ai, origin.in.we360.ai, origin.global.we360.ai

Prerequisite: Custom Network Indicators must be enabled under Settings › Endpoints › Advanced Features. Indicators apply to both Windows and macOS endpoints enrolled in MDE. See: https://learn.microsoft.com/en-us/defender-endpoint/advanced-features

5.6 Windows — Attack Surface Reduction (ASR) rule exclusions

If ASR rules block We360.ai behaviors:

See: https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction

5.7 Windows — Controlled Folder Access

If Controlled Folder Access is enabled and We360.ai needs to write to protected folders:

See: https://learn.microsoft.com/en-us/defender-endpoint/customize-controlled-folders


5 — SentinelOne

Official documentation:

  • SentinelOne Exclusions training: https://university.sentinelone.com/courses/exclusions-and-allow-rules (login required)

  • Whitelisting and Blacklisting solution brief: https://www.sentinelone.com/wp-content/uploads/2017/06/SentinelOne-Whitelisting-and-Blacklisting.pdf

  • Community KB — Exclusion types: https://community.sentinelone.com/s/article/000006818 (login required)

  • Path exclusion best practices: https://support.guardz.com/en/articles/10807589-best-practices-for-sentinelone-exclusions

6.1 Choosing the right exclusion mode

SentinelOne offers five graduated exclusion modes. For We360.ai, start with Interoperability and escalate only if conflicts persist.

Mode                            When to use for We360.ai
Suppress Alerts                 -
Interoperability                Start here
Interoperability - Extended     Use if We360.ai child processes (e.g., updater launching the main agent) are flagged
Performance Focus               Aggressive — disables significant monitoring for the excluded path
Performance Focus - Extended    Last resort — disables all monitoring of excluded processes and their child processes

6.2 Path exclusions — Windows

The SentinelOne console has two UI experiences. The legacy layout uses Sentinels › Exclusions; the newer unified layout uses Settings › Policy › Exclusions. The steps below apply to both; adjust navigation to match your console version.

  1. Navigate to the Exclusions page (see note above)

  2. Click New Exclusion → Type: Path → OS: Windows

Standard mode:

  • Path: C:\Program Files\Zenstack\MyZenV2\

  • Include Subfolders: Yes

  • Mode: Suppress Alerts (start here)

Stealth mode:

  • Path 1: C:\Program Files\zs\zs\ — Include Subfolders: Yes

  • Path 2: C:\Windows\svcmonitor.exe — exact file

  • Path 3: C:\Windows\svcrunner.exe — exact file

  3. Scope: Global, Site, or Group as appropriate

  4. Add description: "We360.ai monitoring agent — [ticket number]"

  5. Save → Allow ~5 minutes for propagation

If using Interoperability or Performance Focus modes: Restart endpoints after applying the exclusion for the mode change to take effect.

6.3 Path exclusions — macOS

  1. New Exclusion → Type: Path → OS: macOS

Standard mode:

  • Path: /Applications/MyZenV2.app/

  • Include Subfolders: Yes

  • Mode: Suppress Alerts

Stealth mode:

  • Path: /usr/local/zs/zs.app/

  • Include Subfolders: Yes

  2. Scope → Description → Save

6.4 Hash exclusions (most precise)

  1. Navigate to the Exclusions page → Hash exclusion type

  2. Click New Exclusion → enter SHA-1 hash of the target binary

  3. OS: Windows or macOS → Description → Scope → Save

Note: SentinelOne hash exclusions use SHA-1, not SHA-256. This applies to both exclusions and blocklist entries. The SentinelOne API endpoints use /hashes/{sha1}/ format.

Collect SHA-1 hashes:

Windows:

macOS:

6.5 Certificate exclusions

Certificate exclusions survive agent updates without requiring path or hash changes — the most maintenance-free option. SentinelOne's solution brief lists five exclusion types: hash value, path, signer certificate identity, file type, and browser type.

  1. Navigate to the Exclusions page → Certificate exclusion type

  2. Enter the signer identity. For We360.ai, the relevant value from the code signature is the Organizational Unit:

    • OU: 5KPT5U8WVR

    • Signer: Retrieve the full CN from: codesign -dvvv /Applications/MyZenV2.app 2>&1 | grep "Authority"

  3. Scope → Save

This single certificate exclusion covers all We360.ai binaries across both standard and stealth modes on both Windows and macOS (they share Team ID 5KPT5U8WVR).


6 — Zscaler (ZIA + ZCC)

Official documentation:

  • URL Allowlisting: https://help.zscaler.com/zia/adding-urls-allowlist

  • Custom URL Categories: https://help.zscaler.com/zia/configuring-custom-url-categories

  • SSL Inspection Policy: https://help.zscaler.com/zia/configuring-ssl-inspection-policy

  • SSL bypass for specific URLs: https://help.zscaler.com/zia/skipping-inspection-traffic-specific-urls-or-cloud-apps

  • ZCC App Bypass: https://help.zscaler.com/zscaler-client-connector/adding-process-based-applications-bypass-traffic

  • ZCC App Profiles: https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles

  • Z-Tunnel 2.0 bypasses: https://help.zscaler.com/zscaler-client-connector/best-practices-adding-bypasses-z-tunnel-2.0

7.1 ZIA — URL allowlisting

We360.ai agent traffic must bypass Zscaler Internet Access inspection to avoid connection failures and SSL errors. These rules apply to traffic from both Windows and macOS endpoints.

Option A — Global URL Allowlist (fastest):

  1. ZIA Admin Portal → Administration › URL Categories

  2. Locate the pre-defined "Allowlist" entry and click the pencil/edit icon to open it

  3. Add: *.we360.ai, *.in.we360.ai

  4. Click Save → Activate Changes

Note: "Allowlist" is not a separate sub-menu — it is an editable pre-defined entry within the URL Categories list. See: https://help.zscaler.com/zia/adding-urls-allowlist

Option B — Custom URL Category + Allow Rule (more granular):

  1. Administration › URL Categories › Add URL Category

  2. Name: "We360.ai Monitoring Agent"

  3. URLs: *.we360.ai, portal.we360.ai, api.in.we360.ai, auth.in.we360.ai, assets.we360.ai, assets.v2.we360.ai, origin.in.we360.ai, origin.global.we360.ai

  4. Save → Policy › URL & Cloud App Control › Add Rule

  5. URL Categories: select "We360.ai Monitoring Agent" → Action: Allow → Save → Activate Changes

See: https://help.zscaler.com/zia/configuring-custom-url-categories

7.2 ZIA — SSL Inspection bypass

The We360.ai agent may use certificate pinning or custom TLS behavior that breaks under SSL inspection:

  1. Policy › SSL Inspection › Add Rule

  2. Name: "We360.ai SSL Bypass"

  3. Action: Do Not Decrypt

  4. URL Categories: select "We360.ai Monitoring Agent"

  5. Define scope → Save → Activate Changes

Important: The correct action name is "Do Not Decrypt" (API value: DO_NOT_DECRYPT), not "Do Not Inspect." ZIA still processes unencrypted traffic metadata — the bypass only skips TLS decryption. See: https://help.zscaler.com/zia/configuring-ssl-inspection-policy

7.3 ZCC — Application bypass (process-based)

If Zscaler Client Connector tunnels We360.ai traffic and causes connection issues:

  1. ZCC Portal › App Profiles › [Profile] › Traffic Steering

  2. Under App and IP Bypass, add:

Windows: MyZenV2.exe, MyZenV2s.exe, updater.exe, svcrunner.exe, svcmonitor.exe

macOS (use bundle identifiers): ai.we360.MyZenV2, ai.zs.zs

  3. Save → republish the app profile

macOS note: ZCC on macOS supports both process name and bundle identifier for app bypass rules. Bundle identifiers are preferred because they uniquely identify the app regardless of the executable name. On macOS, bundle identifier-based bypasses are deployed via MDM configuration profiles (Jamf Pro, Intune) using the VPN payload format <TeamID>.<BundleID> (e.g., 5KPT5U8WVR.ai.we360.MyZenV2), not directly through the ZCC portal UI. See: https://help.zscaler.com/zscaler-client-connector/deploying-zscaler-client-connector-jamf-pro-macos


7 — Symantec Endpoint Protection (Broadcom SEP)

Official documentation:

  • Configuring Exceptions policies: https://knowledge.broadcom.com/external/article/156028/configuring-exceptions-policies-in-endpo.html

  • Creating Exceptions policies: https://knowledge.broadcom.com/external/article/151461/creating-exceptions-policies-in-the-endp.html

  • Prefix variables: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/file-and-folder-prefix-variables-v135458624-d51e2883.html

  • Trusted Web Domain exceptions: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/trusted-web-domain-exception-v33640881-d51e3269.html

  • Managing exceptions: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-exceptions-in-v36686987-d51e6.html

8.1 Windows — Application and folder exceptions

  1. Open Symantec Endpoint Protection Manager (SEPM)

  2. Navigate to Policies › Exceptions

  3. Create or edit an Exceptions policy → click Exceptions › Add › Windows Exceptions

Folder exceptions:

  • Click Folder → Path: [PROGRAM_FILES]\Zenstack\MyZenV2\ → check Include Subfolders

    • Apply to: All scans (Auto-Protect, Scheduled, On-Demand), SONAR, Application Control

  • Repeat for stealth: [PROGRAM_FILES]\zs\zs\ with subfolders

Application exceptions (prevents SONAR behavioral blocking):

  • Click Application → add each process:

    • [PROGRAM_FILES]\Zenstack\MyZenV2\MyZenV2.exe — Action: Ignore

    • [PROGRAM_FILES]\zs\zs\MyZenV2s.exe — Action: Ignore

    • [SYSTEM_DRIVE]\Windows\svcmonitor.exe — Action: Ignore

    • [SYSTEM_DRIVE]\Windows\svcrunner.exe — Action: Ignore

Terminology: The SEPM console labels the exclusion action as "Ignore" (not "Allow"). "Ignore" tells SONAR and Download Insight to skip detection for the specified application. See: https://knowledge.broadcom.com/external/article/151461/creating-exceptions-policies-in-the-endp.html

Use SEP Prefix Variables ([PROGRAM_FILES], [SYSTEM_DRIVE]) instead of hardcoded drive letters for portability. Full list: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/file-and-folder-prefix-variables-v135458624-d51e2883.html

8.2 macOS — Security Risk exceptions

SEP on macOS supports file and folder Security Risk exceptions only — application-level and SONAR exceptions are Windows-only features.

  1. In SEPM → Policies › Exceptions › Add › Mac Exceptions

  2. Folder → Path: /Applications/MyZenV2.app/ → Include Subfolders → Apply to Security Risk scans

  3. Folder → Path: /usr/local/zs/zs.app/ → Include Subfolders

  4. Assign to the appropriate group

Limitation: Symantec's macOS behavioral analysis (if present) has no per-application exception mechanism via SEPM. If SEP's macOS agent blocks We360.ai behaviorally, contact Broadcom support for guidance on the specific detection.

8.3 Trusted Web Domain exceptions

To prevent Download Insight from blocking We360.ai downloads:

  1. In the same Exceptions policy → Add › Windows Exceptions › Trusted Web Domain

  2. Add: *.we360.ai

Important — subdomains require wildcards: Entering a bare domain (e.g., we360.ai) does not automatically cover subdomains. For example, fakebook.com matches only fakebook.com and does not match www.fakebook.com. You must use a wildcard entry (*.we360.ai) to cover subdomains, and add a separate entry for the bare domain (we360.ai) since the wildcard does not cover it. See: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/trusted-web-domain-exception-v33640881-d51e3269.html
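The wildcard rule above, applied to the full host list from 5.5 and 7.1 as an added check (example code, not Symantec's or the guide's own). It assumes a single *.we360.ai entry also covers deeper names such as api.in.we360.ai; confirm that against your SEP version before relying on it.

```python
"""Check a Trusted Web Domain list against every host the agent contacts.

Added example, not part of the guide or of Symantec's tooling. Match rules
follow the section 8.3 note: a bare entry matches only itself, and a "*."
entry matches subdomains but never the bare domain. That one wildcard also
covers deeper names (api.in.we360.ai) is this example's assumption.
"""
from __future__ import annotations

# Hosts listed in sections 5.5 and 7.1 (Option B), plus the bare domain the
# 8.3 note says needs its own entry.
AGENT_HOSTS = [
    "we360.ai",
    "portal.we360.ai",
    "api.in.we360.ai",
    "auth.in.we360.ai",
    "assets.we360.ai",
    "assets.v2.we360.ai",
    "origin.in.we360.ai",
    "origin.global.we360.ai",
]


def entry_matches(entry: str, host: str) -> bool:
    """Apply one allowlist entry to one hostname (case-insensitive)."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("*."):
        # Wildcard: any name ending in ".<domain>" (the dot keeps
        # look-alikes such as evil-we360.ai out); never the bare domain.
        return host.endswith(entry[1:])
    return host == entry


def uncovered(entries: list[str], hosts: list[str] = AGENT_HOSTS) -> list[str]:
    """Return the hosts no entry covers; an empty list means the list is complete."""
    return [h for h in hosts if not any(entry_matches(e, h) for e in entries)]


if __name__ == "__main__":
    for entries in (["*.we360.ai"], ["*.we360.ai", "we360.ai"]):
        print(entries, "leaves uncovered:", uncovered(entries))
```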

8.4 File Fingerprint List (hash-based, Windows)

  1. On a clean machine with We360.ai installed, run Checksum.exe against the install directory. This utility is installed with the SEP client (typical path: C:\Program Files\Symantec\Symantec Endpoint Protection\Checksum.exe), not on the SEPM server.

  2. Export the fingerprint list as CSV

  3. In SEPM: Policies › Exceptions › Add › Windows Exceptions › File → import the fingerprint list

8.5 Assign and propagate

Assign the Exceptions policy to the Location and Group containing the We360.ai target machines. Policy propagation: push mode ~5 minutes, pull mode ~60 minutes.

8.6 Wildcard support

Wildcards (* and ?) in exception paths require SEP 14.3 RU5 or later. On older versions, wildcards are treated as literal characters — use explicit paths instead.


8 — Bitdefender GravityZone

Official documentation:

  • Antimalware exclusions (current UI): https://www.bitdefender.com/business/support/en/77209-1180477-exclusions.html

  • Configuration Profiles — exclusions: https://www.bitdefender.com/business/support/en/77209-342987-exclusions.html

  • Configuration Profiles overview: https://www.bitdefender.com/business/support/en/77209-342986-configuration-profiles.html

  • macOS process exclusions: https://www.bitdefender.com/business/support/en/77209-343024-adding-process-exclusions-for-mac-in-bitdefender-gravityzone.html

  • Firewall rules: https://www.bitdefender.com/business/support/en/77209-342962-rules.html

  • Network Protection / Intercept Encrypted Traffic: https://www.bitdefender.com/business/support/en/77212-342964-general.html

  • Antimalware configuration: https://www.bitdefender.com/business/support/en/77209-151104-configuration.html

9.1 Windows — Path and process exclusions

  1. Log into the GravityZone Control Center

  2. Navigate to Policies › [target policy] › Antimalware › Exclusions › In-policy exclusions

  3. Click Add

Folder exclusions:

Type     Value                                   Modules to exclude
Folder   C:\Program Files\Zenstack\MyZenV2\      On-Access, On-Demand, ATC/IDS, Ransomware Mitigation
Folder   C:\Program Files\zs\zs\                 On-Access, On-Demand, ATC/IDS, Ransomware Mitigation

ATC/IDS exclusion is critical. Bitdefender's Advanced Threat Control (behavioral analysis) is the module most likely to flag We360.ai's input hooks and screenshot capture. If you exclude only On-Access scanning, ATC will still block the agent. A fifth module, LSASS Protection, is also available in newer GravityZone versions — include it if relevant to your environment.

Process exclusions:

Type      Value                                           Modules
Process   C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe   On-Access, ATC/IDS
Process   C:\Program Files\zs\zs\MyZenV2s.exe             On-Access, ATC/IDS
Process   C:\Windows\svcmonitor.exe                       On-Access, ATC/IDS
Process   C:\Windows\svcrunner.exe                        On-Access, ATC/IDS

  4. Click Add after each entry → Save the policy

Note on console path: Earlier GravityZone versions placed exclusions under "Antimalware › Settings › Custom Exclusions." This path has been superseded by "Antimalware › Exclusions › In-policy exclusions" in current versions. If you see the old path, GravityZone will display a redirect notice. See: https://www.bitdefender.com/business/support/en/77209-1180477-exclusions.html

9.2 macOS — Path and process exclusions

GravityZone manages macOS exclusions from the same console but requires the full binary path inside the .app bundle for process exclusions, not the .app folder itself.

Folder exclusions:

Type     Value                        Modules
Folder   /Applications/MyZenV2.app/   On-Access, On-Demand
Folder   /usr/local/zs/zs.app/        On-Access, On-Demand

Process exclusions:

Type      Value                                              Modules
Process   /Applications/MyZenV2.app/Contents/MacOS/MyZenV2   On-Access, ATC/IDS
Process   /usr/local/zs/zs.app/Contents/MacOS/zs             On-Access, ATC/IDS

macOS-specific: When excluding macOS processes in GravityZone, specify the full path to the Mach-O binary inside Contents/MacOS/, not the .app bundle path. The folder exclusion handles file scanning; the process exclusion handles behavioral monitoring. See: https://www.bitdefender.com/business/support/en/77209-343024-adding-process-exclusions-for-mac-in-bitdefender-gravityzone.html

9.3 Hash-based exclusions (SHA-256)

  1. In the same Exclusions panel → Type: File Hash

  2. Enter the SHA-256 of each executable

  3. Select all applicable modules → Add

Collect hashes:

Windows:

macOS:
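One cross-platform way to collect the digests this step, 4.5 and 6.4 ask for, as an added example rather than the guide's PowerShell and Terminal commands: a single pass per file yields both the SHA-256 that CrowdStrike and GravityZone take and the SHA-1 that SentinelOne takes. The install roots are those documented in section 2; the .exe/.dll filter for Windows is this example's assumption.

```python
"""Hash every We360.ai binary once and emit the digest each vendor wants.

Added example, not code from We360.ai or any vendor. CrowdStrike custom
IOCs and Bitdefender file-hash exclusions take SHA-256 (sections 4.5 and
9.3); SentinelOne hash exclusions take SHA-1 (section 6.4).
"""
from __future__ import annotations

import csv
import hashlib
import io
import os
import sys

# Install roots from sections 2.1 to 2.4, plus the two stealth-mode files
# that live in C:\Windows\ (section 2.2). Roots absent on this host are skipped.
DEFAULT_ROOTS = [
    "C:\\Program Files\\Zenstack\\MyZenV2",
    "C:\\Program Files\\zs\\zs",
    "C:\\Windows\\svcmonitor.exe",
    "C:\\Windows\\svcrunner.exe",
    "/Applications/MyZenV2.app/Contents/MacOS",
    "/usr/local/zs/zs.app/Contents/MacOS",
]

CHUNK = 1 << 20  # read 1 MiB at a time so large updater payloads don't load whole


def hash_stream(fh) -> dict[str, str]:
    """Compute SHA-256 and SHA-1 in one pass over a binary stream."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        h256.update(chunk)
        h1.update(chunk)
    return {"sha256": h256.hexdigest(), "sha1": h1.hexdigest()}


def hash_bytes(data: bytes) -> dict[str, str]:
    return hash_stream(io.BytesIO(data))


def _is_binary(name: str) -> bool:
    # Windows executables by extension (assumed filter); macOS Mach-O binaries
    # inside Contents/MacOS carry no extension, so those are taken as-is.
    return name.lower().endswith((".exe", ".dll")) or "." not in name


def hash_roots(roots: list[str]) -> list[dict[str, str]]:
    """One row per binary found under the given files/folders."""
    rows: list[dict[str, str]] = []
    for root in roots:
        if os.path.isfile(root):
            with open(root, "rb") as fh:
                rows.append({"path": root, **hash_stream(fh)})
        elif os.path.isdir(root):
            for dirpath, _, files in os.walk(root):
                for name in sorted(files):
                    if not _is_binary(name):
                        continue
                    full = os.path.join(dirpath, name)
                    with open(full, "rb") as fh:
                        rows.append({"path": full, **hash_stream(fh)})
    return rows


def to_csv(rows: list[dict[str, str]]) -> str:
    """CSV with one column per vendor digest, ready to paste into a console."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["path", "sha256", "sha1"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:] or DEFAULT_ROOTS
    sys.stdout.write(to_csv(hash_roots(targets)))
```

Re-run it after every agent update and replace the hash entries, since a new build invalidates every hash-based exclusion while path and certificate exclusions keep working.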

9.4 Configuration Profiles (shared exclusion lists)

If you manage multiple policies, create a reusable exclusion set:

  1. Navigate to Configuration Profiles.

  2. Navigate to the Exclusions tab → create a profile named "We360.ai Agent Exclusions"

  3. Add all folder, process, and hash entries from 9.1, 9.2, and 9.3

  4. Within any target policy, navigate to Antimalware › Exclusions › Exclusions from configuration profiles and attach the "We360.ai Agent Exclusions" profile

See: https://www.bitdefender.com/business/support/en/77209-342986-configuration-profiles.html

9.5 Network / firewall module (Windows)

If GravityZone's firewall module is active:

  1. Policies › [policy] › Firewall › Rules

  2. Add Rule → Direction: Outbound → Protocol: TCP → Remote Port: 443

  3. Remote Address: Add the three Cloudflare IPs (104.26.15.125, 104.26.14.125, 172.67.72.141) or use application-level rules with the We360.ai process paths

  4. Action: Allow → Save

See: https://www.bitdefender.com/business/support/en/77209-342962-rules.html

9.6 Encrypted traffic inspection exclusion

If Bitdefender's encrypted traffic inspection intercepts We360.ai HTTPS connections:

  1. Policies › [policy] › Network Protection › General

  2. Under Intercept Encrypted Traffic, locate the Exclusions section

  3. Add: *.we360.ai

  4. Save

Note on console path: The feature is called "Intercept Encrypted Traffic" under the Network Protection module, not "SSL Scanning" under "General › Network" as in older GravityZone versions. See: https://www.bitdefender.com/business/support/en/77212-342964-general.html


9 — Trellix Endpoint Security (ENS)

9.1 Path exclusions

  1. Open the ENS client or ePO console.

  2. Go to Threat Prevention › Options.

  3. Click Add Exclusion.

  4. Set the identifier to file path and add each path:

Type     Value
Folder   \Program Files\Zenstack\MyZenV2\**
Folder   \Program Files\zs\zs\**
File     \Windows\svcmonitor.exe
File     \Windows\svcrunner.exe


10 — Palo Alto Cortex XDR

If Cortex XDR generates an alert on We360.ai agent processes:

  1. Open the alert details in the Cortex XDR console.

  2. Right-click the alert → Create alert exception (not "Exclude Alert").

  3. Scope to the Malware Protection module.

  4. Ensure the exception covers these paths:

    • C:\Program Files\Zenstack\MyZenV2\*

    • C:\Program Files\zs\zs\*

    • C:\Windows\svcmonitor.exe

    • C:\Windows\svcrunner.exe


11 — Deployment sequence

Deploy all exclusions before installing monitoring agents. The most common deployment failure pattern is installing the monitoring agent first, having the AV quarantine critical components, then retroactively adding exclusions that cannot restore corrupted files. Always configure exclusions in your enterprise AV console → push to endpoints → verify policy application → then deploy the monitoring agent.

Test on a pilot group of 10–20 devices for 48–72 hours before broad rollout. Run a full AV scan on test machines post-installation to verify no detections. Monitor agent health dashboards in both the AV console and the monitoring tool's console during the pilot period. Only then proceed with production deployment.

Windows

  1. Create all AV/EDR exclusions in the management console (CrowdStrike, Defender, SentinelOne, etc.)

  2. Create all firewall/proxy exclusions (Zscaler, network firewalls, Defender Network Protection indicators)

  3. Wait for policy propagation — CrowdStrike: up to 40 min; Defender GPO: next GP refresh or gpupdate /force; SentinelOne: ~5 min; Bitdefender: next heartbeat

  4. Verify exclusions have applied on pilot machines before proceeding:

    • Defender: Get-MpPreference | Select ExclusionPath, ExclusionProcess

    • CrowdStrike: Host detail → "Applied Exclusions" in Falcon console

    • SentinelOne: Agent details → "Exclusions" tab

  5. Install the We360.ai agent on a pilot group of 10–20 devices (MSI or EXE) — do not deploy org-wide yet

  6. Run a full AV scan on every pilot machine to confirm no detections are triggered post-installation

  7. Verify agent health in the We360.ai admin portal (portal.we360.ai) — confirm each pilot device appears online and is reporting activity data

  8. Monitor both dashboards for 48–72 hours — check the AV/EDR console for new detections, quarantine events, or behavioral alerts targeting We360.ai paths, and simultaneously check the We360.ai admin portal for agents going offline, failing to upload data, or showing connection errors. Investigate and resolve any issues found.

  9. Proceed to production rollout only after the pilot period passes cleanly. Deploy in waves (e.g., 50 → 200 → all) rather than all-at-once to catch environment-specific issues early.

macOS

  1. Deploy all MDM configuration profiles (Section 3 of your MDM setup):

    • PPPC / TCC profile (FDA + Accessibility for both ai.we360.MyZenV2 and ai.zs.zs)

    • System Extensions profile (Team ID 5KPT5U8WVR — combine with your AV vendor's Team ID)

    • Service Management profile (suppress Login Items notifications)

    • Network Content Filter profile (if applicable)

    • Non-removable extensions profile (macOS Sequoia 15+ devices only)

  2. Verify MDM profiles are installed on target Macs:

  3. Create all AV/EDR exclusions (CrowdStrike ML, Defender mdatp / plist, SentinelOne path, Bitdefender folder+process)

  4. Create all firewall/proxy exclusions (Zscaler URL allowlist + SSL bypass + ZCC app bypass with bundle IDs)

  5. Wait for propagation (same timelines as Windows)

  6. Install the We360.ai agent on a pilot group of 10–20 Macs (.pkg or .dmg) — do not deploy org-wide yet

  7. Grant Screen Recording permission manually — this cannot be automated:

    • System Settings › Privacy & Security › Screen Recording → toggle on for MyZenV2 or zs

    • On macOS Sequoia (15): user must re-approve monthly

  8. Run a full AV scan on every pilot Mac to confirm no detections

  9. Verify agent health in the We360.ai admin portal — confirm each pilot device appears online and is reporting activity data

  10. Verify TCC permissions:

  11. Monitor both dashboards for 48–72 hours — check the AV/EDR console for new detections or behavioral alerts targeting We360.ai paths, and simultaneously check the We360.ai admin portal for agents going offline, missing screenshots (Screen Recording not granted), or connection errors. On macOS, also watch for System Extension load failures in Console.app (log show --predicate 'subsystem == "com.apple.sx"' --last 4h).

  12. Proceed to production rollout only after the pilot period passes cleanly. Deploy in waves and ensure the Screen Recording manual approval workflow is communicated to each wave of users before their install.


12 — Troubleshooting

Agent not reporting after installation

Windows:

  1. Confirm AV exclusions are applied (check each product per Section 9)

  2. Confirm firewall/proxy rules allow *.we360.ai on TCP 443

  3. Test connectivity: Test-NetConnection -ComputerName api.in.we360.ai -Port 443

  4. If behind Zscaler: check ZCC app bypass rules include the agent process

  5. Check Defender quarantine events: Get-MpThreatDetection | Where-Object { $_.Resources -like "*Zenstack*" -or $_.Resources -like "*zs\zs*" }

macOS:

  1. Confirm AV exclusions are applied (mdatp exclusion list, check S1/CS/BD console)

  2. Test connectivity: curl -v https://api.in.we360.ai (check for TLS handshake success)

  3. If behind Zscaler: verify ZCC app bypass includes ai.we360.MyZenV2 or ai.zs.zs

  4. Check Console.app or log show for errors:

Agent repeatedly killed or quarantined

This indicates a behavioral detection (not file-based). Escalate exclusions:

  • CrowdStrike: Add IOA exclusion matching the specific detection rule ID (Section 3.3)

  • SentinelOne: Change exclusion mode from Suppress Alerts → Interoperability (or Interoperability - Extended) (Section 5.1)

  • Bitdefender: Ensure ATC/IDS module is included in the exclusion scope (Section 8.1/8.2)

  • Defender: Check ASR rules (Get-MpPreference | Select AttackSurfaceReductionRules_Actions) and add ASR exclusions (Section 4.6)
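The Windows checklist steps 3 and 4 (confirm exclusions applied), the Windows troubleshooting steps (connectivity and quarantine history), and the Defender ASR check above can be run together from one script on a pilot machine. The following is an added example written for this guide, not a We360.ai or Microsoft tool. It assumes Microsoft Defender is the AV in use, uses the Standard-mode install paths from Section 2.1 and the api.in.we360.ai endpoint named in the troubleshooting steps, and the function name Test-We360DefenderReadiness is made up for the example. Run it in an elevated session after policy propagation, and again after the pilot install.

```powershell
# Added example (not from We360.ai or Microsoft): Defender readiness check for a pilot device.
# Paths are the Standard-mode install paths from Section 2.1; the "*zs\zs*" pattern matches the
# Stealth-mode folder referenced in the troubleshooting step. Function name is hypothetical.

function Test-We360DefenderReadiness {
    [CmdletBinding()]
    param(
        [string]$InstallRoot = 'C:\Program Files\Zenstack\MyZenV2',
        [string[]]$Processes = @('MyZenV2.exe', 'zen_cli.exe', 'updater.exe', 'svcrunner.exe'),
        [string]$ApiHost = 'api.in.we360.ai'
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $result = [ordered]@{}

    # 1. Path exclusions: either the root folder is excluded (recursive) or every binary is.
    $pathExcl      = @($pref.ExclusionPath)
    $folderCovered = ($pathExcl -contains $InstallRoot) -or ($pathExcl -contains "$InstallRoot\")
    $missingFiles  = @()
    if (-not $folderCovered) {
        foreach ($p in $Processes) {
            if ($pathExcl -notcontains (Join-Path $InstallRoot $p)) { $missingFiles += $p }
        }
    }
    $result.PathExclusionOk       = $folderCovered -or ($missingFiles.Count -eq 0)
    $result.MissingPathExclusions = $missingFiles

    # 2. Process exclusions: Defender accepts the full image path or the bare image name.
    $procExcl    = @($pref.ExclusionProcess)
    $missingProc = @()
    foreach ($p in $Processes) {
        $full = Join-Path $InstallRoot $p
        if (($procExcl -notcontains $full) -and ($procExcl -notcontains $p)) { $missingProc += $p }
    }
    $result.ProcessExclusionOk       = ($missingProc.Count -eq 0)
    $result.MissingProcessExclusions = $missingProc

    # 3. Tamper Protection: when on, local Add-MpPreference changes are ignored, so missing
    #    exclusions must be delivered through Intune or GPO rather than fixed on the box.
    $result.TamperProtected = [bool]$status.IsTamperProtected

    # 4. Connectivity: the agent needs TCP 443 to the We360.ai API.
    $tnc = Test-NetConnection -ComputerName $ApiHost -Port 443 -WarningAction SilentlyContinue
    $result.Api443Reachable = [bool]$tnc.TcpTestSucceeded

    # 5. Quarantine history: a prior detection on the agent folders means files may already be
    #    corrupted; reinstall the agent after the exclusions are in place.
    $hits = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { ($_.Resources -like '*Zenstack*') -or ($_.Resources -like '*zs\zs*') })
    $result.PriorDetections   = $hits.Count
    $result.PriorDetectionIds = @($hits | ForEach-Object { $_.ThreatID } | Sort-Object -Unique)

    # 6. ASR rules in Block mode with no ASR-only exclusion covering the install folder are the
    #    usual cause of "agent repeatedly killed" behaviour (1 = Block, 2 = Audit, 6 = Warn).
    $ids      = @($pref.AttackSurfaceReductionRules_Ids)
    $actions  = @($pref.AttackSurfaceReductionRules_Actions)
    $blocking = @()
    for ($i = 0; $i -lt $ids.Count -and $i -lt $actions.Count; $i++) {
        if ($actions[$i] -eq 1) { $blocking += $ids[$i] }
    }
    $asrExcl = @($pref.AttackSurfaceReductionOnlyExclusions)
    $result.BlockingAsrRules        = $blocking
    $result.AsrExclusionCoversAgent = @($asrExcl | Where-Object { $_ -like "$InstallRoot*" }).Count -gt 0

    $result.Ready = $result.PathExclusionOk -and $result.ProcessExclusionOk -and
                    $result.Api443Reachable -and ($result.PriorDetections -eq 0) -and
                    ($blocking.Count -eq 0 -or $result.AsrExclusionCoversAgent)
    [pscustomobject]$result
}

Test-We360DefenderReadiness | Format-List
```

Ready is false whenever any check fails; the Missing* and BlockingAsrRules fields say which exclusion to add. A TamperProtected value of True together with missing exclusions usually means the policy has not propagated from the management console yet, not that the exclusion was rejected.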

macOS: agent installs but captures no data

This is almost always a TCC permission issue, not an AV issue.

SSL/TLS connection failures

  • Zscaler SSL inspection may intercept and re-sign We360.ai traffic → add SSL bypass rule with "Do Not Decrypt" action (Section 6.2)

  • Bitdefender encrypted traffic inspection → add *.we360.ai to exclusions under Network Protection › General › Intercept Encrypted Traffic (Section 8.6)

  • Symantec HTTPS inspection → add *.we360.ai as a Trusted Web Domain (Section 7.3)

  • On macOS: verify the Zscaler root CA is MDM-deployed and trusted (a root CA installed by downloading it in Safari is not trusted for non-browser TLS connections such as the agent's own)
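A plain port test (Test-NetConnection or curl) succeeds even when a proxy is re-signing the traffic, so the quickest way to tell whether one of the inspection products above is still in the path is to look at who issued the certificate the endpoint presents. The following is an added example written for this guide, not We360.ai or vendor code; it assumes the api.in.we360.ai endpoint from the troubleshooting steps, and the function name Get-We360TlsIssuer and the list of proxy CA name markers are constructed for the example. It runs in Windows PowerShell and in PowerShell 7 on macOS.

```powershell
# Added example (not from We360.ai or any AV/proxy vendor): report the issuer of the certificate
# presented for a We360.ai endpoint. If the issuer names your inspection proxy's CA rather than
# the public CA behind the real certificate, the SSL bypass rule has not taken effect.
# Function name and ProxyCaMarkers list are constructed for this example.

function Get-We360TlsIssuer {
    param(
        [string]$TargetHost = 'api.in.we360.ai',
        [int]$Port = 443,
        # Substrings that identify an inspecting proxy's CA; adjust to the CA names in your environment.
        [string[]]$ProxyCaMarkers = @('Zscaler', 'Bitdefender', 'Symantec', 'Broadcom')
    )

    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    $ssl = $null
    try {
        # Accept any chain here: the goal is to observe the certificate, not to validate it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost)

        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $issuer = $cert.Issuer
        $intercepted = @($ProxyCaMarkers | Where-Object { $issuer -like "*$_*" }).Count -gt 0

        [pscustomobject]@{
            Host        = $TargetHost
            Subject     = $cert.Subject
            Issuer      = $issuer
            NotAfter    = $cert.NotAfter
            Protocol    = $ssl.SslProtocol
            Intercepted = $intercepted   # True when the issuer matches a proxy CA marker
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Get-We360TlsIssuer | Format-List
```

Intercepted is a name-based heuristic: compare Issuer against the certificate you see from a machine outside the proxy (or from a browser on an unmanaged network) to be certain. If the handshake itself fails with an authentication error on macOS, that points to the root CA trust problem described in the last bullet rather than to an inspection rule.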


Appendix — Official documentation quick reference

Product
Documentation URL

CrowdStrike ML Exclusions API

https://www.falconpy.io/Service-Collections/Ml-Exclusions.html

CrowdStrike Sensor Visibility API

https://www.falconpy.io/Service-Collections/Sensor-Visibility-Exclusions.html

CrowdStrike IOC Management API

https://www.falconpy.io/Service-Collections/IOC.html

CrowdStrike PSFalcon module

https://github.com/CrowdStrike/psfalcon

Defender Add-MpPreference

https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference

Defender File/folder exclusions

https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus

Defender Process exclusions

https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus

Defender macOS exclusions

https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions

Defender Intune AV policy

https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-antivirus-policy

Defender Policy CSP (OMA-URI)

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender

Defender Custom indicators

https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain

Defender Advanced features

https://learn.microsoft.com/en-us/defender-endpoint/advanced-features

Defender Tamper Protection

https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection

SentinelOne Solution brief

https://www.sentinelone.com/wp-content/uploads/2017/06/SentinelOne-Whitelisting-and-Blacklisting.pdf

SentinelOne Exclusion best practices

https://support.guardz.com/en/articles/10807589-best-practices-for-sentinelone-exclusions

Zscaler URL Allowlisting

https://help.zscaler.com/zia/adding-urls-allowlist

Zscaler Custom URL Categories

https://help.zscaler.com/zia/configuring-custom-url-categories

Zscaler SSL Inspection Policy

https://help.zscaler.com/zia/configuring-ssl-inspection-policy

Zscaler ZCC App Bypass

https://help.zscaler.com/zscaler-client-connector/adding-process-based-applications-bypass-traffic

Zscaler Z-Tunnel 2.0 bypasses

https://help.zscaler.com/zscaler-client-connector/best-practices-adding-bypasses-z-tunnel-2.0

Symantec Exception policies

https://knowledge.broadcom.com/external/article/156028/configuring-exceptions-policies-in-endpo.html

Symantec Creating exceptions

https://knowledge.broadcom.com/external/article/151461/creating-exceptions-policies-in-the-endp.html

Symantec Prefix variables

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/file-and-folder-prefix-variables-v135458624-d51e2883.html

Symantec Trusted Web Domain

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/trusted-web-domain-exception-v33640881-d51e3269.html

Bitdefender Exclusions (current)

https://www.bitdefender.com/business/support/en/77209-1180477-exclusions.html

Bitdefender Config Profiles

https://www.bitdefender.com/business/support/en/77209-342986-configuration-profiles.html

Bitdefender macOS process exclusions

https://www.bitdefender.com/business/support/en/77209-343024-adding-process-exclusions-for-mac-in-bitdefender-gravityzone.html

Bitdefender Firewall rules

https://www.bitdefender.com/business/support/en/77209-342962-rules.html

Bitdefender Network Protection

https://www.bitdefender.com/business/support/en/77212-342964-general.html

Cloudflare IP ranges

https://www.cloudflare.com/ips/
