# AV and EDR Exclusions

### 1 — Why exclusions are required

The We360.ai agent performs activity monitoring through input hooks, screenshot capture, and accessibility APIs. These behaviors are functionally indistinguishable from the techniques used by spyware and trojans, which means heuristic and behavioral detection engines will flag, quarantine, or block the agent without properly scoped exclusions.

**Configure all exclusions and deploy all MDM profiles before installing the agent.** The most common deployment failure pattern is installing the monitoring agent first, having the AV quarantine critical components, then retroactively adding exclusions that cannot restore corrupted files. Always follow this sequence: configure exclusions in your enterprise AV console → push to endpoints → verify policy application → then deploy the monitoring agent. Test on a pilot group of 10–20 devices for 48–72 hours before broad rollout (see Section 9 for the full deployment checklist).

***

### 2 — We360.ai agent inventory

#### 2.1 Windows Standard mode — file paths and processes

Exclude the entire folder where possible. Fall back to individual file exclusions only if the AV product does not support folder-level exclusions.

| Path                                              | Description                                                        |
| ------------------------------------------------- | ------------------------------------------------------------------ |
| `C:\Program Files\Zenstack\MyZenV2\`              | **Root install folder — exclude recursively**                      |
| `C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe`   | Main agent process; captures activity, screenshots, and app usage  |
| `C:\Program Files\Zenstack\MyZenV2\zen_cli.exe`   | Internal CLI helper                                                |
| `C:\Program Files\Zenstack\MyZenV2\updater.exe`   | Manages agent updates: downloads, verifies, and applies new builds |
| `C:\Program Files\Zenstack\MyZenV2\svcrunner.exe` | Windows service host that keeps the agent running persistently     |

#### 2.2 Windows Stealth mode — file paths and processes

Exclude the entire folder where possible. Fall back to individual file exclusions only if the AV product does not support folder-level exclusions.

| Path                                        | Description                                                      |
| ------------------------------------------- | ---------------------------------------------------------------- |
| `C:\Program Files\zs\zs\`                   | **Root install folder — exclude recursively**                    |
| `C:\Program Files\zs\zs\MyZenV2s.exe`       | Stealth agent process                                            |
| `C:\Program Files\zs\zs\updater.exe`        | Agent update manager                                             |
| `C:\Program Files\zs\zs\configure_user.exe` | Applies per-user configuration at login                          |
| `C:\Program Files\zs\zs\zen_cli.exe`        | Internal CLI helper                                              |
| `C:\Windows\svcmonitor.exe`                 | Watchdog process; automatically restarts the agent if terminated |
| `C:\Windows\svcrunner.exe`                  | Windows service host                                             |

> **Security note:** The stealth-mode watchdog (`svcmonitor.exe`) and service host (`svcrunner.exe`) reside in `C:\Windows\`, which is a sensitive path. Do **not** broadly exclude `C:\Windows\` — add process-level or exact-path exclusions for these two files only.

#### 2.3 macOS Standard mode — paths, bundle ID, and code signing identity

| Property               | Value                                                                                                                                                                                                            |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Application bundle** | `/Applications/MyZenV2.app`                                                                                                                                                                                      |
| **Executable**         | `/Applications/MyZenV2.app/Contents/MacOS/MyZenV2`                                                                                                                                                               |
| **Bundle Identifier**  | `ai.we360.MyZenV2`                                                                                                                                                                                               |
| **Team ID**            | `5KPT5U8WVR`                                                                                                                                                                                                     |
| **Code Requirement**   | `identifier "ai.we360.MyZenV2" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "5KPT5U8WVR"` |

#### 2.4 macOS Stealth mode — paths, bundle ID, and code signing identity

| Property               | Value                                                                                                                                                                                                    |
| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Application bundle** | `/usr/local/zs/zs.app`                                                                                                                                                                                   |
| **Executable**         | `/usr/local/zs/zs.app/Contents/MacOS/zs`                                                                                                                                                                 |
| **Bundle Identifier**  | `ai.zs.zs`                                                                                                                                                                                               |
| **Team ID**            | `5KPT5U8WVR`                                                                                                                                                                                             |
| **Code Requirement**   | `identifier "ai.zs.zs" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "5KPT5U8WVR"` |

> **Both modes share the same Team ID (`5KPT5U8WVR`).** This means a single System Extensions MDM profile can cover both, but PPPC profiles must reference each bundle identifier individually.

#### 2.5 macOS code signing reference

Use this block as the verified code requirement in all PPPC / TCC configuration profiles. It was extracted from live binaries via `codesign --display --requirements -`.

```
# Standard mode
identifier "ai.we360.MyZenV2" and anchor apple generic
  and certificate 1[field.1.2.840.113635.100.6.2.6]
  and certificate leaf[field.1.2.840.113635.100.6.1.13]
  and certificate leaf[subject.OU] = "5KPT5U8WVR"

# Stealth mode
identifier "ai.zs.zs" and anchor apple generic
  and certificate 1[field.1.2.840.113635.100.6.2.6]
  and certificate leaf[field.1.2.840.113635.100.6.1.13]
  and certificate leaf[subject.OU] = "5KPT5U8WVR"
```

To re-verify at any time:

```bash
codesign --display --requirements - /Applications/MyZenV2.app
codesign --display --requirements - /usr/local/zs/zs.app
```

***

### 3 — CrowdStrike Falcon

> **Official documentation:**
>
> * ML Exclusions: <https://falcon.crowdstrike.com/documentation/41/ml-exclusions> (login required) / API: <https://www.falconpy.io/Service-Collections/Ml-Exclusions.html>
> * IOA Exclusions: <https://falcon.crowdstrike.com/documentation/73/ioa-exclusions> (login required)
> * Sensor Visibility Exclusions API: <https://www.falconpy.io/Service-Collections/Sensor-Visibility-Exclusions.html>
> * IOC Management API: <https://www.falconpy.io/Service-Collections/IOC.html>
> * PSFalcon PowerShell module: <https://github.com/CrowdStrike/psfalcon>
> * Exclusion walkthrough: <https://support.redcanary.com/hc/en-us/articles/4413344754071-How-to-Create-Exclusions-in-CrowdStrike>

#### 4.1 ML exclusions — Windows (recommended first step)

ML exclusions prevent CrowdStrike's machine-learning static analysis from flagging the We360.ai binaries.

1. Log into Falcon Console → **Configuration › Detections Management › Exclusions**
2. Select **Machine Learning Exclusions** tab → **Create Exclusion**
3. Set scope to the appropriate host group (or "All hosts" if deploying org-wide)
4. Excluded from: **Detections and Preventions**
5. Add the following patterns (one exclusion per pattern):

**Standard mode:**

```
C:\Program Files\Zenstack\MyZenV2\**
```

**Stealth mode:**

```
C:\Program Files\zs\zs\**
C:\Windows\svcmonitor.exe
C:\Windows\svcrunner.exe
```

6. Use **Pattern test** to validate → add an audit comment (e.g., "We360.ai monitoring agent — ticket INC-12345") → **Create**

#### 4.2 ML exclusions — macOS

Same console workflow as 4.1. CrowdStrike ML exclusions use forward-slash paths for macOS.

**Standard mode:**

```
/Applications/MyZenV2.app/**
```

**Stealth mode:**

```
/usr/local/zs/zs.app/**
```

> **Path syntax matters:** macOS exclusions are case-sensitive and must use `/`. Windows exclusions are case-insensitive and use `\`. CrowdStrike will reject incorrectly formatted paths.

#### 4.3 IOA exclusions (if behavioral alerts persist)

If the ML exclusion resolves file-based detections but CrowdStrike still generates behavioral/IOA alerts (e.g., for process injection or screenshot capture), add IOA exclusions:

1. Same console path → **IOA Exclusions** tab → **Create IOA Exclusion**
2. Set the triggering detection (match the exact rule ID from the alert)
3. Image Filename regex:
   * Windows standard: `.*\\MyZenV2\.exe`
   * Windows stealth: `.*\\MyZenV2s\.exe`
   * macOS standard: `.*/MyZenV2`
   * macOS stealth: `.*/zs`
4. Scope to applicable groups → **Create**

#### 4.4 Sensor Visibility exclusions

Only use these if ML + IOA exclusions are insufficient.

1. Same console path → **Sensor Visibility Exclusions** tab
2. Add paths:
   * Windows: `C:\Program Files\Zenstack\MyZenV2\` or `C:\Program Files\zs\zs\`
   * macOS: `/Applications/MyZenV2.app/` or `/usr/local/zs/zs.app/`

#### 4.5 Custom IOC — hash-based (suppress detections)

1. Navigate to **Threat Intelligence › IOC Management › Add IOC**
2. Type: SHA-256 → Paste the hash of the specific binary
3. Action: **No Action** → Platforms: Windows and/or macOS → Expiration: set to align with next agent update cycle
4. Repeat for each binary

Collect hashes:

**Windows (PowerShell):**

```powershell
Get-ChildItem "C:\Program Files\Zenstack\MyZenV2\*.exe" | ForEach-Object {
    Get-FileHash $_.FullName -Algorithm SHA256 | Select-Object Hash, Path
}
```

**macOS (Terminal):**

```bash
shasum -a 256 /Applications/MyZenV2.app/Contents/MacOS/MyZenV2
shasum -a 256 /usr/local/zs/zs.app/Contents/MacOS/zs
```

#### 4.6 Domain/URL IOC — suppress network detections

1. **Threat Intelligence › IOC Management › Add IOC**
2. Type: Domain → Value: <code class="expression">space.vars.company\_name</code>→ Action: **No Action** → Platforms: Windows, macOS
3. Repeat for other domains listed in the [Allowlist Guide](/deployment-and-it-ops/network-and-security-hardening/allowlist-guide.md).

> **Note:** Domain IOCs support "Detect Only" and "No Action" only. There is no "Allow" action for domain indicators.

#### 4.8 Automation (PSFalcon)

> **PSFalcon module:** <https://github.com/CrowdStrike/psfalcon> — note that PSFalcon 2.2.0+ uses `-GroupId` (singular) as the primary parameter name; `-GroupIds` is retained as an alias.

```powershell
# Standard mode ML exclusions (Windows + macOS)
New-FalconMlExclusion -Value "C:\Program Files\Zenstack\MyZenV2\**" `
  -GroupId @("all") -ExcludedFrom @("blocking") `
  -Comment "We360.ai standard agent Windows — ticket INC-12345"

New-FalconMlExclusion -Value "/Applications/MyZenV2.app/**" `
  -GroupId @("all") -ExcludedFrom @("blocking") `
  -Comment "We360.ai standard agent macOS — ticket INC-12345"

# Stealth mode ML exclusions (Windows + macOS)
New-FalconMlExclusion -Value "C:\Program Files\zs\zs\**" `
  -GroupId @("all") -ExcludedFrom @("blocking") `
  -Comment "We360.ai stealth agent Windows — ticket INC-12345"

New-FalconMlExclusion -Value "/usr/local/zs/zs.app/**" `
  -GroupId @("all") -ExcludedFrom @("blocking") `
  -Comment "We360.ai stealth agent macOS — ticket INC-12345"

New-FalconMlExclusion -Value "C:\Windows\svcmonitor.exe" `
  -GroupId @("all") -ExcludedFrom @("blocking") `
  -Comment "We360.ai stealth watchdog — ticket INC-12345"

New-FalconMlExclusion -Value "C:\Windows\svcrunner.exe" `
  -GroupId @("all") -ExcludedFrom @("blocking") `
  -Comment "We360.ai stealth service host — ticket INC-12345"
```

**Note:** The `-ExcludedFrom` ValidateSet accepts two values: `blocking` (ML detection/prevention) and `extraction` (file upload to the CrowdStrike cloud). `@("blocking","extraction")` is often the appropriate choice, because it also prevents sample uploads.
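
Before a batch of patterns like the ones above is pushed, each can be checked against the agent inventory in Section 2 and the path rules in 4.2. The following Python script is an added example, not We360.ai or CrowdStrike tooling: it flags wrong separators, macOS case mismatches, and any pattern broader than the inventory (for instance `C:\Windows\**`). The `lint` and `audit` helpers, the verdict names, and the `PROPOSED` list are constructed for illustration.

```python
# Added example: lint proposed exclusion patterns against the Section 2 inventory.

# (platform, path, is_folder) copied from the tables in Section 2 of this page.
INVENTORY = [
    ("windows", r"C:\Program Files\Zenstack\MyZenV2", True),
    ("windows", r"C:\Program Files\zs\zs", True),
    ("windows", r"C:\Windows\svcmonitor.exe", False),
    ("windows", r"C:\Windows\svcrunner.exe", False),
    ("macos", "/Applications/MyZenV2.app", True),
    ("macos", "/usr/local/zs/zs.app", True),
]

# Constructed sample of patterns an administrator might be about to submit.
PROPOSED = [
    ("windows", r"C:\Program Files\Zenstack\MyZenV2\**"),
    ("windows", r"C:\Windows\**"),
    ("windows", r"C:\Windows\svcrunner.exe"),
    ("macos", "/applications/MyZenV2.app/**"),
    ("macos", r"\usr\local\zs\zs.app\**"),
    ("macos", "/usr/local/zs/zs.app/**"),
]


def lint(platform: str, pattern: str) -> str:
    """Classify one exclusion pattern (hypothetical helper; verdict names are ours)."""
    sep, wrong = ("\\", "/") if platform == "windows" else ("/", "\\")
    if wrong in pattern:
        return "wrong-separator"

    # Strip a trailing glob and separator to get the directory or file it covers.
    base = pattern.rstrip("*")
    globbed = base != pattern
    base = base.rstrip(sep)
    if not base or "*" in base or "?" in base:
        return "too-broad"  # drive/volume root, or a wildcard mid-path

    # Windows paths compare case-insensitively, macOS paths case-sensitively.
    fold = str.lower if platform == "windows" else str
    key = fold(base)
    case_hit = False
    for plat, path, is_folder in INVENTORY:
        if plat != platform:
            continue
        inv = fold(path)
        if key == inv:
            # An exact-file entry must not carry a trailing glob.
            return "ok" if (is_folder or not globbed) else "too-broad"
        if is_folder and key.startswith(inv + sep):
            return "ok"  # something inside an inventoried folder
        if inv.startswith(key + sep):
            return "too-broad"  # a parent of an inventoried path
        if platform == "macos":
            lo, pl = base.lower(), path.lower()
            if lo == pl or lo.startswith(pl + sep):
                case_hit = True  # right path, wrong case
    return "case-mismatch" if case_hit else "not-in-inventory"


def audit(entries):
    """Return (platform, pattern, verdict) for every entry that is not 'ok'."""
    return [(p, pat, v) for p, pat in entries if (v := lint(p, pat)) != "ok"]


if __name__ == "__main__":
    for row in audit(PROPOSED):
        print(row)
```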

#### 4.9 Propagation

Exclusions take **up to 40 minutes** to reach all sensors (both Windows and macOS). Allow this window before deploying the We360.ai agent to target hosts.

***

### 4 — Microsoft Defender (Antivirus + Defender for Endpoint)

> **Official documentation:**
>
> * Add-MpPreference: <https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference>
> * File/folder exclusions: <https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus>
> * Process exclusions: <https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus>
> * Custom exclusions overview: <https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antivirus>
> * macOS exclusions: <https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions>
> * Intune AV policy: <https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-antivirus-policy>
> * Policy CSP (OMA-URI): <https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender>
> * Custom indicators: <https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain>
> * Advanced features: <https://learn.microsoft.com/en-us/defender-endpoint/advanced-features>
> * ASR exclusions: <https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction>
> * Controlled Folder Access: <https://learn.microsoft.com/en-us/defender-endpoint/customize-controlled-folders>
> * Tamper Protection: <https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>

#### 5.1 Windows — Antivirus exclusions (path and process)

These prevent Defender Antivirus from scanning We360.ai files and processes. They apply to real-time, scheduled, and on-demand scans.

**PowerShell (run elevated):**

```powershell
# ── Standard mode ──
Add-MpPreference -ExclusionPath "C:\Program Files\Zenstack\MyZenV2"
Add-MpPreference -ExclusionProcess "C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Zenstack\MyZenV2\svcrunner.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Zenstack\MyZenV2\updater.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\Zenstack\MyZenV2\zen_cli.exe"

# ── Stealth mode ──
Add-MpPreference -ExclusionPath "C:\Program Files\zs\zs"
Add-MpPreference -ExclusionProcess "C:\Program Files\zs\zs\MyZenV2s.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\zs\zs\updater.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\zs\zs\configure_user.exe"
Add-MpPreference -ExclusionProcess "C:\Program Files\zs\zs\zen_cli.exe"
Add-MpPreference -ExclusionProcess "C:\Windows\svcmonitor.exe"
Add-MpPreference -ExclusionProcess "C:\Windows\svcrunner.exe"

# ── Verify ──
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```

> **CAUTION:** Use `Add-MpPreference` (appends). `Set-MpPreference` **replaces the entire exclusion list** and will remove all existing exclusions. See: <https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference>

**Validate an exclusion:**

```powershell
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -CheckExclusion -path "C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe"
```

#### 5.2 macOS — Defender for Endpoint exclusions

Microsoft Defender for Endpoint on macOS uses the `mdatp` CLI and MDM-deployed plist preferences. See: <https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions>

**CLI method (run as root or with sudo):**

```bash
# ── Standard mode ──
mdatp exclusion folder add --path /Applications/MyZenV2.app/
mdatp exclusion process add --name MyZenV2

# ── Stealth mode ──
mdatp exclusion folder add --path /usr/local/zs/zs.app/
mdatp exclusion process add --name zs

# ── Verify ──
mdatp exclusion list
```

#### 5.4 Windows — Intune / Endpoint Manager

**Endpoint Security › Antivirus › Create Policy:**

* Platform: **Windows**
* Profile: **Microsoft Defender Antivirus Exclusions**
* Excluded Paths (Folders):
  * `C:\Program Files\Zenstack\MyZenV2`
  * `C:\Program Files\zs\zs`
* Excluded Processes:
  * `C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe`
  * `C:\Program Files\zs\zs\MyZenV2s.exe`
  * `C:\Windows\svcmonitor.exe`
  * `C:\Windows\svcrunner.exe`

Assign the policy to the device group that will run We360.ai.

**OMA-URI (custom CSP) paths:**

```
./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths
./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses
```

See: <https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender>

#### 5.5 Defender for Endpoint — URL/domain indicators (Windows + macOS)

AV exclusions do not cover Defender's network protection or web content filtering layers. If Defender for Endpoint is in use, create **Allow indicators** for We360.ai domains:

1. **Microsoft Defender portal** (security.microsoft.com) → **Settings › Endpoints › Rules › Indicators › URLs/Domains**
2. **Add Indicator** → URL/Domain: `*.we360.ai` → Action: **Allow** → Scope: Org-wide or device group → Title: "We360.ai agent communication" → **Save**
3. Repeat for `portal.we360.ai`, `api.in.we360.ai`, `auth.in.we360.ai`, `assets.we360.ai`, `assets.v2.we360.ai`, `origin.in.we360.ai`, `origin.global.we360.ai`

> **Prerequisite:** Custom Network Indicators must be enabled under **Settings › Endpoints › Advanced Features**. Indicators apply to both Windows and macOS endpoints enrolled in MDE. See: <https://learn.microsoft.com/en-us/defender-endpoint/advanced-features>

#### 5.6 Windows — Attack Surface Reduction (ASR) rule exclusions

If ASR rules block We360.ai behaviors:

```powershell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\Zenstack\MyZenV2"
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\zs\zs"
```

See: <https://learn.microsoft.com/en-us/defender-endpoint/enable-attack-surface-reduction>

#### 5.7 Windows — Controlled Folder Access

If Controlled Folder Access is enabled and We360.ai needs to write to protected folders:

```powershell
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\zs\zs\MyZenV2s.exe"
```

See: <https://learn.microsoft.com/en-us/defender-endpoint/customize-controlled-folders>

***

### 5 — SentinelOne

> **Official documentation:**
>
> * SentinelOne Exclusions training: <https://university.sentinelone.com/courses/exclusions-and-allow-rules> (login required)
> * Whitelisting and Blacklisting solution brief: <https://www.sentinelone.com/wp-content/uploads/2017/06/SentinelOne-Whitelisting-and-Blacklisting.pdf>
> * Community KB — Exclusion types: <https://community.sentinelone.com/s/article/000006818> (login required)
> * Path exclusion best practices: <https://support.guardz.com/en/articles/10807589-best-practices-for-sentinelone-exclusions>

#### 6.1 Choosing the right exclusion mode

SentinelOne offers five graduated exclusion modes. For We360.ai, start with **Interoperability** and escalate only if conflicts persist.

| Mode                             | When to use for We360.ai                                                               |
| -------------------------------- | -------------------------------------------------------------------------------------- |
| **Suppress Alerts**              | -                                                                                      |
| **Interoperability**             | Start here                                                                             |
| **Interoperability - Extended**  | Use if We360.ai child processes (e.g., updater launching the main agent) are flagged   |
| **Performance Focus**            | Aggressive — disables significant monitoring for the excluded path                     |
| **Performance Focus - Extended** | Last resort — disables all monitoring of excluded processes and their child processes. |

#### 6.2 Path exclusions — Windows

The SentinelOne console has two UI experiences. The legacy layout uses **Sentinels › Exclusions**; the newer unified layout uses **Settings › Policy › Exclusions**. The steps below apply to both; adjust navigation to match your console version.

1. Navigate to the Exclusions page (see note above)
2. Click **New Exclusion** → Type: **Path** → OS: **Windows**

**Standard mode:**

* Path: `C:\Program Files\Zenstack\MyZenV2\`
* Include Subfolders: **Yes**
* Mode: **Suppress Alerts** (start here)

**Stealth mode:**

* Path 1: `C:\Program Files\zs\zs\` — Include Subfolders: Yes
* Path 2: `C:\Windows\svcmonitor.exe` — exact file
* Path 3: `C:\Windows\svcrunner.exe` — exact file

3. Scope: Global, Site, or Group as appropriate
4. Add description: "We360.ai monitoring agent — \[ticket number]"
5. **Save** → Allow \~5 minutes for propagation

> **If using Interoperability or Performance Focus modes:** Restart endpoints after applying the exclusion for the mode change to take effect.

#### 6.3 Path exclusions — macOS

1. **New Exclusion** → Type: **Path** → OS: **macOS**

**Standard mode:**

* Path: `/Applications/MyZenV2.app/`
* Include Subfolders: **Yes**
* Mode: **Suppress Alerts**

**Stealth mode:**

* Path: `/usr/local/zs/zs.app/`
* Include Subfolders: **Yes**

2. Scope → Description → **Save**

#### 6.4 Hash exclusions (most precise)

1. Navigate to the Exclusions page → **Hash** exclusion type
2. Click **New Exclusion** → enter **SHA-1** hash of the target binary
3. OS: Windows or macOS → Description → Scope → **Save**

> **Note:** SentinelOne hash exclusions use **SHA-1**, not SHA-256. This applies to both exclusions and blocklist entries. The SentinelOne API endpoints use `/hashes/{sha1}/` format.

Collect SHA-1 hashes:

**Windows:**

```powershell
Get-ChildItem "C:\Program Files\Zenstack\MyZenV2\*.exe" | ForEach-Object {
    Get-FileHash $_.FullName -Algorithm SHA1 | Select-Object Hash, Path
}
```

**macOS:**

```bash
shasum -a 1 /Applications/MyZenV2.app/Contents/MacOS/MyZenV2
shasum -a 1 /usr/local/zs/zs.app/Contents/MacOS/zs
```
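
Hash-based entries stop matching as soon as an agent update replaces a binary, and the two consoles want different digests: SHA-256 for the Falcon IOC in 4.5, SHA-1 for SentinelOne here. As an added example (not vendor or We360.ai code), this Python script computes both digests in one pass and compares a recorded baseline with the current install folder to list which hash entries to retire and which to add. The file contents in `demo()` are constructed stand-ins, and the helper names are hypothetical.

```python
# Added example: find hash exclusions made stale by an agent update.
import hashlib
import tempfile
from pathlib import Path


def fingerprints(path: Path) -> dict:
    """Compute SHA-256 (Falcon IOC) and SHA-1 (SentinelOne) in a single read."""
    sha256, sha1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            sha1.update(chunk)
    return {"sha256": sha256.hexdigest(), "sha1": sha1.hexdigest()}


def snapshot(folder: Path, pattern: str = "*.exe") -> dict:
    """Map file name -> digests for every binary matching pattern in folder."""
    return {p.name: fingerprints(p) for p in sorted(folder.glob(pattern))}


def stale_entries(baseline: dict, current: dict) -> list:
    """Diff the digests recorded when exclusions were created against today's.

    'retire' holds digests whose exclusion no longer matches any file,
    'add' holds digests that need a new exclusion.
    """
    report = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue  # unchanged binary, existing hash exclusion still valid
        if new is None:
            status = "removed"
        elif old is None:
            status = "new"
        else:
            status = "changed"
        report.append({"file": name, "status": status, "retire": old, "add": new})
    return report


def demo() -> list:
    """Simulate one update cycle in a temp folder using constructed file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "MyZenV2.exe").write_bytes(b"constructed build 1 - agent")
        (folder / "updater.exe").write_bytes(b"constructed build 1 - updater")
        baseline = snapshot(folder)  # taken when the exclusions were created

        # Simulated update: one binary replaced, one binary added.
        (folder / "MyZenV2.exe").write_bytes(b"constructed build 2 - agent")
        (folder / "zen_cli.exe").write_bytes(b"constructed build 2 - cli")
        return stale_entries(baseline, snapshot(folder))


if __name__ == "__main__":
    for entry in demo():
        print(entry["file"], entry["status"])
        if entry["retire"]:
            print("  retire sha256:", entry["retire"]["sha256"])
            print("  retire sha1:  ", entry["retire"]["sha1"])
        if entry["add"]:
            print("  add sha256:   ", entry["add"]["sha256"])
            print("  add sha1:     ", entry["add"]["sha1"])
```

Point `snapshot()` at the real install folder after each agent update and keep the previous result as the baseline.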

#### 6.5 Certificate-based exclusions (recommended for long-term)

Certificate exclusions survive agent updates without requiring path or hash changes — the most maintenance-free option. SentinelOne's solution brief lists five exclusion types: hash value, path, **signer certificate identity**, file type, and browser type.

1. Navigate to the Exclusions page → **Certificate** exclusion type
2. Enter the signer identity. For We360.ai, the relevant value from the code signature is the Organizational Unit:
   * **OU:** `5KPT5U8WVR`
   * **Signer:** Retrieve the full CN from: `codesign -dvvv /Applications/MyZenV2.app 2>&1 | grep "Authority"`
3. Scope → **Save**

This single certificate exclusion covers **all We360.ai binaries across both standard and stealth modes** on both Windows and macOS (they share Team ID `5KPT5U8WVR`).

***

### 6 — Zscaler (ZIA + ZCC)

> **Official documentation:**
>
> * URL Allowlisting: <https://help.zscaler.com/zia/adding-urls-allowlist>
> * Custom URL Categories: <https://help.zscaler.com/zia/configuring-custom-url-categories>
> * SSL Inspection Policy: <https://help.zscaler.com/zia/configuring-ssl-inspection-policy>
> * SSL bypass for specific URLs: <https://help.zscaler.com/zia/skipping-inspection-traffic-specific-urls-or-cloud-apps>
> * ZCC App Bypass: <https://help.zscaler.com/zscaler-client-connector/adding-process-based-applications-bypass-traffic>
> * ZCC App Profiles: <https://help.zscaler.com/zscaler-client-connector/configuring-zscaler-client-connector-app-profiles>
> * Z-Tunnel 2.0 bypasses: <https://help.zscaler.com/zscaler-client-connector/best-practices-adding-bypasses-z-tunnel-2.0>

#### 7.1 ZIA — URL allowlisting

We360.ai agent traffic must bypass Zscaler Internet Access inspection to avoid connection failures and SSL errors. These rules apply to traffic from both Windows and macOS endpoints.

**Option A — Global URL Allowlist (fastest):**

1. ZIA Admin Portal → **Administration › URL Categories**
2. Locate the pre-defined **"Allowlist"** entry and click the **pencil/edit icon** to open it
3. Add: `*.we360.ai`, `*.in.we360.ai`
4. Click **Save** → **Activate Changes**

> **Note:** "Allowlist" is not a separate sub-menu — it is an editable pre-defined entry within the URL Categories list. See: <https://help.zscaler.com/zia/adding-urls-allowlist>

**Option B — Custom URL Category + Allow Rule (more granular):**

1. **Administration › URL Categories › Add URL Category**
2. Name: "We360.ai Monitoring Agent"
3. URLs: `*.we360.ai`, `portal.we360.ai`, `api.in.we360.ai`, `auth.in.we360.ai`, `assets.we360.ai`, `assets.v2.we360.ai`, `origin.in.we360.ai`, `origin.global.we360.ai`
4. Save → **Policy › URL & Cloud App Control › Add Rule**
5. URL Categories: select "We360.ai Monitoring Agent" → Action: **Allow** → Save → **Activate Changes**

See: <https://help.zscaler.com/zia/configuring-custom-url-categories>

#### 7.2 ZIA — SSL Inspection bypass

The We360.ai agent may use certificate pinning or custom TLS behavior that breaks under SSL inspection:

1. **Policy › SSL Inspection › Add Rule**
2. Name: "We360.ai SSL Bypass"
3. Action: **Do Not Decrypt**
4. URL Categories: select "We360.ai Monitoring Agent"
5. Define scope → Save → **Activate Changes**

> **Important:** The correct action name is **"Do Not Decrypt"** (API value: `DO_NOT_DECRYPT`), not "Do Not Inspect." ZIA still processes unencrypted traffic metadata — the bypass only skips TLS decryption. See: <https://help.zscaler.com/zia/configuring-ssl-inspection-policy>

#### 7.3 ZCC — Application bypass (process-based)

If Zscaler Client Connector tunnels We360.ai traffic and causes connection issues:

1. **ZCC Portal › App Profiles › \[Profile] › Traffic Steering**
2. Under **App and IP Bypass**, add:

**Windows:** `MyZenV2.exe`, `MyZenV2s.exe`, `updater.exe`, `svcrunner.exe`, `svcmonitor.exe`

**macOS (use bundle identifiers):** `ai.we360.MyZenV2`, `ai.zs.zs`

3. Save → republish the app profile

> **macOS note:** ZCC on macOS supports both process name and bundle identifier for app bypass rules. Bundle identifiers are preferred because they uniquely identify the app regardless of the executable name. On macOS, bundle identifier-based bypasses are deployed via **MDM configuration profiles** (Jamf Pro, Intune) using the VPN payload format `<TeamID>.<BundleID>` (e.g., `5KPT5U8WVR.ai.we360.MyZenV2`), not directly through the ZCC portal UI. See: <https://help.zscaler.com/zscaler-client-connector/deploying-zscaler-client-connector-jamf-pro-macos>

***

### 7 — Symantec Endpoint Protection (Broadcom SEP)

> **Official documentation:**
>
> * Configuring Exceptions policies: <https://knowledge.broadcom.com/external/article/156028/configuring-exceptions-policies-in-endpo.html>
> * Creating Exceptions policies: <https://knowledge.broadcom.com/external/article/151461/creating-exceptions-policies-in-the-endp.html>
> * Prefix variables: <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/file-and-folder-prefix-variables-v135458624-d51e2883.html>
> * Trusted Web Domain exceptions: <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/trusted-web-domain-exception-v33640881-d51e3269.html>
> * Managing exceptions: <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-exceptions-in-v36686987-d51e6.html>

#### 8.1 Windows — Application and folder exceptions

1. Open **Symantec Endpoint Protection Manager** (SEPM)
2. Navigate to **Policies › Exceptions**
3. Create or edit an Exceptions policy → click **Exceptions** → **Add › Windows Exceptions**

**Folder exceptions:**

* Click **Folder** → Path: `[PROGRAM_FILES]\Zenstack\MyZenV2\` → check **Include Subfolders**
  * Apply to: All scans (Auto-Protect, Scheduled, On-Demand), SONAR, Application Control
* Repeat for stealth: `[PROGRAM_FILES]\zs\zs\` with subfolders

**Application exceptions (prevents SONAR behavioral blocking):**

* Click **Application** → add each process:
  * `[PROGRAM_FILES]\Zenstack\MyZenV2\MyZenV2.exe` — Action: **Ignore**
  * `[PROGRAM_FILES]\zs\zs\MyZenV2s.exe` — Action: **Ignore**
  * `[SYSTEM_DRIVE]\Windows\svcmonitor.exe` — Action: **Ignore**
  * `[SYSTEM_DRIVE]\Windows\svcrunner.exe` — Action: **Ignore**

> **Terminology:** The SEPM console labels the exclusion action as **"Ignore"** (not "Allow"). "Ignore" tells SONAR and Download Insight to skip detection for the specified application. See: <https://knowledge.broadcom.com/external/article/151461/creating-exceptions-policies-in-the-endp.html>
>
> **Use SEP Prefix Variables** (`[PROGRAM_FILES]`, `[SYSTEM_DRIVE]`) instead of hardcoded drive letters for portability. Full list: <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/file-and-folder-prefix-variables-v135458624-d51e2883.html>

#### 8.2 macOS — Security Risk exceptions

SEP on macOS supports **file and folder Security Risk exceptions only** — application-level and SONAR exceptions are Windows-only features.

1. In SEPM → **Policies › Exceptions** → **Add › Mac Exceptions**
2. **Folder** → Path: `/Applications/MyZenV2.app/` → Include Subfolders → Apply to Security Risk scans
3. **Folder** → Path: `/usr/local/zs/zs.app/` → Include Subfolders
4. Assign to the appropriate group

> **Limitation:** Symantec's macOS behavioral analysis (if present) has no per-application exception mechanism via SEPM. If SEP's macOS agent blocks We360.ai behaviorally, contact Broadcom support for guidance on the specific detection.

#### 8.3 Trusted Web Domain exceptions

To prevent Download Insight from blocking We360.ai downloads:

1. In the same Exceptions policy → **Add › Windows Exceptions › Trusted Web Domain**
2. Add: `*.we360.ai`

> **Important — subdomains require wildcards:** Entering a bare domain (e.g., `we360.ai`) does **not** automatically cover subdomains. For example, `fakebook.com` matches only `fakebook.com` and does not match `www.fakebook.com`. You must use a wildcard entry (`*.we360.ai`) to cover subdomains, **and** add a separate entry for the bare domain (`we360.ai`) since the wildcard does not cover it. See: <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/trusted-web-domain-exception-v33640881-d51e3269.html>

#### 7.4 File Fingerprint List (hash-based, Windows)

1. On a clean machine with We360.ai installed, run `Checksum.exe` against the install directory. This utility is **installed with the SEP client** (typical path: `C:\Program Files\Symantec\Symantec Endpoint Protection\Checksum.exe`), not on the SEPM server.
2. Export the fingerprint list as CSV
3. In SEPM: **Policies › Exceptions › Add › Windows Exceptions › File** → import the fingerprint list

#### 7.5 Assign and propagate

Assign the Exceptions policy to the Location and Group containing the We360.ai target machines. Policy propagation: push mode \~5 minutes, pull mode \~60 minutes.

#### 7.6 Wildcard support

Wildcards (`*` and `?`) in exception paths require **SEP 14.3 RU5 or later**. On older versions, wildcards are treated as literal characters — use explicit paths instead.

***

### 8 — Bitdefender GravityZone

> **Official documentation:**
>
> * Antimalware exclusions (current UI): <https://www.bitdefender.com/business/support/en/77209-1180477-exclusions.html>
> * Configuration Profiles — exclusions: <https://www.bitdefender.com/business/support/en/77209-342987-exclusions.html>
> * Configuration Profiles overview: <https://www.bitdefender.com/business/support/en/77209-342986-configuration-profiles.html>
> * macOS process exclusions: <https://www.bitdefender.com/business/support/en/77209-343024-adding-process-exclusions-for-mac-in-bitdefender-gravityzone.html>
> * Firewall rules: <https://www.bitdefender.com/business/support/en/77209-342962-rules.html>
> * Network Protection / Intercept Encrypted Traffic: <https://www.bitdefender.com/business/support/en/77212-342964-general.html>
> * Antimalware configuration: <https://www.bitdefender.com/business/support/en/77209-151104-configuration.html>

#### 8.1 Windows — Path and process exclusions

1. Log into the **GravityZone Control Center**
2. Navigate to **Policies › \[target policy] › Antimalware › Exclusions › In-policy exclusions**
3. Click **Add**

**Folder exclusions:**

| Type   | Value                                | Modules to exclude                                   |
| ------ | ------------------------------------ | ---------------------------------------------------- |
| Folder | `C:\Program Files\Zenstack\MyZenV2\` | On-Access, On-Demand, ATC/IDS, Ransomware Mitigation |
| Folder | `C:\Program Files\zs\zs\`            | On-Access, On-Demand, ATC/IDS, Ransomware Mitigation |

> **ATC/IDS exclusion is critical.** Bitdefender's Advanced Threat Control (behavioral analysis) is the module most likely to flag We360.ai's input hooks and screenshot capture. If you exclude only On-Access scanning, ATC will still block the agent. A fifth module, **LSASS Protection**, is also available in newer GravityZone versions — include it if relevant to your environment.

**Process exclusions:**

| Type    | Value                                           | Modules            |
| ------- | ----------------------------------------------- | ------------------ |
| Process | `C:\Program Files\Zenstack\MyZenV2\MyZenV2.exe` | On-Access, ATC/IDS |
| Process | `C:\Program Files\zs\zs\MyZenV2s.exe`           | On-Access, ATC/IDS |
| Process | `C:\Windows\svcmonitor.exe`                     | On-Access, ATC/IDS |
| Process | `C:\Windows\svcrunner.exe`                      | On-Access, ATC/IDS |

4. Click **Add** after each entry → **Save** the policy

> **Note on console path:** Earlier GravityZone versions placed exclusions under "Antimalware › Settings › Custom Exclusions." This path has been superseded by **"Antimalware › Exclusions › In-policy exclusions"** in current versions. If you see the old path, GravityZone will display a redirect notice. See: <https://www.bitdefender.com/business/support/en/77209-1180477-exclusions.html>

#### 8.2 macOS — Path and process exclusions

GravityZone manages macOS exclusions from the same console but requires the **full binary path inside the .app bundle** for process exclusions, not the .app folder itself.

**Folder exclusions:**

| Type   | Value                        | Modules              |
| ------ | ---------------------------- | -------------------- |
| Folder | `/Applications/MyZenV2.app/` | On-Access, On-Demand |
| Folder | `/usr/local/zs/zs.app/`      | On-Access, On-Demand |

**Process exclusions:**

| Type    | Value                                              | Modules            |
| ------- | -------------------------------------------------- | ------------------ |
| Process | `/Applications/MyZenV2.app/Contents/MacOS/MyZenV2` | On-Access, ATC/IDS |
| Process | `/usr/local/zs/zs.app/Contents/MacOS/zs`           | On-Access, ATC/IDS |

> **macOS-specific:** When excluding macOS processes in GravityZone, specify the full path to the Mach-O binary inside `Contents/MacOS/`, not the `.app` bundle path. The folder exclusion handles file scanning; the process exclusion handles behavioral monitoring. See: <https://www.bitdefender.com/business/support/en/77209-343024-adding-process-exclusions-for-mac-in-bitdefender-gravityzone.html>

#### 8.3 Hash-based exclusions (SHA-256)

1. In the same Exclusions panel → Type: **File Hash**
2. Enter the SHA-256 of each executable
3. Select all applicable modules → **Add**

Collect hashes:

**Windows:**

```powershell
Get-ChildItem "C:\Program Files\Zenstack\MyZenV2\*.exe" | ForEach-Object {
    Get-FileHash $_.FullName -Algorithm SHA256 | Select-Object Hash, Path
}
```

**macOS:**

```bash
shasum -a 256 /Applications/MyZenV2.app/Contents/MacOS/MyZenV2
shasum -a 256 /usr/local/zs/zs.app/Contents/MacOS/zs
```
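
A hash exclusion, like the Symantec File Fingerprint List, matches one exact build, so it stops matching when `updater.exe` applies a new one. This added example (not We360.ai or vendor code) baselines the install folder and reports files whose hash changed, files that appeared without approval in a scan-excluded folder, and files that went missing. `demo()` uses a constructed temp folder, and `helper.dll` is a made-up file name.

```python
"""Added example: baseline and re-check SHA-256 hashes of an excluded agent folder."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Skip directories and symlinks: a link could point outside the excluded folder.
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifest(approved: dict, current: dict) -> dict:
    """Compare the approved baseline with what is on disk now."""
    return {
        # Hash differs: the hash exclusion no longer matches this file (e.g. after an update).
        "changed": sorted(p for p in approved if p in current and approved[p] != current[p]),
        # Not in the baseline: a file in a scan-excluded folder that nobody approved.
        "added": sorted(p for p in current if p not in approved),
        # In the baseline but gone: possibly quarantined or removed.
        "removed": sorted(p for p in approved if p not in current),
    }


def demo() -> dict:
    """Constructed sample: a temp folder standing in for the agent install directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MyZenV2.exe").write_bytes(b"agent build 1")
        (root / "zen_cli.exe").write_bytes(b"cli build 1")
        (root / "updater.exe").write_bytes(b"updater build 1")
        approved = build_manifest(root)  # taken on the clean reference machine

        (root / "MyZenV2.exe").write_bytes(b"agent build 2")   # a new build was applied
        (root / "helper.dll").write_bytes(b"unexpected file")  # file nobody approved
        (root / "zen_cli.exe").unlink()                        # file disappeared
        return diff_manifest(approved, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the approved manifest somewhere the endpoint cannot modify, and refresh the hash entries in the console whenever `changed` is non-empty after a planned agent update.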

#### 8.4 Configuration Profiles (shared exclusion lists)

If you manage multiple policies, create a reusable exclusion set:

1. Navigate to **Configuration Profiles**.
2. Navigate to the **Exclusions** tab → create a profile named "We360.ai Agent Exclusions"
3. Add all folder, process, and hash entries from the Windows, macOS, and hash-based exclusion sections above (8.1, 8.2, and 8.3)
4. Within any target policy, navigate to **Antimalware › Exclusions › Exclusions from configuration profiles** and attach the "We360.ai Agent Exclusions" profile

See: <https://www.bitdefender.com/business/support/en/77209-342986-configuration-profiles.html>

#### 8.5 Network / firewall module (Windows)

If GravityZone's firewall module is active:

1. **Policies › \[policy] › Firewall › Rules**
2. **Add Rule** → Direction: Outbound → Protocol: TCP → Remote Port: 443
3. Remote Address: Add the three Cloudflare IPs (`104.26.15.125`, `104.26.14.125`, `172.67.72.141`) or use application-level rules with the We360.ai process paths
4. Action: **Allow** → **Save**

See: <https://www.bitdefender.com/business/support/en/77209-342962-rules.html>

#### 8.6 Encrypted traffic inspection exclusion

If Bitdefender's encrypted traffic inspection intercepts We360.ai HTTPS connections:

1. **Policies › \[policy] › Network Protection › General**
2. Under **Intercept Encrypted Traffic**, locate the Exclusions section
3. Add: `*.we360.ai`
4. **Save**

> **Note on console path:** The feature is called **"Intercept Encrypted Traffic"** under the **Network Protection** module, not "SSL Scanning" under "General › Network" as in older GravityZone versions. See: <https://www.bitdefender.com/business/support/en/77212-342964-general.html>

***

### 9 — Trellix Endpoint Security (ENS)

#### 9.1 Path exclusions

1. Open the **ENS client** or **ePO console**.
2. Go to **Threat Prevention › Options**.
3. Click **Add Exclusion**.
4. Set the identifier to **file path** and add each path:

| Type   | Value                                |
| ------ | ------------------------------------ |
| Folder | `\Program Files\Zenstack\MyZenV2\**` |
| Folder | `\Program Files\zs\zs\**`            |
| File   | `\Windows\svcmonitor.exe`            |
| File   | `\Windows\svcrunner.exe`             |

{% hint style="warning" %}
If you add multiple identifiers (e.g., path + MD5 hash) in a single rule, Trellix requires **all of them to match simultaneously** (AND logic). Use **path-only rules** to avoid mismatches.
{% endhint %}

***

### 10 — Palo Alto Cortex XDR

If Cortex XDR generates an alert on We360.ai agent processes:

1. Open the **alert details** in the Cortex XDR console.
2. Right-click the alert → **Create alert exception** (not "Exclude Alert").
3. Scope to the **Malware Protection** module.
4. Ensure the exception covers these paths:

| Path                                  |
| ------------------------------------- |
| `C:\Program Files\Zenstack\MyZenV2\*` |
| `C:\Program Files\zs\zs\*`            |
| `C:\Windows\svcmonitor.exe`           |
| `C:\Windows\svcrunner.exe`            |

{% hint style="danger" %}
**"Create alert exception"** disables prevention for matching criteria. **"Exclude Alert"** only hides the alert while prevention stays active. Use the correct action — "Create alert exception."
{% endhint %}

***

### 11 — Deployment sequence

> Deploy all exclusions before installing monitoring agents. The most common deployment failure pattern is installing the monitoring agent first, having the AV quarantine critical components, then retroactively adding exclusions that cannot restore corrupted files. Always configure exclusions in your enterprise AV console → push to endpoints → verify policy application → then deploy the monitoring agent.

> Test on a pilot group of 10–20 devices for 48–72 hours before broad rollout. Run a full AV scan on test machines post-installation to verify no detections. Monitor agent health dashboards in both the AV console and the monitoring tool's console during the pilot period. Only then proceed with production deployment.

#### Windows

1. **Create all AV/EDR exclusions** in the management console (CrowdStrike, Defender, SentinelOne, etc.)
2. **Create all firewall/proxy exclusions** (Zscaler, network firewalls, Defender Network Protection indicators)
3. **Wait for policy propagation** — CrowdStrike: up to 40 min; Defender GPO: next GP refresh or `gpupdate /force`; SentinelOne: \~5 min; Bitdefender: next heartbeat
4. **Verify exclusions have applied** on pilot machines before proceeding:
   * Defender: `Get-MpPreference | Select ExclusionPath, ExclusionProcess`
   * CrowdStrike: Host detail → "Applied Exclusions" in Falcon console
   * SentinelOne: Agent details → "Exclusions" tab
5. **Install the We360.ai agent on a pilot group of 10–20 devices** (MSI or EXE) — do not deploy org-wide yet
6. **Run a full AV scan** on every pilot machine to confirm no detections are triggered post-installation
7. **Verify agent health** in the We360.ai admin portal (`portal.we360.ai`) — confirm each pilot device appears online and is reporting activity data
8. **Monitor both dashboards for 48–72 hours** — check the AV/EDR console for new detections, quarantine events, or behavioral alerts targeting We360.ai paths, and simultaneously check the We360.ai admin portal for agents going offline, failing to upload data, or showing connection errors. Investigate and resolve any issues found.
9. **Proceed to production rollout** only after the pilot period passes cleanly. Deploy in waves (e.g., 50 → 200 → all) rather than all-at-once to catch environment-specific issues early.

#### macOS

1. **Deploy all MDM configuration profiles** (Section 3 of your MDM setup):
   * PPPC / TCC profile (FDA + Accessibility for both `ai.we360.MyZenV2` and `ai.zs.zs`)
   * System Extensions profile (Team ID `5KPT5U8WVR` — combine with your AV vendor's Team ID)
   * Service Management profile (suppress Login Items notifications)
   * Network Content Filter profile (if applicable)
   * Non-removable extensions profile (macOS Sequoia 15+ devices only)
2. **Verify MDM profiles are installed** on target Macs:

   ```bash
   sudo profiles list -verbose | grep -A5 "we360"
   sudo cat "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
   ```
3. **Create all AV/EDR exclusions** (CrowdStrike ML, Defender `mdatp` / plist, SentinelOne path, Bitdefender folder+process)
4. **Create all firewall/proxy exclusions** (Zscaler URL allowlist + SSL bypass + ZCC app bypass with bundle IDs)
5. **Wait for propagation** (same timelines as Windows)
6. **Install the We360.ai agent on a pilot group of 10–20 Macs** (.pkg or .dmg) — do not deploy org-wide yet
7. **Grant Screen Recording permission manually** — this cannot be automated:
   * System Settings › Privacy & Security › Screen Recording → toggle on for MyZenV2 or zs
   * On macOS Sequoia (15): user must re-approve monthly
8. **Run a full AV scan** on every pilot Mac to confirm no detections
9. **Verify agent health** in the We360.ai admin portal — confirm each pilot device appears online and is reporting activity data
10. **Verify TCC permissions:**

    ```bash
    sudo sqlite3 -header -column "/Library/Application Support/com.apple.TCC/TCC.db" \
      "SELECT service, client, auth_value FROM access WHERE client LIKE '%we360%' OR client LIKE '%ai.zs%';"
    ```
11. **Monitor both dashboards for 48–72 hours** — check the AV/EDR console for new detections or behavioral alerts targeting We360.ai paths, and simultaneously check the We360.ai admin portal for agents going offline, missing screenshots (Screen Recording not granted), or connection errors. On macOS, also watch for System Extension load failures in Console.app (`log show --predicate 'subsystem == "com.apple.sx"' --last 4h`).
12. **Proceed to production rollout** only after the pilot period passes cleanly. Deploy in waves and ensure the Screen Recording manual approval workflow is communicated to each wave of users before their install.

***

### 12 — Troubleshooting

#### Agent not reporting after installation

**Windows:**

1. Confirm AV exclusions are applied (check each product using the verification step in Section 11)
2. Confirm firewall/proxy rules allow `*.we360.ai` on TCP 443
3. Test connectivity: `Test-NetConnection -ComputerName api.in.we360.ai -Port 443`
4. If behind Zscaler: check ZCC app bypass rules include the agent process
5. Check Defender quarantine events: `Get-MpThreatDetection | Where-Object { $_.Resources -like "*Zenstack*" -or $_.Resources -like "*zs\zs*" }`

**macOS:**

1. Confirm AV exclusions are applied (`mdatp exclusion list`, check S1/CS/BD console)
2. Test connectivity: `curl -v https://api.in.we360.ai` (check for TLS handshake success)
3. If behind Zscaler: verify ZCC app bypass includes `ai.we360.MyZenV2` or `ai.zs.zs`
4. Check Console.app or `log show` for errors:

   ```bash
   log show --predicate 'process == "MyZenV2" OR process == "zs"' --last 1h
   ```

#### Agent repeatedly killed or quarantined

This indicates a behavioral detection (not file-based). Escalate exclusions:

* **CrowdStrike:** Add IOA exclusion matching the specific detection rule ID (Section 3.3)
* **SentinelOne:** Change exclusion mode from Suppress Alerts → Interoperability (or Interoperability - Extended) (Section 5.1)
* **Bitdefender:** Ensure ATC/IDS module is included in the exclusion scope (Section 8.1/8.2)
* **Defender:** Check ASR rules (`Get-MpPreference | Select AttackSurfaceReductionRules_Actions`) and add ASR exclusions (Section 4.6)

#### macOS: agent installs but captures no data

This is almost always a TCC permission issue, not an AV issue.
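
The TCC query from the macOS deployment sequence returns raw `auth_value` integers. The following added example (not We360.ai code) runs that query and reports which agent bundle IDs lack Screen Recording approval, the permission the checklist says must be granted by hand. It assumes the `auth_value` meanings and the `kTCCServiceScreenCapture` service name shown in the comments; the in-memory database is constructed sample data.

```python
"""Added example: interpret the TCC.db query from the deployment checklist."""
import sqlite3
from pathlib import PurePosixPath

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
AGENT_CLIENTS = ("ai.we360.MyZenV2", "ai.zs.zs")  # bundle IDs from the checklist
SCREEN_CAPTURE = "kTCCServiceScreenCapture"       # assumed service name for Screen Recording
# Assumed meaning of auth_value on macOS 11 and later (not stated on this page).
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

# Same query as the deployment checklist.
QUERY = (
    "SELECT service, client, auth_value FROM access "
    "WHERE client LIKE '%we360%' OR client LIKE '%ai.zs%'"
)


def open_readonly(db_path: str = TCC_DB) -> sqlite3.Connection:
    """Open the database read-only; as_uri() percent-encodes the space in the path."""
    return sqlite3.connect(PurePosixPath(db_path).as_uri() + "?mode=ro", uri=True)


def tcc_status(conn: sqlite3.Connection) -> dict:
    """Return {client: {service: state}} with auth_value translated to a word."""
    status = {}
    for service, client, auth_value in conn.execute(QUERY):
        state = AUTH_VALUE.get(auth_value, f"unrecognised ({auth_value})")
        status.setdefault(client, {})[service] = state
    return status


def screen_recording_gaps(conn: sqlite3.Connection, clients=AGENT_CLIENTS) -> dict:
    """Return {client: state} for every agent whose Screen Recording is not allowed.

    Only TCC.db is read here; grants pushed by the PPPC profile are checked
    through MDMOverrides.plist in the deployment steps.
    """
    status = tcc_status(conn)
    gaps = {}
    for client in clients:
        state = status.get(client, {}).get(SCREEN_CAPTURE, "no row")
        if state != "allowed":
            gaps[client] = state
    return gaps


def sample_db() -> sqlite3.Connection:
    """Constructed sample rows; a real TCC.db access table has more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?)",
        [
            ("kTCCServiceScreenCapture", "ai.we360.MyZenV2", 0),  # user clicked Deny
            ("kTCCServiceAccessibility", "ai.we360.MyZenV2", 2),
            ("kTCCServiceScreenCapture", "com.example.other", 2),  # unrelated app
        ],
    )
    return conn


if __name__ == "__main__":
    # On a Mac, pass open_readonly() instead of sample_db() and run with sudo.
    print(screen_recording_gaps(sample_db()))
```

A result of `no row` means the approval prompt was never answered for that bundle ID, which matches the "missing screenshots" symptom in the pilot monitoring step.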

#### SSL/TLS connection failures

* Zscaler SSL inspection may intercept and re-sign We360.ai traffic → add SSL bypass rule with **"Do Not Decrypt"** action (Section 6.2)
* Bitdefender encrypted traffic inspection → add `*.we360.ai` to exclusions under **Network Protection › General › Intercept Encrypted Traffic** (Section 8.6)
* Symantec HTTPS inspection → add `*.we360.ai` as a Trusted Web Domain (Section 7.3)
* On macOS: verify the Zscaler root CA is MDM-deployed and trusted (certificates installed via Safari download are not trusted for code-level TLS)

***

### Appendix — Official documentation quick reference

| Product                                  | Documentation URL                                                                                                                                                                                                                |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CrowdStrike** ML Exclusions API        | <https://www.falconpy.io/Service-Collections/Ml-Exclusions.html>                                                                                                                                                                 |
| **CrowdStrike** Sensor Visibility API    | <https://www.falconpy.io/Service-Collections/Sensor-Visibility-Exclusions.html>                                                                                                                                                  |
| **CrowdStrike** IOC Management API       | <https://www.falconpy.io/Service-Collections/IOC.html>                                                                                                                                                                           |
| **CrowdStrike** PSFalcon module          | <https://github.com/CrowdStrike/psfalcon>                                                                                                                                                                                        |
| **Defender** Add-MpPreference            | <https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference>                                                                                                                                                  |
| **Defender** File/folder exclusions      | <https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus>                                                                                                           |
| **Defender** Process exclusions          | <https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus>                                                                                                      |
| **Defender** macOS exclusions            | <https://learn.microsoft.com/en-us/defender-endpoint/mac-exclusions>                                                                                                                                                             |
| **Defender** Intune AV policy            | <https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-antivirus-policy>                                                                                                                             |
| **Defender** Policy CSP (OMA-URI)        | <https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender>                                                                                                                                            |
| **Defender** Custom indicators           | <https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain>                                                                                                                                                        |
| **Defender** Advanced features           | <https://learn.microsoft.com/en-us/defender-endpoint/advanced-features>                                                                                                                                                          |
| **Defender** Tamper Protection           | <https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection>                                                                                                                |
| **SentinelOne** Solution brief           | <https://www.sentinelone.com/wp-content/uploads/2017/06/SentinelOne-Whitelisting-and-Blacklisting.pdf>                                                                                                                           |
| **SentinelOne** Exclusion best practices | <https://support.guardz.com/en/articles/10807589-best-practices-for-sentinelone-exclusions>                                                                                                                                      |
| **Zscaler** URL Allowlisting             | <https://help.zscaler.com/zia/adding-urls-allowlist>                                                                                                                                                                             |
| **Zscaler** Custom URL Categories        | <https://help.zscaler.com/zia/configuring-custom-url-categories>                                                                                                                                                                 |
| **Zscaler** SSL Inspection Policy        | <https://help.zscaler.com/zia/configuring-ssl-inspection-policy>                                                                                                                                                                 |
| **Zscaler** ZCC App Bypass               | <https://help.zscaler.com/zscaler-client-connector/adding-process-based-applications-bypass-traffic>                                                                                                                             |
| **Zscaler** Z-Tunnel 2.0 bypasses        | <https://help.zscaler.com/zscaler-client-connector/best-practices-adding-bypasses-z-tunnel-2.0>                                                                                                                                  |
| **Symantec** Exception policies          | <https://knowledge.broadcom.com/external/article/156028/configuring-exceptions-policies-in-endpo.html>                                                                                                                           |
| **Symantec** Creating exceptions         | <https://knowledge.broadcom.com/external/article/151461/creating-exceptions-policies-in-the-endp.html>                                                                                                                           |
| **Symantec** Prefix variables            | <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/file-and-folder-prefix-variables-v135458624-d51e2883.html> |
| **Symantec** Trusted Web Domain          | <https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Dialog-Overview/exceptions-v8093021-d51e2316/trusted-web-domain-exception-v33640881-d51e3269.html>      |
| **Bitdefender** Exclusions (current)     | <https://www.bitdefender.com/business/support/en/77209-1180477-exclusions.html>                                                                                                                                                  |
| **Bitdefender** Config Profiles          | <https://www.bitdefender.com/business/support/en/77209-342986-configuration-profiles.html>                                                                                                                                       |
| **Bitdefender** macOS process exclusions | <https://www.bitdefender.com/business/support/en/77209-343024-adding-process-exclusions-for-mac-in-bitdefender-gravityzone.html>                                                                                                 |
| **Bitdefender** Firewall rules           | <https://www.bitdefender.com/business/support/en/77209-342962-rules.html>                                                                                                                                                        |
| **Bitdefender** Network Protection       | <https://www.bitdefender.com/business/support/en/77212-342964-general.html>                                                                                                                                                      |
| **Cloudflare** IP ranges                 | <https://www.cloudflare.com/ips/>                                                                                                                                                                                                |


