Using wildcards in exclusions

Summary

This article provides information on how you can exclude files from scanning by using wildcard characters in the F-Secure antivirus products.

Conditions to be met when using wildcards

Whenever wildcards are used in an exclusion, you have to type backslash twice: "

\\
" (as an escape character). All slashes in the path need to be escaped in this way. The path is not case-sensitive.

For real-time scanning use device names, e.g.

*\\HarddiskVolume1\\*\\eicar.com
.

For manual scanning use drive letters only, e.g.

C:\\*\\eicar.com
. The device names will not work here. If you use the single character wildcard (?), always start the exclusion with an asterisk, e.g.
*\\eica?.com
.

Note: When using wildcards, real-time scanning does not see the drive letters (legacy exclusions with drive letters are still supported in real-time scanning if wildcards are not used in the exclusion). To map drive letters to device names, run

fltmc volumes
from command line as an administrator. The fltmc utility ships with your operating system.

Using

\\Device\\HarddiskVolume1
will collide with the network exclusion where server is "Device" and share is "HarddiskVolume1". Hence, start the local exclusion with an asterisk (*).

Examples of usage for Real-time scanning

Some examples of using wildcards to exclude all *.ini files for real-time scanning in the following folder structure:

  • C:\Documents and Settings\User1\MyApplication\
  • C:\Documents and Settings\User2\MyApplication\
  • C:\Documents and Settings\UserNN\MyApplication\

Solution A:

*\\HarddiskVolume1\\documents and settings\\*\\MyApplication\\*.ini

Solution B:

*\\documents and settings\\*\\MyApplication\\*.ini

Working example 1:

When using wildcards, manual scanning does not understand device names, only real-time scanning does.

Real-time scanning:

*\\harddiskvolume1\\virus*\\eicar.com

*\\harddiskvolume1\\documents and settings\\*\\CADS\\*.ini

Manual scanning only:

C:\\*\\eicar.com

Working example 2:

To exclude an entire folder:

*\\MyFolder\\*

*\\MyFolder\\Subfolder\\*

Note: Everything inside the specified folder will be excluded, including its subfolders.

Working example 3:

To exclude any objects containing the string "eicar" in its name:

*eicar*

You can also use "?" as wildcard for a single character:

*eic??.com

\\*\\*eica?*

Working example 4:

All slashes need to be escaped, and if you use the single character wildcard (?), always start the exclusion with an asterisk.

Wrong:

  • *\\MyFolder\MySecondFolder\MyFiles*.exe
  • MyFile12?.exe

Correct:

  • *\\MyFolder\\MySecondFolder\\MyFiles*.exe
  • *MyFile12?.exe

DeepGuard and real-time exclusions

DeepGuard supports exclusions configured for real-time protection but they need to meet the following criteria:

  • Wildcards are not supported
  • Device names are not supported; use standard paths with drive letters:

Wrong:

\\Device\\HarddiskVolume1\\CodeMeter\\*

Correct:

c:\Program files (x86)\CodeMeter\
Pricing & Product Info

For product info and pricing please go to the F-Secure product page

Version history
Revision #:
42 of 42
Last update:
‎11-10-2019 06:48 AM
Updated by: