Thermo Fisher Scientific

How to Correctly Configure the File Change Monitor Exclusion Policies in Security Administration

Issue

When the policies in Security Administration for Security Suite software that exclude directories from directory rename and file change events are not configured as described below, they will not behave as expected.

Environment

Security Suite

OMNIC

OMNIC Paradigm

OMNIC Picta

OMNIC for Dispersive Raman

Resolution

Here is some guidance on how to configure the policies in Security Administration correctly so that specific directories are excluded from rename events and file monitoring.

  1. Wildcards in the middle of a directory name are not supported and will not work as expected. For example, excluding Temp*Dir will actually exclude all files in any folder containing TempDir in their name, such as MyTempDirFolder or TempDirectory.
  2. There is an implied leading and trailing asterisk (*) wildcard for each directory name. For example, excluding Temp will actually exclude all files in any folder containing Temp in their name, such as MyTempFolder or TemporaryFiles. To only exclude files in a folder named exactly Temp, you must specify \Temp\ (including the backslashes).
  3. The question mark (?) wildcard is not supported at all. Since the question mark is not a valid character in a directory name on Windows systems, attempting to use it will not exclude any directories.
  4. The directory name should not include the drive letter or root backslash. For example, to exclude all files in C:\Temp, enter only Temp\.
  5. If more than one directory must be excluded from monitoring, separate the entries in the list with a semicolon. The rules above apply to each excluded directory individually.

After changing any of these policies in the Security Administration program, the services must be restarted for the changes to take effect. The easiest way to do this is to restart the computer; on reboot all the services restart and pick up the new policy values.

Analysis

As an example, there is an endpoint protection program called Druva which changes a .CFG file quite often.  These file changes will be caught by the Thermo Scientific File Change Monitor service and can fill up an audit trail.  This file is located in the folder path C:\ProgramData\Druva\inSync4...

To exclude this path from monitoring, type the text "Druva\inSync4" (without the quotation marks) into the policy "List of directories to exclude from File Change Monitor Service for directory rename events" in the Security Administration program under Admin - System Policies. Then also enable the policy "Use exclude list for all events, not just directory renames". This excludes any path containing Druva\inSync4, which includes all subfolders under the inSync4 folder.
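The five rules in the Resolution section and the Druva example above can be checked before a policy is deployed and the services restarted. The following added Python model is not Thermo Scientific's code; it encodes the rules as this article states them, and assumes Windows-style case-insensitive matching with each entry compared against a file's folder path, so an over-broad entry that would hide events from the audit trail (such as a bare Temp) is visible up front.

```python
import re
from typing import List, Optional, Tuple

# Constructed model of the exclusion-list rules as this article states them.
# Not Thermo Scientific's code; it only predicts what a policy string excludes.

def normalize_entry(entry: str) -> Tuple[Optional[str], List[str]]:
    """Return the substring one entry effectively matches (None if it can
    never match) plus warnings for the mistakes the article calls out."""
    warnings: List[str] = []
    e = entry.strip()
    if re.match(r"^[A-Za-z]:", e):
        warnings.append(f"{e!r}: omit the drive letter and root backslash (rule 4)")
    if "?" in e:
        warnings.append(f"{e!r}: '?' is unsupported; this entry excludes nothing (rule 3)")
        return None, warnings
    if "*" in e.strip("*"):
        warnings.append(f"{e!r}: '*' inside a name is ignored; behaves like "
                        f"{e.replace('*', '')!r} (rule 1)")
    # Leading/trailing '*' are implied anyway, so every '*' can be dropped.
    return e.replace("*", ""), warnings

def parse_exclusions(policy: str) -> Tuple[List[str], List[str]]:
    """Rule 5: entries are separated by semicolons; each is checked alone."""
    entries, warnings = [], []
    for raw in policy.split(";"):
        if not raw.strip():
            continue
        pattern, w = normalize_entry(raw)
        warnings.extend(w)
        if pattern:
            entries.append(pattern)
    return entries, warnings

def is_excluded(path: str, entries: List[str]) -> bool:
    """Rule 2: the implied '*' on both ends makes each entry a substring test
    on the file's folder part. Assumes Windows case-insensitive names."""
    folder = path[: path.rfind("\\") + 1].lower()
    return any(e.lower() in folder for e in entries)

def review(policy: str, sample_paths: List[str]) -> dict:
    """Report which sample paths would drop out of the audit trail, so an
    over-broad entry is caught before it silently hides events."""
    entries, warnings = parse_exclusions(policy)
    return {"warnings": warnings,
            "excluded": {p: is_excluded(p, entries) for p in sample_paths}}

# Constructed sample paths, including the article's Druva example.
SAMPLE_PATHS = [r"C:\ProgramData\Druva\inSync4\client.cfg",
                r"C:\ProgramData\Druva\inSync4\logs\today.log",
                r"C:\Users\lab\Data\Temp.txt", r"C:\MyTempDirFolder\run1.spa"]
```

Run `review(r"Druva\inSync4; Temp*Dir; Logs?", SAMPLE_PATHS)` to see both the rule warnings and which of the sample files stop being audited.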

Image: Druva Exclude Policy.jpg