File monitoring System32, excluding and including.

asked Jan 25 in EventSentry by msimmons13 (410 points)
So the default is:

"Only monitor files that are included below"

But it appears Malwarebytes is constantly adding/removing a file from system32/drivers, so I want to exclude that file. The radio buttons for "include all except" and "monitor only" cannot both be selected, so do I simply create a 2nd "monitored folder" for the exclusion?

1 Answer

answered Jan 25 by Ingmar (4,220 points)
Adding a 2nd folder is not supported, since it would instruct EventSentry to monitor the same folder twice. The best approach to suppress these false alerts from Malwarebytes would be to create an exclude filter so that these alerts aren't forwarded to an email for example. The advantage of this approach is that the changes to the "drivers" directory still get recorded to the database.

I included a screenshot of what this exclusion filter could look like. You may have to change the 2nd content filter if the file that is being added is not mbamswissarmy.sys:

[Screenshot: Exclude MalwareBytes FIM Alerts]

You can put this exclusion filter into any package that is assigned to the host where these alerts are generated, or you can create a new package.

I hope this helps, please let us know!

commented Jan 26 by msimmons13 (410 points)
That sounds great! I have one dumb question though: where do I navigate to set that exclusion filter?
commented Jan 26 by Ingmar (4,220 points)
Yes, you would want to create a new event log package (or add one to an existing one) and then add the exclusion filter to that package. Just make sure the package is assigned correctly. We have a video that explains this in detail: That video probably tells you more than you need to know - if you prefer a shorter tutorial then you can go here: Let me know if that helps.
commented Jan 26 by msimmons13 (410 points)
Perfect! One last question, when adding the "content filters" (where it says "string (#1) matches") I am given three options, "wildcard," "insertion," or "regex" for "text match type." Which do I want?

EDIT: Never mind, it's "insertion"

Thanks again!
commented Jan 26 by Ingmar (4,220 points)
Glad you figured it out - yes it's insertion string. Please vote the post up and/or as "Answer" if it resolves the problem - thank you!
commented Jan 26 by msimmons13 (410 points)
Thank you for the reminder, done!
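The approach recommended in the answer (keep recording every change to the drivers directory, but suppress only the notification for the known Malwarebytes file) and the match-type question from the comments can both be illustrated with a small model of such a filter. The following is an added example written for this page, not EventSentry's code or its event format: the event wording, the `SAMPLE_EVENTS` list and the names `content_matches` and `process_events` are constructed for illustration. It shows why a plain substring ("insertion") match is the natural choice for a file name, and how the same file name behaves under wildcard and regex matching.

```python
import fnmatch
import re

# Constructed sample file-monitoring alert texts (hypothetical wording,
# not EventSentry's actual event format). The first two are the noisy
# Malwarebytes driver; the last two are unrelated changes that should
# still produce a notification.
SAMPLE_EVENTS = [
    "File added: C:\\Windows\\System32\\drivers\\mbamswissarmy.sys",
    "File removed: C:\\Windows\\System32\\drivers\\mbamswissarmy.sys",
    "File modified: C:\\Windows\\System32\\drivers\\tcpip.sys",
    "File added: C:\\Windows\\System32\\drivers\\unknown_driver.sys",
]


def content_matches(text, pattern, match_type):
    """Return True if `pattern` matches `text` under the given match type.

    'insertion' - the pattern may appear anywhere in the text (substring)
    'wildcard'  - glob-style pattern (* and ?) that must cover the whole text
    'regex'     - regular expression searched anywhere in the text
    Matching is case-insensitive for all three, since Windows paths are.
    """
    if match_type == "insertion":
        return pattern.lower() in text.lower()
    if match_type == "wildcard":
        return fnmatch.fnmatch(text.lower(), pattern.lower())
    if match_type == "regex":
        return re.search(pattern, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


def process_events(events, exclude_rules):
    """Record every event, but notify only for events no exclude rule matches.

    `exclude_rules` is a list of (pattern, match_type) tuples.
    Returns (recorded, notified): the full audit trail and the subset that
    would be forwarded (e.g. by email). Suppressing the notification rather
    than the monitoring keeps the history of the driver directory intact.
    """
    recorded = []
    notified = []
    for event in events:
        recorded.append(event)  # the audit trail keeps everything
        if any(content_matches(event, pat, mt) for pat, mt in exclude_rules):
            continue  # known-noisy change: recorded, but no alert sent
        notified.append(event)
    return recorded, notified


if __name__ == "__main__":
    rules = [("mbamswissarmy.sys", "insertion")]
    recorded, notified = process_events(SAMPLE_EVENTS, rules)
    print(f"recorded {len(recorded)} events, notified on {len(notified)}:")
    for event in notified:
        print("  ", event)
```

With the single insertion-string rule, all four constructed events are recorded but only the `tcpip.sys` and `unknown_driver.sys` changes are forwarded. The same bare file name used as a wildcard pattern matches nothing, because a wildcard must cover the entire event text (it would need a leading `*`), and a regex needs the dot escaped; that is the practical reason "insertion" is the right match type for a file name in a content filter.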
