Question

File Activity Anomaly - false alert


Badge +3

hi all

Lately I received a lot of mail alerts about File Activity Anomaly…

I got alerts from one specific server about 4-5 files that it found suspicious.

After checking the files, I deleted the ones I didn't recognize, but there are a few files that I know and that are needed. I can't delete them.

How can I “white-list” them? I still need them on the server, and just need to stop the alert on this specific file.

Is it possible? If so, how?

Thanks all :)


6 replies

Userlevel 3
Badge +8

Hi @Avior

I do not believe that individual files can be whitelisted, but we can prevent these files from generating the alert. Can you try the following:

- In the Console → Alerts → File Anomaly Alert → Edit → Select step 3:

See below for the changes to the criteria:

Change the description to “does not contain” and add the paths to the files you wish to whitelist, separating the files with the “pipe” | character. This should prevent the detection of these files from triggering the alert.

Let me know how this goes or if you have questions. Thanks

Userlevel 7
Badge +15

You only have the option via an additional setting to disable the functionality → DisableFileIOMonitor. Not sure if you run the latest feature release, but development is continuously enhancing this feature to reduce the amount of false positives.

Badge +3

Hi

Thanks for your replies.

Unfortunately it doesn't work.

@Matt Medvedeff - I added the paths, but still received alerts on them. You can see that in the picture that I added…

@Onno van den Berg - if I add this additional setting, does that mean that nothing will be alerted anymore, or will it just make it more accurate?

Userlevel 7
Badge +15

@Avior it will disable the file anomaly feature on the client, hence it will not return any results, so it will stop the message from being generated.

Can you also share the version number you are running and a screenshot of the screen that Matt added which shows the configured exclusions?

Userlevel 5
Badge +10

The “suspicious file” alert is based on extensions known to be used in ransomware attacks.

https://documentation.commvault.com/11.24/expert/7879_monitoring_file_anomalies_on_client_computers_01.html#detecting-malware-file-extensions-on-client-computers

sExcludeExtensions
https://documentation.commvault.com/additionalsetting/details?name=sExcludeExtensions

You can use the “sExcludeExtensions” additional setting to exclude “key” file extensions on the clients which are giving you the false alerts.

Thanks,
Scott
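To make the scope of the three options in this thread concrete, here is an added example (my own model, not Commvault code and not part of the original replies) that runs each suppression lever over a few constructed detection records. It assumes, based only on what the replies state, that the alert criterion “does not contain” is a substring match on the path with entries separated by `|`, that sExcludeExtensions drops detections by extension for a whole client, and that DisableFileIOMonitor turns the monitor off for the client; the sample extensions and paths are constructed, not Commvault's list.

```python
# Constructed sample detections as (client, path) pairs; not real data.
DETECTIONS = [
    ("fs01", r"C:\App\config.locked"),             # known, needed file
    ("fs01", r"C:\App\db.crypt"),                  # known, needed file
    ("fs01", r"C:\Users\bob\report.docx.locked"),  # looks like real encryption
    ("fs02", r"D:\Share\invoice.crypt"),           # another client, same extension
]


def parse_exclusions(pipe_list: str) -> list[str]:
    """Split the criterion value on '|' as the console reply describes."""
    return [p.strip() for p in pipe_list.split("|") if p.strip()]


def alert_criterion(detections, does_not_contain: str):
    """Console alert rule (assumed substring semantics): only detections whose
    path contains one of the listed entries are suppressed; the rest still alert."""
    excluded = parse_exclusions(does_not_contain)
    return [d for d in detections if not any(x in d[1] for x in excluded)]


def s_exclude_extensions(detections, client: str, extensions: set[str]):
    """sExcludeExtensions (assumed per-client): every file with a listed
    extension on that client stops being detected, intended or not."""
    def ext(path: str) -> str:
        return path.rsplit(".", 1)[-1].lower()
    return [d for d in detections
            if not (d[0] == client and ext(d[1]) in extensions)]


def disable_file_io_monitor(detections, client: str):
    """DisableFileIOMonitor: nothing from that client is detected at all."""
    return [d for d in detections if d[0] != client]


def remaining_counts() -> dict[str, int]:
    """How many of the four sample detections still alert under each lever."""
    return {
        "alert_criterion": len(alert_criterion(
            DETECTIONS, r"C:\App\config.locked|C:\App\db.crypt")),
        "sExcludeExtensions": len(s_exclude_extensions(
            DETECTIONS, "fs01", {"locked", "crypt"})),
        "DisableFileIOMonitor": len(disable_file_io_monitor(DETECTIONS, "fs01")),
    }


if __name__ == "__main__":
    for lever, count in remaining_counts().items():
        print(f"{lever}: {count} of {len(DETECTIONS)} detections still alert")
```

The path-based criterion keeps the suspicious-looking `report.docx.locked` visible, while the extension and monitor-level settings hide it along with the two known files on that client.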
 

Badge +3

@Onno van den Berg - version 11.24.52

Screenshot:

 

 

@Scott Moseman - I added this key today. Thank you!
Will monitor it and update :)
 
