Responder Exception Rules for EPP and EDR
Overview
Section titled “Overview”Allow-listing is required for XDR Forensics responders to run acquisition tools, write temporary artifacts, and access protected areas of the file system. Without explicit exclusions in your Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), or antivirus solution, these routine activities can trigger false positives and interrupt evidence collection.
Use the tables below to add the recommended folder and binary exclusions for each supported operating system. Choose the entries that match your deployment to keep responders running without false positives.
Windows
Section titled “Windows”Folders to Exclude:
Section titled “Folders to Exclude:”C:\Program Files\Cisco\Forensics\AIR\C:\ProgramData\.cisco-forensics
Binaries to Exclude:
Section titled “Binaries to Exclude:”C:\Program Files\Cisco\Forensics\AIR\AIR.exeC:\Program Files\Cisco\Forensics\AIR\DRONE.exeC:\Program Files\Cisco\Forensics\AIR\Tactical.exeC:\ProgramData\.cisco-forensics\WATCHDOG.exeC:\Program Files\Cisco\Forensics\AIR\utils\curl.exeC:\Program Files\Cisco\Forensics\AIR\utils\osqueryi.exe
Folders to Exclude:
Section titled “Folders to Exclude:”/opt/cisco/forensics/air//usr/share/.cisco-forensics/
Binaries to Exclude:
Section titled “Binaries to Exclude:”/opt/cisco/forensics/air/air/opt/cisco/forensics/air/drone/opt/cisco/forensics/air/tactical/opt/cisco/forensics/air/utils/osqueryi/opt/cisco/forensics/air/utils/curl/usr/share/.cisco-forensics/watchdog
Folders to Exclude:
Section titled “Folders to Exclude:”/opt/cisco/forensics/air//usr/local/share/.cisco-forensics/
Binaries to Exclude:
Section titled “Binaries to Exclude:”/opt/cisco/forensics/air/air/opt/cisco/forensics/air/drone/opt/cisco/forensics/air/tactical/opt/cisco/forensics/air/utils/osqueryi/opt/cisco/forensics/air/utils/curl/usr/share/.cisco-forensics/watchdog