Currently, on the EM Portal, due to limitations in the current exclusion methods for the "Containment" component, we can only exclude specific files, paths, or groups. We cannot exclude the entire sequence of actions following a given executable file. Therefore, excluding executables that might call unrecognized exe files or generate and execute unknown command files is extremely complex, even if the executable file is trusted. We must search for relevant information in Security Events, Contained Threats, and File Rating's Detected Scripts. This process is extremely time-consuming, and sometimes clients cannot wait that long, becoming impatient and even wanting to disable the Containment component. This makes it ironic to tell customers that using our product will relieve them of "alert fatigue," as they actually have to expend more effort to prevent important programs from being blocked or virtualized. Therefore, we hope you can provide a new exclusion method, such as the one described above, that can directly allow all subsequent actions of an executable file, even if it generates and executes unknown files.
