Whitelisting the Cyrisma Agent in Common Endpoint Protection Platforms V2

Last updated: March 27, 2026

The Cyrisma Agent performs local scanning, configuration auditing, and secure communication with the Cyrisma cloud platform. Some endpoint protection tools may interfere with these operations by blocking agent executables, quarantining files, or restricting access to required folders.

Whitelisting the Cyrisma Agent directory helps prevent false detections and avoids disruptions to Cyrisma functionality.

Folder to whitelist

For all platforms listed below, whitelist:

C:\CYRISMA_Agent\

Notes:

  • Use the full Cyrisma Agent folder path.

  • Apply exclusions only where needed and scope them to the smallest practical set of devices or policies.

  • Validate exclusions on a test group before broad deployment.

Executable-based whitelisting

If your endpoint protection platform does not support directory-based exclusions, or if it requires more granular allow rules, you may also need to whitelist these Cyrisma Agent executables:

Executable Path

Purpose

C:\CYRISMA_Agent\DataSpotliteAgent.exe

Main agent service

C:\CYRISMA_Agent\App\psexec.exe

Remote collection of target attributes

C:\CYRISMA_Agent\App\atexec.exe

Secondary method for remote target attribute collection

C:\CYRISMA_Agent\App\cytcp.exe

TCP port scanning

C:\CYRISMA_Agent\App\fileconv.exe

Reads file content for sensitivity scanning

C:\CYRISMA_Agent\bin\pscopy.exe

Agent management and upgrades

C:\CYRISMA_Agent\App\7z.exe

Compresses scan results

Additional note for application control tools:

  • Some products, such as ThreatLocker and similar EDR or allowlisting tools, may also require a process-based exception so that child processes started by C:\CYRISMA_Agent\DataSpotliteAgent.exe are allowed to execute.

1. Bitdefender GravityZone

1. Bitdefender GravityZone

Use an antimalware folder exclusion for the Cyrisma Agent directory.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to GravityZone Control Center.

  2. Go to Policies.

  3. Select the policy assigned to the endpoints running the Cyrisma Agent.

    • If needed, create a dedicated policy for Cyrisma-managed endpoints or duplicate an existing policy and assign it to those endpoints.

  4. Edit the selected policy.

  5. Open Antimalware.

  6. Go to Exclusions.

  7. In the In-policy exclusions section, enable in-policy exclusions.

  8. Add a new exclusion rule.

  9. For exclusion type, select Folder.

  10. Enter the folder path:
    C:\CYRISMA_Agent\

  11. Select the scanning methods the exclusion should apply to, based on your policy.

  12. Add the rule and save the policy.

  13. Confirm that the updated policy is assigned to the intended endpoints and verify the exclusion on a test device.

Note:

  • Bitdefender supports folder exclusions that apply to files and subfolders under the excluded path.

  • If needed, Bitdefender also supports process-based exclusions and exclusions

2. CrowdStrike Falcon

Use a Sensor Visibility Exclusion for the Cyrisma Agent directory.

Path to exclude:
C:\CYRISMA_Agent\**

Steps:

  1. Log in to the Falcon console.

  2. Go to Endpoint Security.

  3. Select Configure.

  4. Open Exclusions.

  5. Go to Sensor Visibility Exclusions.

  6. Select Create exclusion.

  7. Choose the hosts to target:

    • All hosts, or

    • Groups of hosts

  8. Select Next.

  9. In the Exclusion Pattern field, enter the Cyrisma Agent path using CrowdStrike’s supported Glob syntax:
    C:\CYRISMA_Agent\**

  10. If needed, select Apply to all descendant processes.

  11. In the Pattern Test field, enter a sample path and test the pattern to confirm it matches the intended folder.

  12. Add a comment for the audit log if desired.

  13. Select Create exclusion.

  14. In the confirmation window, select Confirm and Create.

Notes:

  • The exclusion pattern should include subfolders under the Cyrisma Agent directory.

  • Scope the exclusion only to the devices or host groups that require Cyrisma.

  • Test the pattern before saving to help confirm the exclusion applies to the intended path.

  • If applications experience compatibility issues in environments using CrowdStrike, review relevant prevention policy settings in addition to the exclusion.

3. ESET PROTECT

Add a Performance exclusion for the Cyrisma Agent directory.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the ESET PROTECT Web Console.

  2. Go to Policies.

  3. Select the policy applied to client computers and choose Edit.

  4. Go to Settings.

  5. Select Detection Engine.

  6. Expand Exclusions.

  7. Select Edit next to Performance exclusions.

  8. Select Add.

  9. In the Path field, enter:
    C:\CYRISMA_Agent\

  10. Add a comment if desired.

  11. Select OK.

  12. Select Save.

  13. Select Finish to apply the policy change.

Notes:

  • Use a Performance exclusion for the Cyrisma Agent folder path.

  • Wildcards for directories are not supported in these paths.

  • Apply the updated policy to the appropriate endpoint groups and verify the exclusion on a test system before broad deployment.

4. Huntress

If you are using Huntress Managed Antivirus or Managed Microsoft Defender Antivirus, create organization-level exclusions for the Cyrisma Agent path and process.

Path to exclude:
C:\CYRISMA_Agent\

Process to exclude:
C:\CYRISMA_Agent\DataSpotliteAgent.exe

Steps:

  1. Log in to the Huntress Portal.

  2. From the home page, navigate to Managed Antivirus.

    huntress 1.png

  3. Select Create Exclusion Settings.

  4. Select Create Organization Exclusion Settings.

    Huntress 2.png

  5. Select the managed organizations you want to apply the exclusion to.

  6. Add an exclusion type of Path and enter:
    C:\CYRISMA_Agent\

    • If needed, you can instead add the specific Cyrisma Agent executables.

  7. Add an exclusion type of Process and enter:
    C:\CYRISMA_Agent\DataSpotliteAgent.exe

  8. Save the exclusion settings.

    huntress 3.png

5. Malwarebytes Nebula

Create an exclusion for the Cyrisma Agent directory.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the Nebula Console.

  2. Go to Configure.

  3. Select Exclusions.

  4. Select New exclusion.

  5. In the Add Exclusions window, enable the exclusion.

  6. Enter the Cyrisma Agent folder path on its own line:
    C:\CYRISMA_Agent\

  7. Choose whether the exclusion applies to:

    • All endpoints, or

    • Specific policies

  8. Add a comment if needed.

  9. Select Validate.

  10. Review the exclusion details, including the exclusion type, scope, and affected protection layers.

  11. Select Save.

Notes:

  • Exclusions can be scoped globally or to specific policies.

  • Review the protection layers affected by the exclusion and confirm they align with how Cyrisma is used in your environment.

  • Changes are typically applied within minutes, provided endpoints are communicating with Nebula.

6. SentinelOne

Create an exclusion for the Cyrisma Agent directory.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the SentinelOne Management Console.

  2. Go to Policy Settings or Global Settings, depending on where exclusions are managed in your environment.

  3. Select the appropriate site, group, or device policy for endpoints running the Cyrisma Agent.

For environments using the new exclusions experience:
4. Create a new exclusion.
5. Set Exclusion Type to Agent Interoperability.
6. Set Operating System to Windows.
7. Select Continue.
8. Enter the Cyrisma Agent path using the path format supported by your SentinelOne environment.
9. Enable Include Subfolders.
10. Enable Apply to child processes.
11. Set Exclusion Mode to Interoperability.
12. Save the exclusion.
13. Allow time for the exclusion to propagate to endpoints.
14. Restart the device or the relevant Cyrisma service if needed, then verify the exclusion on a test endpoint.

For environments using the legacy exclusions experience:
4. Ensure the tenant is using the Legacy Exclusions Experience.
5. Create a path exclusion for alerts and mitigations.
6. Enter the Cyrisma Agent path using the path format supported by your SentinelOne environment.
7. Enable Include Subfolders.
8. Set Exclusion Mode to Interoperability - extended.
9. Save the exclusion.
10. Allow time for the exclusion to propagate to endpoints.
11. Restart the device or the relevant Cyrisma service if needed, then verify the exclusion on a test endpoint.

Notes:

  • SentinelOne’s exclusion workflow differs between the new and legacy exclusions experiences.

  • In environments that support Agent Interoperability, that exclusion type is generally the most relevant for preventing interference with legitimate management and scanning tools.

  • If the Cyrisma Agent still encounters blocking after the exclusion is applied, review whether child processes are also allowed and whether a more permissive performance-focused mode is needed in your environment.

  • Verify the exact path syntax accepted by your SentinelOne tenant before finalizing the exclusion.

7. Sophos Intercept X (Sophos Central)

Create a file or folder exclusion for the Cyrisma Agent directory.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to Sophos Central.

  2. Select the General Settings icon.

  3. Under General, select Global Exclusions.

  4. Select Add Exclusion.

  5. In Exclusion Type, select File or folder (Windows).

  6. Enter the Cyrisma Agent folder path:
    C:\CYRISMA_Agent\

  7. In Active for, choose whether the exclusion applies to:

    • Real-time scanning

    • Scheduled scanning

    • Both

  8. Select Add to save the exclusion.

Notes:

  • Sophos supports both global exclusions and policy-based exclusions.

  • Global exclusions apply to all users, computers, and servers in the tenant.

  • If you want the exclusion to apply only to specific devices or groups, use a policy-based exclusion instead of a global exclusion.

  • If excluded files still trigger exploit-related detections, separate exploit-related exclusion types may be required depending on the detection category.

8. ThreatLocker

Create an allow policy for the Cyrisma Agent directory.

Path to allow:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the ThreatLocker Portal.

  2. Go to the Application Control area.

  3. Open the policy management view for the organization, group, or computer where the Cyrisma Agent should be allowed.

  4. Create a new allow policy for the Cyrisma Agent folder path.

  5. Enter the Cyrisma Agent folder path:
    C:\CYRISMA_Agent\

  6. Scope the policy to the appropriate organization, group, or devices.

  7. Save the policy and deploy the change.

  8. Verify the policy on a test endpoint before broad deployment.

Notes:

  • ThreatLocker uses an allowlisting model, so software must be explicitly permitted to run.

  • ThreatLocker policies can be applied at different levels, including organization, group, and computer scope.

  • In some environments, a folder allow rule may not be sufficient by itself. Additional process-based rules may be needed so that child processes launched by C:\CYRISMA_Agent\DataSpotliteAgent.exe are also allowed to run.

  • Use the smallest practical scope and validate the result carefully before wider rollout.

9. Trend Micro Apex One

Add the Cyrisma Agent directory to the scan exclusion list.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the Apex One Console.

  2. Go to Agent Management.

  3. In the agent tree, select the root icon to include all Security Agents, or select the specific groups or Security Agents that should receive the exclusion.

  4. Go to Settings.

  5. Select Scan Exclusion Settings.

  6. Select the check box to enable scan exclusion.

  7. In the Scan Exclusion List (Files) section, enter the Cyrisma Agent directory path:
    C:\CYRISMA_Agent\

  8. Select Add.

  9. Select Save.

  10. If you selected the root icon, choose how the exclusion should be applied:

    • Apply to All Agents

    • Apply to Future Groups Only

  11. Verify the exclusion on a test group or endpoint before broad deployment.

Notes:

  • Excluding a directory also excludes its subdirectories from scanning.

  • Trend Micro requires a full file path or directory path; file name only is not supported.

  • Depending on your Apex One deployment and version, scan exclusions may also be managed through broader scan exclusion list settings.

  • Apply the exclusion to a test group first, then verify agent functionality before broad deployment.

10. Webroot Business Endpoint Protection

Create a good file override for the Cyrisma Agent folder path.

Path to allow:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the OpenText Management Console or the Endpoint Protection console.

  2. Choose the override scope you want to manage:

    • Global overrides, if the allow rule should apply broadly across sites that use global overrides

    • Site-level overrides, if the allow rule should apply only to a specific site or endpoint policy

  3. Open the file overrides area for that scope.

  4. Create a new good file override.

  5. Add the Cyrisma Agent folder path:
    C:\CYRISMA_Agent\

  6. Save the override.

  7. Allow endpoints to check in so the change is applied.

  8. Verify the override on a test endpoint before broad deployment.

Notes:

  • Good file overrides allow a file or folder path to execute regardless of cloud classification.

  • OpenText supports both global overrides and site-level overrides.

  • Site-level overrides are more targeted and take precedence over global overrides.

  • Policy-assigned overrides take precedence over site-level overrides.

  • File and folder path overrides are supported on OpenText Core Endpoint Protection version 9.0.1 or later.

  • OpenText recommends validating the need for overrides through testing rather than adding them automatically based only on vendor recommendations.

  • New overrides become active as devices check in to the OpenText Management Console.

11. Microsoft Defender (Managed via Intune)

Create a Microsoft Defender Antivirus exclusions policy and add the Cyrisma Agent directory as an excluded path.

Path to exclude:
C:\CYRISMA_Agent\

Steps:

  1. Log in to the Microsoft Intune admin center.

  2. Go to Endpoint security.

  3. Select Antivirus.

  4. On the Summary tab, select Create policy in the AV policies section, or open an existing policy whose policy type is Microsoft Defender Antivirus exclusions.

  5. When creating a new policy:

    • Select Platform: Windows

    • Select Profile: Microsoft Defender Antivirus exclusions

    • Select Create

  6. On the Basics tab, enter a name for the policy and, if desired, a description.

  7. On the Configuration settings tab, go to Excluded paths.

  8. Select Add.

  9. Enter the Cyrisma Agent folder path:
    C:\CYRISMA_Agent\

  10. Select Next.

  11. Configure scope tags if needed.

  12. On the Assignments tab, assign the policy to the appropriate device groups.

  13. Review the policy settings and select Save.

If you are editing an existing exclusions policy:

  1. Open the policy from Endpoint security > Antivirus.

  2. Select Edit next to Configuration settings.

  3. In Excluded paths, add:
    C:\CYRISMA_Agent\

  4. Continue through the review screen and save the changes.

Notes:

  • Microsoft Defender exclusions can be configured for paths, extensions, and processes. For Cyrisma, the primary requirement is an excluded path for the Cyrisma Agent directory.

  • Custom exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.

  • Microsoft recommends using exclusions sparingly and reviewing them periodically.

  • Excluded files can still generate other Microsoft Defender alerts in some cases, such as behavioral or heuristic detections.

  • If exclusions are configured from multiple policy sources, Intune supports policy merge for excluded paths, excluded extensions, and excluded processes.