Audience
This article is written for Tanium administrators and engineers who manage CrowdStrike Falcon in customer environments. It applies to new Tanium deployments and to any existing environment where CrowdStrike exclusions have not yet been configured or validated.
Before You Begin
- Confirm you have administrative access to the CrowdStrike Falcon console.
- Know the Tanium Client installation path on your endpoints — default paths are listed in the table below.
- Review existing CrowdStrike policies for stacking behavior that could override new exclusions.
- For module-specific exclusions (especially Threat Response and Reveal), consult the Security Exclusions section of Tanium documentation in addition to the paths below.
Types of CrowdStrike Falcon Exclusions
CrowdStrike Falcon supports two primary exclusion types relevant to Tanium deployments. Understanding when to use each is critical for balancing security coverage with performance.
Machine Learning (ML) Exclusions
The preferred starting point. ML exclusions stop ML-based detections and prevent uploads to the CrowdStrike cloud for the excluded path, while the Falcon sensor retains the ability to detect behavioral and anomalous process invocation activity. ML exclusions provide meaningful CPU and memory savings and should always be configured first.
Sensor Visibility Exclusions
Sensor Visibility exclusions go further — they prevent the Falcon sensor from monitoring the excluded path entirely, including event collection and behavioral analysis. Use this method only when ML exclusions have not resolved the performance issue. Implement with caution.
Custom IOA Rules
Indicators of Attack (IOA) exclusions can be created after a detection event. They suppress known-good behavioral detections not covered by ML exclusions. If a custom IOA is not working as expected, review the GLOB/regex syntax of the exclusion pattern.
Exclusion Reference Table
Configure exclusions in both Machine Learning and Sensor Visibility for all platforms in your environment.
| OS | Machine Learning | Sensor Visibility | Detection & Prevention Policy |
|---|---|---|---|
| Windows | `Program Files (x86)\Tanium\**`, `Program Files\Tanium\**` | `Program Files (x86)\Tanium\**`, `Program Files\Tanium\**` | `Program Files (x86)\Tanium\**`, `Program Files\Tanium\**` |
| Linux | /opt/Tanium/** | /opt/Tanium/** | /opt/Tanium/** |
| macOS | /Library/Tanium/** | /Library/Tanium/** | /Library/Tanium/** |
Create a Machine Learning Exclusion
Steps
- Log in to the CrowdStrike Falcon console and navigate to Detections and Preventions.
- Select the Machine Learning Exclusions tab.
- Click Add Exclusion.
- In the Exclusion Pattern field, enter the path for your platform from the table above. Use GLOB syntax (see Troubleshooting below for syntax rules).
- Select the appropriate Operating System filter to scope the exclusion to the correct platform.
- Add a description to identify the exclusion purpose — for example: Tanium Client folder – MSP exclusion.
- Click Save to apply.
- Repeat for each additional platform (Windows, Linux, macOS) and for Sensor Visibility exclusions if required.
Troubleshooting and Awareness
Be aware of the following conditions that can produce unexpected results after configuring exclusions:
- Improperly written exclusions: Exclusions with incorrect syntax can fail silently, leaving Tanium unprotected from interference. Always use GLOB syntax. For Windows, omit the drive letter and start the pattern at the root folder with no leading backslash (for example `Program Files\Tanium\**`, not `C:\Program Files\Tanium\**`). For Linux and macOS, the pattern must start with a forward slash (for example `/opt/Tanium/**`).
- Policy stacking: CrowdStrike Falcon supports Site policies that can be additive or reductive. A base policy without Tanium exclusions can override a Site policy that includes them, depending on evaluation order. Always verify where the Tanium exclusion policy sits in the stack.
- Endpoints not checking in: Devices that have not recently synced with the CrowdStrike cloud may not have received the latest exclusion policies. If Tanium works on some endpoints but not others, confirm that affected devices have checked in and have a current cached policy.
- High memory consumption: CrowdStrike kernel mode drivers have been observed consuming 2–6 GB of RAM on endpoints where Tanium exclusions are missing — most visibly during Tanium Patch or Comply scans. This resolves completely once the required exclusions are applied.
- High CPU usage: Without exclusions, CrowdStrike has been observed causing sustained CPU usage averaging 30% with frequent peaks of 55–75% during Tanium module activity. Machine Learning exclusions alone have demonstrated a 30% average CPU reduction across affected endpoints.
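Before saving an exclusion in the console, the syntax rules above can be linted and trial-matched against real endpoint paths. The following Python is an added example, not Tanium or CrowdStrike code; the `**` / `*` matching semantics it assumes (`**` crosses path separators, `*` does not) are an assumption, so treat its output as a pre-check rather than the sensor's own verdict.

```python
import re

# Reference patterns from the article's exclusion table (GLOB syntax).
TANIUM_EXCLUSIONS = {
    "windows": [r"Program Files (x86)\Tanium\**", r"Program Files\Tanium\**"],
    "linux": ["/opt/Tanium/**"],
    "macos": ["/Library/Tanium/**"],
}


def lint_pattern(os_name, pattern):
    """Return the list of syntax problems per the article's rules ([] means OK)."""
    problems = []
    if os_name == "windows":
        if re.match(r"^[A-Za-z]:", pattern):
            problems.append("Windows pattern must not include the drive letter")
        if pattern.startswith("\\"):
            problems.append("Windows pattern must not start with a backslash")
        if "/" in pattern:
            problems.append("Windows pattern should use backslashes")
    elif not pattern.startswith("/"):
        problems.append("Linux/macOS pattern must start with a forward slash")
    return problems


def glob_to_regex(pattern):
    """Translate a GLOB to a regex. Assumed semantics (not CrowdStrike's documented
    grammar): '**' matches any depth, '*' stays within one path component,
    '?' matches one character. Separators are normalised to '/'."""
    pat = pattern.replace("\\", "/")
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pat[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$", re.IGNORECASE)


def matches(os_name, pattern, full_path):
    """True if an on-disk path falls under the exclusion. The Windows drive
    prefix (e.g. 'C:\\') is stripped because patterns are written without it."""
    path = full_path.replace("\\", "/")
    if os_name == "windows":
        path = re.sub(r"^[A-Za-z]:/", "", path)
    return glob_to_regex(pattern).match(path) is not None
```

Running `matches("linux", "/opt/Tanium/*", "/opt/Tanium/TaniumClient/TaniumClient")` returns False while the `**` form returns True, which is why the table uses `**` throughout.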
Why Folder-Level Exclusions Are Recommended
Tanium is a platform for sensors and packages. Any script or action can be deployed to endpoints by a customer's Security or Operations team, meaning a deployment can accumulate 20–40 custom packages over time. Each Tanium action also launches from a dynamically named subfolder (Action_####) under the Tanium Downloads directory, making individual process exclusions impractical to maintain at scale.
Rather than requiring 45–95+ individual AV exclusions for Tanium processes alone, folder-level exclusions covering the paths below represent a balanced, maintainable approach:
- Program Files (x86)\Tanium\**
- Program Files\Tanium\**
- /opt/Tanium/**
- /Library/Tanium/**
Frequently Asked Questions
Q: How can Tanium be secure if CrowdStrike is not actively inspecting it?
A: Tanium has multiple layers of tamper protection that operate independently of AV scanning:
- Tanium files are digitally signed — if modified or tampered with in any way, they will not load.
- Tanium NTFS folder permissions are restricted to Local System only, preventing unauthorized modification.
- All Tanium message traffic is signed, so tampered messages are detected and refused. This means Tanium cannot be used as a vector for man-in-the-middle attacks.
- An attacker attempting to exploit Tanium would already need Local Administrator access — at which point they have full control of the endpoint through the OS itself, independent of Tanium.
- Threat actors are far more likely to target user credentials and data directly rather than attempting to brute-force security tooling.
Q: Why does Tanium require so many exclusions?
A: Because Tanium supports fully custom sensors and action packages, there is no finite list of executables to exclude. Over time, a customer environment can accumulate dozens of custom packages in addition to Tanium's built-in scripts. Folder-level exclusions are the only scalable approach to ensure CrowdStrike does not interfere with Tanium operations without requiring constant AV policy updates as new packages are deployed.
Q: Should I configure Machine Learning or Sensor Visibility exclusions first?
A: Always start with Machine Learning exclusions. These provide the best balance of performance improvement while retaining behavioral detection coverage. Add Sensor Visibility exclusions only if ML exclusions alone have not resolved the interference or performance issue.
Q: What if I see a detection on Tanium after adding exclusions?
A: If detections continue after adding ML exclusions, first verify the exclusion syntax is correct GLOB format. Then check for policy stacking issues that may be overriding your exclusion. If detections still occur, create an IOA exclusion scoped to the specific detection. Consult the CrowdStrike documentation on creating custom IOA rules for guidance.