I have noticed that most antivirus programs (maybe all of them?) have the ability for the user to set exclusions from being scanned and that it seems that the excluded program/file/etc is almost always by path (as opposed to md5 hash, etc). I'm wondering if this is the best policy for exclusions. What if an excluded program is auto updated and the update includes some sort of adware/spyware or worse? Because of the exclusion, will the updated program be able to do whatever it likes as the antivirus program will ignore it? I understand that exclusions are needed in many cases. But is exclusion by path the best policy?