Summary
When a customer creates an Integrity Monitoring (IM) rule to monitor all files in a specified root directory, the Deep Security Agent (DSA) generates a baseline for all files in that root directory and all of its subfolders, even if the Include Sub Directories option is not selected. The rule settings for this case are shown below:

Details
If an Entity Set has no "include" or "exclude" tags, all entities below the hierarchical base value (if applicable) are included. An "exclude" tag without at least one (1) "include" tag is useless: nothing will be matched since there is no "include" tag. To address the issue:
Workaround:
As a workaround, prevent subdirectories from being included in the baseline by entering an asterisk (*) in the Include Files With Names Like (One Per Line) field in the IM rule settings.
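
The include/exclude behaviour from the Details section and the asterisk workaround above, written as custom IM rule XML. This is an added example, not taken from this article or the DSM Readme; the base path C:\ExampleApp and the *.log pattern are constructed, and it assumes that "*" matches within a single path section while "**" spans sections.

```xml
<!-- Added example. C:\ExampleApp is a constructed placeholder path. -->

<!-- 1. No include/exclude tags: every entity below the base is included,
        so files in all subfolders end up in the baseline. -->
<FileSet base="C:\ExampleApp">
</FileSet>

<!-- 2. Workaround equivalent: a single include of "*".
        Assumption: "*" does not cross a path separator, so only files
        directly under the base are baselined. -->
<FileSet base="C:\ExampleApp">
  <include key="*"/>
</FileSet>

<!-- 3. Exclude with no include: per the Details section this matches
        nothing, so the exclude has no useful effect. -->
<FileSet base="C:\ExampleApp">
  <exclude key="*.log"/>
</FileSet>

<!-- 4. Corrected form of 3: pair the exclude with at least one include.
        Baselines top-level files except those ending in .log. -->
<FileSet base="C:\ExampleApp">
  <include key="*"/>
  <exclude key="*.log"/>
</FileSet>
```

After changing a rule, rebuild the baseline and review its entity list to confirm the monitored scope is what you intended.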

Solution:
Download and apply Deep Security Manager (DSM) Service Pack (SP) 1 Patch 4.
This patch enables DSA to match patterns in IM rules, which prevents IM from including subdirectories in the baseline when the Include Sub Directories option is not selected. For more information regarding DSM SP1 Patch 4, refer to the Readme file.