-# rEFInd doesn't scan its own directory or the EFI/tools directory.
-# You can "blacklist" additional directories with this option, which
-# takes a list of directory names as options. You might do this to
-# keep EFI/boot/bootx64.efi out of the menu if that's a duplicate of
-# another boot loader or to exclude a directory that holds drivers
-# or non-bootloader utilities provided by a hardware manufacturer. If
-# a directory is listed both here and in also_scan_dirs, dont_scan_dirs
-# takes precedence. Note that this blacklist applies to ALL the
-# filesystems that rEFInd scans, not just the ESP.
-#
-#dont_scan_dirs EFI/boot,EFI/Dell
+# rEFInd doesn't scan its own directory, the EFI/tools directory, the
+# EFI/memtest directory, the EFI/memtest86 directory, or the
+# com.apple.recovery.boot directory. Using the dont_scan_dirs option
+# enables you to "blacklist" other directories; but be sure to use "+"
+# as the first element if you want to continue blacklisting existing
+# directories. You might use this token to keep EFI/boot/bootx64.efi out
+# of the menu if that's a duplicate of another boot loader or to exclude
+# a directory that holds drivers or non-bootloader utilities provided by
+# a hardware manufacturer. If a directory is listed both here and in
+# also_scan_dirs, dont_scan_dirs takes precedence. Note that this
+# blacklist applies to ALL the filesystems that rEFInd scans, not just
+# the ESP, unless you precede the directory name by a filesystem name,
+# as in "myvol:EFI/somedir" to exclude EFI/somedir from the scan on the
+# myvol volume but not on other volumes.
+#
+#dont_scan_dirs ESP:/EFI/boot,EFI/Dell,EFI/memtest86
+
+# Files that should NOT be included as EFI boot loaders (on the
+# first line of the display). If you're using a boot loader that
+# relies on support programs or drivers that are installed alongside
+# the main binary or if you want to "blacklist" certain loaders by
+# name rather than location, use this option. Note that this will
+# NOT prevent certain binaries from showing up in the second-row
+# set of tools. Most notably, various Secure Boot and recovery
+# tools are present in this list, but may appear as second-row
+# items.
+# The file may be specified as a bare name (e.g., "notme.efi"), as
+# a complete filename (e.g., "/EFI/somedir/notme.efi"), or as a
+# complete filename with volume (e.g., "SOMEDISK:/EFI/somedir/notme.efi").
+# The default is shim.efi,shim-fedora.efi,shimx64.efi,PreLoader.efi,
+# TextMode.efi,ebounce.efi,GraphicsConsole.efi,MokManager.efi,HashTool.efi,
+# HashTool-signed.efi,bootmgr.efi
+#
+#dont_scan_files shim.efi,MokManager.efi