cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
chelo83
Level 8
Report Inappropriate Content
Message 1 of 5
‎12-19-2019 12:53 PM

Exclusions behavior

Jump to solution

What will be the expected behavior if I add the lists of paths and their subdirectories to the Low-Risk profile without actually adding a particular .exe file?

My somewhat educated guess will be that any .exe file writing/reading from those paths won't get scanned.

Am I correct?

0 Kudos
Reply
1 Solution

Accepted Solutions
mmuthuga
Employee
Employee
Report Inappropriate Content
Message 5 of 5
‎12-24-2019 01:03 AM

Re: Exclusions behavior

Jump to solution

Add the lists of paths and their subdirectories to other two tabs(Standard & High Risk) as well to exclude scanning when any .exe file writing/reading from those paths.

View solution in original post

Reply
4 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 5
‎12-19-2019 12:58 PM

Re: Exclusions behavior

Jump to solution

Hi @chelo83 ,

The standard/high/low risk OAS profiles are essentially "Buckets" for defining what behavior the scanner will take when observing activity based on that process' status as a defined high/low risk process or undefined as a standard process.

If you define "process.exe" as a low risk process, it will then follow the settings you've configured in the Low Risk tab of your policy. If this is set to not scan, then the process' activity will not be scanned. If you define it as a High Risk process, then it will scan following the configuration within your High Risk tab, and will not honor the exclusions you've configured in your Standard tab.

That all being said - Unless a process is specifically defined as a low risk process, it will not behave as a low risk process. Only executables can be added as low risk processes, files/directories on the disk cannot be added and have the processes accessing those locations fall under "low risk" as a result.

Let me know if that makes sense, or if you have any further questions on the subject.

Thank you,

Reply
patrakshar
Employee
Employee
Report Inappropriate Content
Message 3 of 5
‎12-19-2019 03:10 PM

Re: Exclusions behavior

Jump to solution

Kindly look at the below article. It might help.

https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Reply
mmuthuga
Employee
Employee
Report Inappropriate Content
Message 4 of 5
‎12-23-2019 11:48 PM

Re: Exclusions behavior

Jump to solution

The scenario you described will not render any use. Since no processes are classified under low risk process and only files/folders exclusions you have added, when these files/folders are accessed scan will occur according to settings of Standard and High Risk settings. This is because High risk setting will apply for processes under High Risk accessing any files under these lists of paths and their sub-directories. Standard settings will apply for processes not classified as High Risk or Low Risk.

Reply
mmuthuga
Employee
Employee
Report Inappropriate Content
Message 5 of 5
‎12-24-2019 01:03 AM

Re: Exclusions behavior

Jump to solution

Add the lists of paths and their subdirectories to other two tabs(Standard & High Risk) as well to exclude scanning when any .exe file writing/reading from those paths.

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC