cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
fattonymaximus
Level 9
Report Inappropriate Content
Message 1 of 5
‎02-01-2019 01:13 AM

Exclusions by file type with VSE and Threat Prevention

Jump to solution

Hi All,

A really stupid question but just want to clarify it, when adding exclusions on EPO there are different ways of adding specific files. What is the best process for adding specific files to EPO for VSE and Threat Prevention?

 

Example 1 : just add the file name as an exclusion batchfile.exe

Example 2 : **\batchfile.exe

Example 3 : C:\folder1\batchfile.exe

 

I presume all are acceptable ways of doing it, or does one option cause performance issues using either VSE or Threat Prevention?

Regards

Labels (1)
Labels
0 Kudos
Reply
2 Solutions

Accepted Solutions
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 5
‎02-01-2019 01:36 AM

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

I don't know if you are aware of this KB - but just to make note of it here. Here is the article which speaks about using wildcards within your OAS exclusions: https://kc.mcafee.com/corporate/index?page=content&id=KB54812

And also this one - understanding high/ low risk process configuration, is very useful:
https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Processes should be defined as low or high risk processes depending on if you are excluding them or if you are wanting them to be scanned more frequently.
By adding a .exe file to the default exclusion list, you would merely be excluding the file from scanning - not the actual process.

System Environmental Variables such as %SystemRoot% can be used in exclusions.
User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.

View solution in original post

0 Kudos
Reply
akatt
Employee
Employee
Report Inappropriate Content
Message 5 of 5
‎02-01-2019 01:59 PM

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

Depending on how the exclusion is added, there are differences in how the exclusions are handled.

For example, entering an exclusion as a file-type exclusion, using the file-type option, allows the Anti-virus filter driver in the kernel to ignore the file-type, so McShield in user-mode never gets asked to check/scan the file.

If we enter the same type of exclusion as a file/folder exclusion, let's say by entering *.txt as the file/folder exclusion, then the files are still passed to McShield in user-mode, which then checks its exclusion list, and then determines that the files should be excluded.

In this scenario, if we are sure that we never want to scan a specific file-type, it is best to enter the exclusion as a file-type exclusion.

This same behavior (with the filter driver not asking McShield to check the files), occurs when using the low-risk processes policy to define a process as low-risk, and when also unchecking the scan on read/write options.  The filter driver is "intelligent" enough in these scenarios, to ignore the requests, so that McShield doesn't have to do the check.

In terms of the syntax there are differences in how much effort McShield has to endure, in order to properly honor the different methods of entering a file/folder exclusion, with the wild-card usage incurring the most impact.  That being said, the opertaions as so quick that they shouldn't be noticeable from a user perspective.  In terms of work incurred, from highest to lowest, it would be:

**\example.txt
C:\<path>\example.txt
example.txt 

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

 

View solution in original post

0 Kudos
Reply
4 Replies
fattonymaximus
Level 9
Report Inappropriate Content
Message 2 of 5
‎02-01-2019 01:15 AM

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution
Also will EPO accept exclusions with percentage symbols in them?
Example %alluserprofiles%\programdata\
0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 3 of 5
‎02-01-2019 01:36 AM

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

I don't know if you are aware of this KB - but just to make note of it here. Here is the article which speaks about using wildcards within your OAS exclusions: https://kc.mcafee.com/corporate/index?page=content&id=KB54812

And also this one - understanding high/ low risk process configuration, is very useful:
https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Processes should be defined as low or high risk processes depending on if you are excluding them or if you are wanting them to be scanned more frequently.
By adding a .exe file to the default exclusion list, you would merely be excluding the file from scanning - not the actual process.

System Environmental Variables such as %SystemRoot% can be used in exclusions.
User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.

0 Kudos
Reply
vnaidu
MVP
Report Inappropriate Content
Message 4 of 5
‎02-01-2019 01:58 AM

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

@fattonymaximus 

I would like you to follow the KB article to understand the wildcard exclusions by following the KB54812.

In addition to this, you would like to Determine which risk applies to each process using these guidelines:

Low-risk — Processes with less possibility of spreading or introducing a potential
threat. These can be processes that access many files, but in a way that has a
lower risk of spreading potential threats. For example:Backup software Compiling processes

High-risk — Processes with a greater possibility of spreading or introducing a
potential threat. For example:
Processes that launch other processes, such as Microsoft Windows Explorer or
the command prompt.
Processes that execute scripts or macros, such as WINWORD or CSCRIPT.
Processes used for downloading from the internet, such as browsers, instant
messengers, or mail clients.

Default — Any process not defined as low-risk or high-risk.

 

Cheers!!!!!!!

Venu
0 Kudos
Reply
akatt
Employee
Employee
Report Inappropriate Content
Message 5 of 5
‎02-01-2019 01:59 PM

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

Depending on how the exclusion is added, there are differences in how the exclusions are handled.

For example, entering an exclusion as a file-type exclusion, using the file-type option, allows the Anti-virus filter driver in the kernel to ignore the file-type, so McShield in user-mode never gets asked to check/scan the file.

If we enter the same type of exclusion as a file/folder exclusion, let's say by entering *.txt as the file/folder exclusion, then the files are still passed to McShield in user-mode, which then checks its exclusion list, and then determines that the files should be excluded.

In this scenario, if we are sure that we never want to scan a specific file-type, it is best to enter the exclusion as a file-type exclusion.

This same behavior (with the filter driver not asking McShield to check the files), occurs when using the low-risk processes policy to define a process as low-risk, and when also unchecking the scan on read/write options.  The filter driver is "intelligent" enough in these scenarios, to ignore the requests, so that McShield doesn't have to do the check.

In terms of the syntax there are differences in how much effort McShield has to endure, in order to properly honor the different methods of entering a file/folder exclusion, with the wild-card usage incurring the most impact.  That being said, the opertaions as so quick that they shouldn't be noticeable from a user perspective.  In terms of work incurred, from highest to lowest, it would be:

**\example.txt
C:\<path>\example.txt
example.txt 

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC