Former Member
Message 1 of 8

Wildcards in Exclusions

Hi,

I am trying to add an Exclusion (the xx part varies for each user)

\AppData\Local\Temp\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}-84.0.4147.125_84.0.4147.105_chrome_updater.exe

for a GLP in one of our Rule Groups & found this information:

https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Then I tried the following paths and it's not working:

\AppData\Local\Temp\*chrome_updater.exe

\AppData\Local\Temp\{????????-????-????-????-????????????}-84.0.4147.125_84.0.4147.105_chrome_updater.exe 

\AppData\Local\Temp\{????????-????-????-????-????????????}-*_chrome_updater.exe 

Since I don't want to exclude the whole Temp folder, nor all .exe files in Temp, I would like to know if it's possible to specify the path for all files ending with chrome_updater.exe and how to do it.

Thanks in advance & kind regards!

7 Replies
BenEllis
McAfee Employee
Message 2 of 8

Re: Wildcards in Exclusions

First off, what kind of exclusion are you trying to add: Advanced Event Filter, Skiplist, Memory Protection? What is the full event?

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Former Member
Message 3 of 8

Re: Wildcards in Exclusions

Hi, sorry for not including more information.

Event Display Name: File Write denied

Process Name: C:\Windows\System32\svchost.exe

When trying to create a Policy: Updater rule cannot be made for Generic launcher process.

Which is why I went to Rule Group -> Exclusions -> Advanced Options -> Exclude path from write-protection rule

which would be skiplist -d, if I am not mistaken.

Hope that helps!

BenEllis
McAfee Employee
Message 4 of 8

Re: Wildcards in Exclusions

Thank you, that does help. Can you show me the event please?

McAfee Support

Benjamin Ellis


Former Member
Message 5 of 8

Re: Wildcards in Exclusions

Thanks for your fast reply!

I attached the event.

BenEllis
McAfee Employee
Message 6 of 8

Re: Wildcards in Exclusions

So this is the document you need to look at.

 

https://docs.mcafee.com/bundle/application-control-8.3.x-product-guide-windows/page/GUID-3A8AE466-27...

 

but unfortunately in the skiplist -d you cannot use wildcards at the beginning of the file name. 

McAfee Support

Benjamin Ellis


Former Member
Message 7 of 8

Re: Wildcards in Exclusions

Okay, thank you for linking that post.

But if the file starts with "{" shouldn't it be working?

I tried it and got the error message in the attached picture.

Also:

\AppData\Local\Temp\{????????-????-????-????-????????????}-84.0.4147.125_84.0.4147.105_chrome_updater.exe 

is accepted as input for a relative path but is not functioning the way I want it to.

(I counted the question marks numerous times just to be sure I typed the correct amount)

Is there something else I'm missing? 

P.S. Is my assumption that the wildcard "*" can stand for special characters (like { or ? or / etc.) as well as "normal" letters & numbers correct?

Former Member
Message 8 of 8

Re: Wildcards in Exclusions

@BenEllis 

My guess is that it is generally not advised to exclude the User Temp folder as a whole, so what would somebody do if you have multiple events from a GLP with different file names for around 200 users which all start with a different hex string?

As I found out today: the hash value remains the same, but I don't quite see if this is helping at all.

The file needs to be allowed to be modified and executed by 

C:\Windows\System32\svchost.exe

 

Thanks for your help! 

P.S. I still made no progress with the questions posted in my previous post, any tips would be greatly appreciated 🙂
