mcoia
Level 7
Message 1 of 2

Do we no longer need exclusions for on-access scanning?

In 2020, we migrated to Endpoint Security Threat Prevention 10.7 from VirusScan Enterprise 8.8. It seems the On-Access Scan policy we migrated is causing some issues now. I am trying to create a new policy from scratch and during my research, I found McAfee article KB66909 that states "The Microsoft exclusions and McAfee applications listed in this article aren't needed for ENS. Exclusions aren't needed when the ENS option Let McAfee Decide is selected." I find this very hard to believe. Has anyone had experience with just using the option "Let McAfee Decide" and noticing issues on their servers? https://kc.mcafee.com/corporate/index?page=content&id=KB66909
Sivakumar1
McAfee Employee
Message 2 of 2

Re: Do we no longer need exclusions for on-access scanning?

Hello @mcoia. Thank you for reaching out to us in the McAfee Enterprise Community. As discussed, the Microsoft exclusions and McAfee applications listed in this article aren't needed for ENS. Exclusions aren't needed when the ENS option Let McAfee Decide is selected, as it uses the AMCore trust model for scan avoidance.

AMCore does an initial scan of the Actors in an endpoint, and does an initial classification of its state, based on the body of knowledge that AMCore has available to it. This initial scan is extremely low-impact (i.e. it is very fast) as it is not the same as doing signature scanning; rather it is performing a rapid initial state classification.

The core idea is this: If it is necessary to signature scan a file, then it takes time to scan that file. If you can avoid signature scanning the file you will save time (i.e. increase performance).

For example, if there is an installer or executable file that has a valid Microsoft certificate, then yes, it does take time to retrieve the certificate and validate it. However, that installer may spawn many other files that inherit the trust of the installer without having to empirically check the trust of every file that the installer places. This dramatically reduces the signature scanning burden and illustrates the core of the AMCore performance model.

Of course, there are obvious exceptions. For example, there are certain applications like browsers, where the browser binary is trusted, but the items the browser loads cannot be, as it is known that the browser can be instructed to load things that are malicious in nature. Microsoft Office is another good example, where the components and libraries of "Office proper" can be trusted, but documents that are ingested into Microsoft Office cannot all be trusted.

However, the performance model still has validity in that most of the items that trusted applications load can be trusted in the same way as the application that is ingesting the item. The bottom line is that this approach can be used to dramatically reduce the number of items that require signature scanning and certificate validation.

Therefore, increased performance is directly related to "scan avoidance", and having trusted certificates for items like trusted installers is key to providing good performance.

Conversely, if the system is missing trusted certificates for an installer that should be trusted, then the AMCore performance model will drop back to the default mode of certificate scanning every file that is placed by the installer in question. Knowing what to trust is key to performance. Maintaining an up-to-date whitelist is therefore important to this performance model. I have also attached the document so you can learn more about the AMCore Performance Model.

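The reply above ties scan avoidance to installers and executables carrying a certificate the system trusts, and says that where such trust is missing, AMCore falls back to scanning every file the installer places. The following script is an added example, not code from this thread or from McAfee: it inventories the Authenticode signature state of binaries under a folder so an administrator can see which installers a certificate-based trust model can rely on and which ones would fall back to per-file scanning. The root path, the extension list, and the output layout are assumptions; `Get-AuthenticodeSignature` and its `Status` values are standard PowerShell.

```powershell
# Added example (not from the thread or from McAfee): audit the Authenticode
# signature status of installers and executables under a path.
# $Root and $Extensions are assumed values; adjust them for your servers.
param(
    [string]$Root = 'C:\Installers',                      # assumed location of installer media
    [string[]]$Extensions = @('.exe', '.msi', '.dll', '.ps1')
)

if (-not (Test-Path -Path $Root)) {
    throw "Root path '$Root' does not exist."
}

# One record per file: signature status, signer subject, certificate expiry.
# Status is one of: Valid, NotSigned, HashMismatch, NotTrusted,
# NotSupportedFileFormat, Incompatible, UnknownError.
$results = Get-ChildItem -Path $Root -Recurse -File |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Expires = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        }
    }

# Summary: how many files are in each signature state.
$results | Group-Object -Property Status |
    Select-Object -Property Name, Count |
    Format-Table -AutoSize

# Files that a certificate-based trust model cannot rely on:
#   NotSigned    -> no certificate at all
#   NotTrusted   -> signed, but the chain does not end at a root this machine trusts
#   HashMismatch -> the file was modified after signing
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object -Property Status, Path |
    Format-Table -Property Status, Signer, Path -AutoSize

# Valid signatures whose certificate expires within 90 days, as an early warning.
$soon = (Get-Date).AddDays(90)
$results | Where-Object { $_.Status -eq 'Valid' -and $_.Expires -lt $soon } |
    Format-Table -Property Expires, Signer, Path -AutoSize
```

Run it on a representative server with `.\Audit-Signatures.ps1 -Root 'D:\Deploy'` (the script name is assumed). A `NotTrusted` result is the case the reply describes: the installer is signed, but the signing chain is not trusted on that machine, so every file it writes is scanned individually. Fixing that is a matter of deploying the missing root or intermediate certificate through your normal certificate distribution, not of adding exclusions.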