JePO1
Level 9
Message 1 of 4

Does an Adaptive Threat Protection process exclusion have to be explicit?

Hi, 

I'm tuning Adaptive Threat Protection in our environment and I've been writing some exclusions using wildcards for both directories and file names. For example, I'll add "C:\Program Files\Example Software\**\*.exe" in the list of Standard Process exclusions for the OAS with the objective of excluding all files ending in ".exe" in any folder under "C:\Program Files\Example Software".

The ENS Product Guide states "On-access scan Standard process exclusions specified by file name or file path apply to all ATP scanners, including Dynamic Application Containment and Real Protect. On-access scan exclusions specified by file type or age don't apply to ATP. ATP supports the same wildcards in path-based exclusions as Threat Prevention does."

Will my method of wildcarding the process name work for ATP, or is that considered a file type exclusion which won't work? I'd rather not manually create exclusions for every executable that triggers these rules if the process names don't have to be explicit. 

3 Replies
AjaySundar
McAfee Employee
Message 2 of 4

Re: Does an Adaptive Threat Protection process exclusion have to be explicit?

Hi @JePO1,

Good day to you!

As far as ATP is concerned, it honors the process-based exclusions that you list under the standard settings only; exclusions added under the high/low risk are not considered.

The exclusion that you have added should be as below:

"C:\Program Files\Example Software\*\*.exe"

You could also use the McAfee TIE to whitelist the executables as known trusted if you are not okay with adding the exclusions.

I hope this helps.

Regards,

AJ

JePO1
Level 9
Message 3 of 4

Re: Does an Adaptive Threat Protection process exclusion have to be explicit?

Thanks for the reply. 

I thought a single asterisk does not cross folder boundaries?

Also, just to clarify, will an exclusion written the way you listed be honored by ATP? We don't have a TIE server, so we are reliant on the Standard Process Exclusions for ATP exclusions.

AjaySundar
McAfee Employee
Message 4 of 4

Re: Does an Adaptive Threat Protection process exclusion have to be explicit?

Hi @JePO1,

The exclusion that I provided should work as expected.

To test the exclusion, use the test file attached to the article below:

https://kc.mcafee.com/corporate/index?page=content&id=KB88828

If the exclusion is working as expected, you should see the entry below in the ATP activity logs:

2021-01-14 05:47:08.587Z|Activity|Orchestrator |mfeatp | 5576| 8096|ExclusionScan |post_scan_actions.cpp(601) | Skipping scan for excluded file C:\Users\admin\Desktop\RealProtect-TestFile_11001\RP-D TestFile.exe

I hope this helps.

Regards,

AJ
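
One way to automate the log check described in the reply above, as an added example that is not part of the original thread and not McAfee tooling: it scans ATP activity log lines for the "Skipping scan for excluded file" entry. The column names and the two extra sample lines are assumptions constructed for illustration; only the first sample line comes from the thread.

```python
import ntpath

MARKER = "Skipping scan for excluded file "

# Assumed labels for the nine pipe-separated columns seen in the quoted log line.
FIELDS = ("timestamp", "level", "component", "process",
          "pid", "tid", "area", "source", "message")

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE = [
    r"2021-01-14 05:47:08.587Z|Activity|Orchestrator |mfeatp | 5576| 8096|ExclusionScan |post_scan_actions.cpp(601) | Skipping scan for excluded file C:\Users\admin\Desktop\RealProtect-TestFile_11001\RP-D TestFile.exe",
    r"2021-01-14 05:47:09.102Z|Activity|Orchestrator |mfeatp | 5576| 8096|ExampleArea |example.cpp(1) | constructed non-exclusion line for C:\Temp\other.exe",
    "constructed truncated line without the expected columns",
]


def parse_line(line):
    """Split one log line into named, whitespace-trimmed fields, or return None."""
    # maxsplit=8 keeps any '|' inside the message column intact.
    parts = [p.strip() for p in line.rstrip("\r\n").split("|", 8)]
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def excluded_files(lines):
    """Return (timestamp, path) for every 'Skipping scan for excluded file' entry."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["area"] == "ExclusionScan" and rec["message"].startswith(MARKER):
            hits.append((rec["timestamp"], rec["message"][len(MARKER):]))
    return hits


def was_skipped(lines, file_name):
    """True if a file with this name (case-insensitive) was skipped via an exclusion."""
    wanted = file_name.lower()
    return any(ntpath.basename(path).lower() == wanted
               for _, path in excluded_files(lines))


if __name__ == "__main__":
    for ts, path in excluded_files(SAMPLE):
        print(ts, path)
```

An empty result after running the test file means the exclusion pattern did not match, which is the case to investigate before relying on the wildcard.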

 
