Pixels
Message 1 of 2

Exclusion in OAS policy not applying


Hi,

 

I have created an exclusion for CcmExec.exe in my OAS policy under exclusions.  When running the Profiler I'm seeing that it's still being scanned for Process Risk Default.

On this endpoint there is only 1 policy for On-Access and is not split with High-Low policies.  Where is the "Default" process risk?  The exclusion is set under "Process Type - Standard" under "Exclusions".

 


1 Solution

Accepted Solutions
McAfee Employee akatt
McAfee Employee
Message 2 of 2

Re: Exclusion in OAS policy not applying


The Profiler is showing that behavior, because the entered exclusion is a file exclusion.  Meaning, we have told the On-Access Scanner to never scan the file named ccmexec.exe.  

If the intentions are to tell the On-Access Scanner to never monitor ANY disk activity caused by the process, we have to:

--Enable the option to use Default/Low/High-risk process policies (within the Default processes policy in ePO)

--Add the process named ccmexec.exe as a low-risk process

--Uncheck the scan on read, and scan on write, options within the low-risk processes policy.

In doing so, we are allowing the process to run, unhindered by scanning, no matter what file it reads from, or writes to, on disk.  The following KB might also be helpful in understanding this feature more.

https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
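
The difference between the two settings described in the reply above, as an added example that is not part of the original posts and is not McAfee code: a simplified Python model of the scan decision. The class names, fields and sample events are assumptions made for illustration.

```python
"""Simplified model (not McAfee code): file exclusion vs. low-risk process."""
from dataclasses import dataclass, field
import ntpath


@dataclass
class ProcessPolicy:
    scan_on_read: bool = True
    scan_on_write: bool = True
    file_exclusions: set = field(default_factory=set)  # file names never scanned


@dataclass
class OasPolicy:
    use_risk_policies: bool = False  # the Default/Low/High-risk option
    low_risk_processes: set = field(default_factory=set)
    default: ProcessPolicy = field(default_factory=ProcessPolicy)
    low: ProcessPolicy = field(default_factory=ProcessPolicy)

    def is_scanned(self, process, target, op):
        """op is 'read' or 'write'; returns (process risk, scanned?)."""
        name = ntpath.basename(process).lower()
        low = self.use_risk_policies and name in self.low_risk_processes
        pol = self.low if low else self.default
        enabled = pol.scan_on_read if op == "read" else pol.scan_on_write
        excluded = ntpath.basename(target).lower() in pol.file_exclusions
        return ("Low" if low else "Default", enabled and not excluded)


CCM = r"C:\Windows\CCM\CcmExec.exe"
EVENTS = [  # constructed sample activity: (process, file touched, operation)
    (CCM, CCM, "read"),
    (CCM, r"C:\Windows\ccmcache\1\setup.msi", "write"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\ccmcache\1\setup.msi", "read"),
]


def file_exclusion_policy():
    # What the question configured: a file exclusion under Standard/Default.
    return OasPolicy(default=ProcessPolicy(file_exclusions={"ccmexec.exe"}))


def low_risk_policy():
    # What the reply describes: low-risk process, scan on read/write unchecked.
    return OasPolicy(use_risk_policies=True, low_risk_processes={"ccmexec.exe"},
                     low=ProcessPolicy(scan_on_read=False, scan_on_write=False))


def profile(policy):
    return [policy.is_scanned(*event) for event in EVENTS]
```

In this model the file exclusion only skips the file `CcmExec.exe` itself, so writes made by the process still show up as scanned under the Default risk level; the low-risk setup skips everything the process touches, while the same file is still scanned when a Default-risk process reads it.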
