cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 9
Report Inappropriate Content
Message 1 of 2

Exclusion in OAS policy not applying

Jump to solution

Hi,

 

I have created an exclusion for CcmExec.exe in my OAS policy under exclusions.  When running the Profiler I'm seeing that it's still being scanned for Process Risk Default.

On this endpoint there is only 1 policy for On-Access and is not split with High-Low policies.  Where is the "Default" process risk?  The exclusion is set under "Process Type - Standard" under "Exclusions".

 

1111.PNG22222.PNG

1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Exclusion in OAS policy not applying

Jump to solution

The Profiler is showing that behavior, because the entered exclusion is a file exclusion.  Meaning, we have told the On-Access Scanner to never scan the file named ccmexec.exe.  

If the intentions are to tell the On-Access Scanner to never monitor ANY disk activity caused by the process, we have to:

--Enable the option to use Default/Low/High-risk proceess policies (within the Default processes policy in ePO)

--Add the process named ccmexec.exe as a low-risk process

--Uncheck the scan on read, and scan on write, options within the low-risk processes policy.

In doing so, we are allowing the process to run, unhindered by scanning, no matter what file it reads from, or writes to, on disk.  The following KB might also be helpful in understanding this feature more.

https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

1 Reply
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Exclusion in OAS policy not applying

Jump to solution

The Profiler is showing that behavior, because the entered exclusion is a file exclusion.  Meaning, we have told the On-Access Scanner to never scan the file named ccmexec.exe.  

If the intentions are to tell the On-Access Scanner to never monitor ANY disk activity caused by the process, we have to:

--Enable the option to use Default/Low/High-risk proceess policies (within the Default processes policy in ePO)

--Add the process named ccmexec.exe as a low-risk process

--Uncheck the scan on read, and scan on write, options within the low-risk processes policy.

In doing so, we are allowing the process to run, unhindered by scanning, no matter what file it reads from, or writes to, on disk.  The following KB might also be helpful in understanding this feature more.

https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community