cancel
Showing results for 
Search instead for 
Did you mean: 
Pixels
Level 9
Report Inappropriate Content
Message 1 of 2

Exclusion in OAS policy not applying

Jump to solution

Hi,

 

I have created an exclusion for CcmExec.exe in my OAS policy under exclusions.  When running the Profiler I'm seeing that it's still being scanned for Process Risk Default.

On this endpoint there is only 1 policy for On-Access and is not split with High-Low policies.  Where is the "Default" process risk?  The exclusion is set under "Process Type - Standard" under "Exclusions".

 

1111.PNG22222.PNG

1 Solution

Accepted Solutions
McAfee Employee akatt
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Exclusion in OAS policy not applying

Jump to solution

The Profiler is showing that behavior, because the entered exclusion is a file exclusion.  Meaning, we have told the On-Access Scanner to never scan the file named ccmexec.exe.  

If the intentions are to tell the On-Access Scanner to never monitor ANY disk activity caused by the process, we have to:

--Enable the option to use Default/Low/High-risk proceess policies (within the Default processes policy in ePO)

--Add the process named ccmexec.exe as a low-risk process

--Uncheck the scan on read, and scan on write, options within the low-risk processes policy.

In doing so, we are allowing the process to run, unhindered by scanning, no matter what file it reads from, or writes to, on disk.  The following KB might also be helpful in understanding this feature more.

https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

1 Reply
McAfee Employee akatt
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Exclusion in OAS policy not applying

Jump to solution

The Profiler is showing that behavior, because the entered exclusion is a file exclusion.  Meaning, we have told the On-Access Scanner to never scan the file named ccmexec.exe.  

If the intentions are to tell the On-Access Scanner to never monitor ANY disk activity caused by the process, we have to:

--Enable the option to use Default/Low/High-risk proceess policies (within the Default processes policy in ePO)

--Add the process named ccmexec.exe as a low-risk process

--Uncheck the scan on read, and scan on write, options within the low-risk processes policy.

In doing so, we are allowing the process to run, unhindered by scanning, no matter what file it reads from, or writes to, on disk.  The following KB might also be helpful in understanding this feature more.

https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community