What will be the expected behavior if I add the lists of paths and their subdirectories to the Low-Risk profile without actually adding a particular .exe file?
My somewhat educated guess will be that any .exe file writing/reading from those paths won't get scanned.
Am I correct?
Hi @chelo83 ,
The standard/high/low risk OAS profiles are essentially "Buckets" for defining what behavior the scanner will take when observing activity based on that process' status as a defined high/low risk process or undefined as a standard process.
If you define "process.exe" as a low risk process, it will then follow the settings you've configured in the Low Risk tab of your policy. If this is set to not scan, then the process' activity will not be scanned. If you define it as a High Risk process, then it will scan following the configuration within your High Risk tab, and will not honor the exclusions you've configured in your Standard tab.
That all being said, unless a process is specifically defined as a low risk process, it will not behave as a low risk process. Only executables can be added as low risk processes; files/directories on the disk cannot be added and have the processes accessing those locations fall under "low risk" as a result.
Let me know if that makes sense, or if you have any further questions on the subject.
The scenario you described will not be of any use. Since no processes are classified as low risk and you have only added file/folder exclusions, when these files/folders are accessed, scanning will occur according to the Standard and High Risk settings. This is because the High Risk settings will apply for processes under High Risk accessing any files under these lists of paths and their sub-directories. The Standard settings will apply for processes not classified as High Risk or Low Risk.