yoda1
Level 8
Message 1 of 5

Threat Prevention Exclusion

Hi

For a new environment, in the on-access and on-demand scan policy for my SQL server I have excluded the folder c:\Program Files\Microsoft SQL Server\ by adding **\Program Files\Microsoft SQL Server\** in the exclusions. My aim is to also exclude all subfolders and I was thinking the ** achieves that. Is that correct? Also, then why is there a checkbox "Also exclude subfolders"?

Also, I have more exclusions for the Domain Controller as per Microsoft. I have Threat Prevention and ATP; is there anything else that would need to be turned off from the default policy for a DC? I don't want to cause any issues to the DC, obviously, but also don't want to lessen the security.

regards

Jay

4 Replies
Pravas
McAfee Employee
McAfee Employee
Message 2 of 5

Re: Threat Prevention Exclusion

Hi Jay,

A double asterisk can also be used to exclude subfolders, in the following contexts:

C:\Temp\** - Excludes C:\Temp & its subfolders.

**\Temp\** - Excludes Temp anywhere in the system & its subfolders.

The other way to exclude a directory is by using "Also Exclude Subfolders".

Ex: C:\Temp\ and check the box to include subfolders. (It requires a trailing "\" to enable the option to choose subfolders.)

A double asterisk is commonly used in a situation where a folder needs to be excluded at multiple depths. Please read about it in the link below.

https://kc.mcafee.com/corporate/index?id=KB50998&page=content&pmv=print

There are no compatibility issues between ENS and a Domain Controller. In case you're planning to deploy just TP and ATP, it's best to configure the following in observe mode:

1) AMSI under On-Access Scan

2) Adaptive Threat Protection

Monitor the events for any false positive and tune the policy as you go.

Hope it helps.

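An added example, not from this thread or from McAfee: a small Python matcher that applies the wildcard rules Pravas describes (`**` spans any depth, backslashes included; `*` is taken to stay within one path component, the distinction the linked KB draws) to a constructed list of paths, so an exclusion can be sanity-checked before it goes into the policy. The folder-exclusion handling (a trailing `\` covers only files directly in that folder unless the subfolder option is set) is my reading of the reply, and the sample paths are made up for illustration. Note what it shows for Jay's original pattern: a leading `**` makes `**\Program Files\Microsoft SQL Server\**` match that folder name under any parent on any drive, not just the real install under C:\, so anything written to a look-alike directory such as D:\Staging\Program Files\Microsoft SQL Server\ would also be skipped by the scanner. If only the real install is meant, anchor the pattern with the drive letter, as in `C:\Program Files\Microsoft SQL Server\**`.

```python
import re
from typing import List

# Constructed sample paths (not taken from the thread): the real SQL Server
# install, a sibling product folder, Temp folders at two depths, and a
# look-alike folder on another drive.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA\master.mdf",
    r"C:\Program Files\Microsoft SQL Server\150\Setup Bootstrap\Log\Summary.txt",
    r"C:\Program Files\Microsoft SQL Server Management Studio\ssms.exe",
    r"C:\Temp\dropper.exe",
    r"C:\Temp\nested\dropper.exe",
    r"C:\Users\Public\Temp\dropper.exe",
    r"D:\Staging\Program Files\Microsoft SQL Server\payload.dll",
]


def exclusion_to_regex(pattern: str, also_exclude_subfolders: bool = False) -> "re.Pattern[str]":
    """Translate an ENS-style exclusion pattern into a regex over full paths.

    Wildcard rules as described in the reply above:
      **  matches any run of characters, backslashes included (any depth)
      *   matches any run of characters within one path component (assumed)
    A pattern ending in a backslash is a folder exclusion: it covers files
    directly in that folder, and the whole subtree only when
    also_exclude_subfolders is True (the "Also exclude subfolders" checkbox).
    Matching is case-insensitive, as Windows paths are.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if pattern.endswith("\\"):
        # Folder exclusion: exactly one more component (a file in the folder),
        # or anything at all beneath it when subfolders are included.
        body += ".*" if also_exclude_subfolders else r"[^\\]+"
    return re.compile("^" + body + "$", re.IGNORECASE)


def excluded_paths(pattern: str, paths: List[str],
                   also_exclude_subfolders: bool = False) -> List[str]:
    """Return the subset of `paths` the exclusion would skip, in input order."""
    rx = exclusion_to_regex(pattern, also_exclude_subfolders)
    return [p for p in paths if rx.match(p)]


if __name__ == "__main__":
    # Plain (non-raw) strings where needed: a raw string cannot end in "\".
    checks = [
        (r"**\Program Files\Microsoft SQL Server\**", False),
        (r"C:\Program Files\Microsoft SQL Server\**", False),
        ("C:\\Temp\\", False),
        ("C:\\Temp\\", True),
        (r"**\Temp\**", False),
    ]
    for pat, sub in checks:
        print(f"{pat}  (also exclude subfolders={sub})")
        for p in excluded_paths(pat, SAMPLE_PATHS, sub):
            print("   excluded:", p)
```

Run it as-is to see the seven sample paths sorted against each pattern; to check a real policy, replace SAMPLE_PATHS with the output of a recursive directory listing from the server in question and feed in the exclusions exactly as they appear in the ePO policy.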

yoda1
Level 8
Message 3 of 5

Re: Threat Prevention Exclusion

Thanks for the confirmation regarding the exclusion.

In regards to observation mode, the scope has changed, so I will also have Solidcore and the firewall.

So the plan is to leave Solidcore in observation mode and the firewall in adaptive mode, including AMSI under On-Access Scan and Adaptive Threat Protection in observe mode. Can you advise how long the systems should be left in observe mode if it is a brand new environment?

Pravas
McAfee Employee
McAfee Employee
Message 4 of 5

Re: Threat Prevention Exclusion

Hi @yoda1 ,

The basic idea is to have the system run all programs. If there are block events, they can be addressed by tweaking the policies. The events should stop as we continue to make changes.

Depending on the environment, the process may take anywhere from a few days to a couple of weeks.

Thanks


yoda1
Level 8
Message 5 of 5

Re: Threat Prevention Exclusion

OK, thanks Pravas.
