User91972758
Reliable Contributor
Message 1 of 7

ENSLTP Splunk Exceptions

Hello everyone,

I'm working on setting up McAfee Endpoint Security OAS exclusions for our Splunk environment, and I'm not seeing much success in keeping the mfetpd process from pretty much cratering these systems.

I've reviewed the exclusion list provided by Splunk, but that does not seem to be of much help. Would anyone be willing / able to share the list of exclusions they use? The document from Splunk I used can be found here. I unfortunately find it a bit tough to do the process exclusions since, from what I've experienced in OAS, they have to be exact to the path without any wildcards.


6 Replies
Pravas
McAfee Employee
Message 2 of 7

Re: ENSLTP Splunk Exceptions

Hi @User91972758 ,

You may also add the Splunk process as Low Risk under On-Access Exclusion. Adding the path ensures the process is only excluded if it matches the path. It's also possible to just add process names.

Please read more about it in the links below.

1) Why some processes must be added to low-risk exclusions

https://kc.mcafee.com/corporate/index?page=content&id=KB66036

2) Understanding High-Risk, Low-Risk, and Default processes configuration and use

https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Thanks

User91972758
Reliable Contributor
Message 3 of 7

Re: ENSLTP Splunk Exceptions

Good Morning Pravas,

Excellent! I really appreciate the information. I will try and review those KBs later on today, and hopefully they'll be of some use; I definitely have my hopes up that it will help in reducing the impact on our *nix environment.
User91972758
Reliable Contributor
Message 4 of 7

Re: ENSLTP Splunk Exceptions

Just to try and verify this theory, for our *nix exclusions, could I add some of the following, verbatim, as process exclusions?

python
splunk
splunkd
splunkmon
tsidxprobe
tsidxprobe_plo
walklex

From previous experience and discussions with other McAfee employees, it has seemed we need the explicit path to processes, at least for ENSLTP. If we are able to just use the process name, then that would be great!
Pravas
McAfee Employee
Message 5 of 7

Re: ENSLTP Splunk Exceptions

Hi @User91972758 ,

Yes, you should be able to use just process names.

Here's another KB that explains how to test a low risk exclusion.

https://kc.mcafee.com/corporate/index?page=content&id=KB93410&locale=en_US

Hope this helps.

Thanks


User91972758
Reliable Contributor
Message 6 of 7

Re: ENSLTP Splunk Exceptions

Unfortunately this one doesn't show how to mimic a process exclusion in Linux, but I'm sure I can pretty much monitor whether files are read / written to by a process and then review the OAS logs. That will be my ultimate test.

I appreciate your time and input for this!
User91972758
Reliable Contributor
Message 7 of 7

Re: ENSLTP Splunk Exceptions

In case any others had any questions, Pravas was correct. You can just exclude by process name. For example, I actually ended up having to exclude the dbssensor process because OAS was scanning it, which is the process used for the McAfee Database Activity Monitor application.

I was able to verify this worked by reviewing the threat events recorded in ePO and looking at the threat target process name which was used.

Once I added the exclusion I sent a wake-up call to my systems with the newly updated policy, and checked the hourly report I had previously made, and the alerts went from a couple of thousand down to 2, due to my not having woken a system up.

Thanks again @Pravas for your assistance in providing information to further clarify this, it was much appreciated!
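As an added example (not code from this thread, from McAfee or from Splunk), the verification step described in the last post can be done offline against an ePO threat-event export: reduce the recorded target process name to the bare name that a process exclusion is keyed on, count events per process, and check which of those processes the candidate exclusion list from this thread would and would not silence. The sample export below is constructed for the example, and its header names are an assumption about the ePO Threat Event Log fields; adjust the three column constants to match a real export.

```python
"""Triage an ePO threat-event export to see which processes ENSLTP OAS is
generating events for, and how much a candidate process-exclusion list covers."""
import csv
import io
import posixpath
from collections import Counter

# Process names from the Splunk exclusion list quoted earlier in the thread,
# plus the dbssensor process the poster ended up adding.
CANDIDATE_EXCLUSIONS = {
    "python", "splunk", "splunkd", "splunkmon", "tsidxprobe",
    "tsidxprobe_plo", "walklex", "dbssensor",
}

# Assumed ePO Threat Event Log column names; rename to match the real export.
HOST_COL = "Threat Target Host Name"
PROCESS_COL = "Threat Target Process Name"
PATH_COL = "Threat Target File Path"

# Constructed sample export (not real data). Note that ePO may record the target
# process either as a bare name or as a full path, so both forms appear here.
SAMPLE_EXPORT = """\
Event Received Time,Threat Target Host Name,Threat Target Process Name,Threat Target File Path
2021-03-01 08:00:12,idx01,/opt/splunk/bin/splunkd,/opt/splunk/var/lib/splunk/main/db/db_1_2_3/rawdata/journal.gz
2021-03-01 08:00:15,idx01,/opt/splunk/bin/splunkd,/opt/splunk/var/lib/splunk/main/db/db_1_2_3/1614585600-1614582000-4.tsidx
2021-03-01 08:01:02,idx01,tsidxprobe_plo,/opt/splunk/var/lib/splunk/main/db/db_1_2_3/1614585600-1614582000-4.tsidx
2021-03-01 08:01:40,idx02,/opt/splunk/bin/splunkd,/opt/splunk/var/lib/splunk/_internal/db/hot_v1_7/rawdata/journal.gz
2021-03-01 08:02:05,idx02,/opt/splunk/bin/python,/opt/splunk/var/run/splunk/dispatch/1614585725.3/results.csv.gz
2021-03-01 08:02:30,idx02,/opt/dbsec/bin/dbssensor,/opt/dbsec/log/dbssensor.log
2021-03-01 08:03:11,sh01,/opt/splunk/bin/splunk-optimize,/opt/splunk/var/lib/splunk/main/db/db_4_5_6/merged_lexicon.lex
2021-03-01 08:03:50,sh01,/usr/sbin/rsyslogd,/var/log/messages
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_name(raw):
    """Reduce whatever ePO recorded (bare name or full path) to the bare
    process name, which is what a name-only OAS process exclusion matches on."""
    return posixpath.basename(raw.strip())


def events_by_process(rows):
    """Count threat events per bare process name."""
    return Counter(process_name(r[PROCESS_COL]) for r in rows)


def coverage(counts, exclusions):
    """Split per-process counts into those an exclusion list would silence
    and those it would not."""
    covered = {p: n for p, n in counts.items() if p in exclusions}
    uncovered = {p: n for p, n in counts.items() if p not in exclusions}
    return covered, uncovered


def top_paths(rows, process, limit=3):
    """Most frequently scanned paths for one process, to decide whether a
    process exclusion or a narrower path exclusion is the right fix."""
    paths = Counter(r[PATH_COL] for r in rows
                    if process_name(r[PROCESS_COL]) == process)
    return paths.most_common(limit)


def report(text, exclusions=CANDIDATE_EXCLUSIONS):
    """Human-readable summary: what the list covers, and what it misses."""
    rows = parse_export(text)
    counts = events_by_process(rows)
    covered, uncovered = coverage(counts, exclusions)
    lines = [f"{len(rows)} events across {len(counts)} distinct processes",
             f"covered by exclusions: {sum(covered.values())} events"]
    for p, n in sorted(covered.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {p:20} {n}")
    lines.append(f"NOT covered: {sum(uncovered.values())} events")
    for p, n in sorted(uncovered.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {p:20} {n}")
        for path, k in top_paths(rows, p):
            lines.append(f"      {k}x {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run against the constructed sample, the report shows splunkd as the noisiest process and the candidate list covering 6 of 8 events; the two it misses (splunk-optimize and rsyslogd in the sample) are listed with the paths being scanned, which is the input for deciding whether to extend the process list or add a path exclusion instead. The same script run on an export taken before and after the policy wake-up gives the before/after count the poster checked by hand.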
