User91972758 (Reliable Contributor)
Message 1 of 9

ENSLTP Splunk Exceptions

Hello everyone,

I'm working on setting up McAfee Endpoint Security OAS exclusions for our Splunk environment, and I'm not seeing much success in keeping the mfetpd process from pretty much cratering these systems.

I've reviewed the exclusion list provided by Splunk, but that does not seem to be of much help. Would anyone be willing / able to share the list of exclusions they use? The document from Splunk I used can be found here. I unfortunately find it a bit tough to do the process exclusions, since from what I've experienced in OAS they have to be exact to the path, without any wildcards.

1 Solution

Accepted solution: Message 5 (Pravas), below.

8 Replies
Pravas (McAfee Employee)
Message 2 of 9

Re: ENSLTP Splunk Exceptions

Hi @User91972758 ,

You may also add the Splunk process as Low Risk under On-Access Exclusions. Adding the path ensures the process is only excluded if it matches the path. It's also possible to add just process names.

Please read more about it in the links below.

1) Why some processes must be added to low-risk exclusions

https://kc.mcafee.com/corporate/index?page=content&id=KB66036

2) Understanding High-Risk, Low-Risk, and Default processes configuration and use

https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Thanks


User91972758 (Reliable Contributor)
Message 3 of 9

Re: ENSLTP Splunk Exceptions

Good morning Pravas,

Excellent! I really appreciate the information. I will try to review those KBs later on today, and hopefully they'll be of some use; I definitely have my hopes up that it will help in reducing my impact on our *nix environment.
User91972758 (Reliable Contributor)
Message 4 of 9

Re: ENSLTP Splunk Exceptions

Just to try to verify this theory: for our *nix exclusions, could I add some of the following, verbatim, as process exclusions?

python
splunk
splunkd
splunkmon
tsidxprobe
tsidxprobe_plo
walklex

From previous experience and discussions with other McAfee employees, it has seemed that we need the explicit path to processes, at least for ENSLTP. If we are able to just use the process name, that would be great!
Pravas (McAfee Employee)
Message 5 of 9 (accepted solution)

Re: ENSLTP Splunk Exceptions

Hi @User91972758 ,

Yes, you should be able to use just process names. 

Here's another KB that explains how to test a low risk exclusion.

https://kc.mcafee.com/corporate/index?page=content&id=KB93410&locale=en_US

Hope this helps.

Thanks


User91972758 (Reliable Contributor)
Message 6 of 9

Re: ENSLTP Splunk Exceptions

Unfortunately this one doesn't show how to mimic a process exclusion in Linux, but I'm sure I can pretty much monitor whether files are read from or written to by a process, then review the OAS logs. That will be my ultimate test.

I appreciate your time and input for this!
User91972758 (Reliable Contributor)
Message 7 of 9

Re: ENSLTP Splunk Exceptions

After extensive testing and some communication with support engineers from McAfee, it has been determined that for Linux exclusions in OAS, when adding an item to the process exclusion list, the item needs to be the full and explicit path.

For example, the following would need to be added to exclude the dbssensor process in the low-risk process exclusions in order for it to work properly:

/usr/local/mfedbs.sensor/bin/dbssensor

This only seems to be the case for Linux, though; wildcards or just the process name itself can be used for Windows.

gururaj (McAfee Employee)
Message 8 of 9

Re: ENSLTP Splunk Exceptions

Hi,

Yes, you need to use the absolute path. NOTE: For Linux, the process name must be the absolute path of the binary being executed, instead of just a process name.

https://docs.mcafee.com/bundle/endpoint-security-10.7.0-threat-prevention-product-guide-linux/page/G...

Regards,

Gururaj.m.d
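The rule confirmed in Messages 7 and 8 (on Linux, an ENSLTP OAS process exclusion is matched on the absolute path of the executed binary, with no bare names and no wildcards) and the testing approach from Message 6 both come down to one question: which exact paths are the Splunk processes actually executing from? The script below is an added example, not code from this thread, McAfee or Splunk. It turns the process names from Message 4 into absolute-path exclusion entries, resolving symlinks because the kernel executes the link target, and then lists what the running processes really point at so gaps (a second install, a renamed launcher) show up before the exclusion is deployed. It assumes Splunk binaries live under $SPLUNK_HOME/bin (default /opt/splunk); the process list, paths and the /proc check are my assumptions, not McAfee documentation.

```shell
#!/bin/sh
# Added example, not code from the thread, McAfee or Splunk: build the
# ENSLTP on-access (OAS) low-risk process exclusion entries for Splunk on
# Linux, where an entry must be the absolute path of the binary that is
# executed (no bare names, no wildcards), then check which absolute paths
# the Splunk processes on this host are really running from.
#
# Assumptions (mine, not from the thread): Splunk binaries live in
# $SPLUNK_HOME/bin, default /opt/splunk; the process names are the ones
# listed in Message 4 of the thread.

SPLUNK_PROCS="python splunk splunkd splunkmon tsidxprobe tsidxprobe_plo walklex"

# resolve_exclusions SPLUNK_HOME [NAME...]
# Prints one absolute path per line for every NAME found under
# SPLUNK_HOME/bin. Symlinks are resolved, because the kernel executes the
# link target and that is the path the exclusion has to match; when the
# link path differs it is printed as well, so both spellings end up in the
# exclusion list. Names that do not resolve to an executable are reported
# on stderr and skipped rather than emitted, since an entry for a path that
# does not exist would never match anything.
resolve_exclusions() {
    home=$1
    shift
    [ $# -gt 0 ] || set -- $SPLUNK_PROCS
    for name in "$@"; do
        candidate="$home/bin/$name"
        if [ ! -x "$candidate" ]; then
            echo "skip: $candidate is missing or not executable" >&2
            continue
        fi
        real=$(readlink -f "$candidate")
        echo "$real"
        if [ "$real" != "$candidate" ]; then
            echo "$candidate"
        fi
    done
    return 0
}

# running_exe_paths NAME
# Linux only: prints the absolute executable path (/proc/<pid>/exe) of every
# running process whose comm equals NAME. /proc/<pid>/comm is truncated to
# 15 characters, so longer names must be shortened before the lookup.
# Any path reported here that is not in the resolve_exclusions output is a
# Splunk process the exclusion list will not cover (for example a second
# install under /opt/splunkforwarder).
running_exe_paths() {
    name=$1
    [ -d /proc ] || { echo "no /proc here; this check is Linux only" >&2; return 0; }
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm" 2>/dev/null)" = "$name" ]; then
            pid=${comm#/proc/}
            pid=${pid%/comm}
            readlink "/proc/$pid/exe" 2>/dev/null || true
        fi
    done | sort -u
    return 0
}

# Usage: sh splunk_excl.sh /opt/splunk
# Prints the exclusion entries, then any running splunkd whose executable
# path is not among them.
if [ $# -gt 0 ]; then
    resolve_exclusions "$1"
    for p in $(running_exe_paths splunkd); do
        resolve_exclusions "$1" 2>/dev/null | grep -qx "$p" || echo "not covered: $p"
    done
fi
```

Paste the printed paths into the low-risk process exclusion list one per line, exactly as printed. If the "not covered" check reports a path, that process is executing from a location the list does not name and will still be scanned by mfetpd; on Windows the same list could be bare names or wildcards, but per Messages 7 and 8 that does not carry over to ENSLTP.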

User91972758 (Reliable Contributor)
Message 9 of 9

Re: ENSLTP Splunk Exceptions

That's awesome; I'm glad there seems to be some documentation around that. It's taken quite a while to determine whether it needed to be explicit, as I've heard different things depending on whom I've talked with in support.

I will definitely be bookmarking / subscribing to that specific document for any changes that might be made.