rbecker
Level 9
Message 1 of 6

Correct exclusions

We are trying to exclude files related to an older ticket and are using the following exclusions to try to stop FILE_nsDriver32Sys from being deleted.  It would appear that the following wildcard rules did not work:

 

c:\**\FILE_nsDriver32Sys

or c:\*\FILE_nsDriver32Sys

 

We are trying to exclude that "FILE_nsDriver32Sys" from being scanned anywhere on the c:\ drive.

Are these exclusions written wrong or are they correct?

The "File_nsDriver32Sys" lives within a .cab file, which is within a .msi file that has a randomly generated number as its filename like this (which is why I wildcarded the name):

C:\windows\installer\*.msi\nsagent.cab\File_nsDriver32Sys

I am trying to get our ePO administrator to add the entire path shown above as an exclusion, but why didn't the other exclusions of c:\**\File_nsDriver32Sys work?

 

5 Replies
AjaySundar
McAfee Employee
Message 2 of 6

Re: Correct exclusions

Hi @rbecker,

Good day to you!

Could you please provide the log where the detection is recorded so we could check it further?

We would like to see the process that is detecting the file. Additionally, could you also confirm if you are using a standard scan profile or a risk-based scan profile for on-access scanning?

Thanks,

AJ

rbecker
Level 9
Message 3 of 6

Re: Correct exclusions

Ajay,

Attached is the most recent log showing deletions on 11/16/20.  My particular workstation (which we use often for live testing) is RISK0028 and had the exclusions pushed to it on 11/13/20.

This is occurring with OAS and ODS.

I'm looking through our low-risk and high-risk process policies and see that there are no exclusions in either policy, and the high-risk section has cmd.exe as a high risk process.  The command to access this particular file we're trying to exclude may not necessarily be running during an ODS, but would definitely be running during an OAS, where cmd calls MSIEXEC that then runs these paths.

 

The OAS policy is a copy of the McAfee Default with exclusions placed in and was probably created years ago, before I started with the organization.

 

rbecker
Level 9
Message 4 of 6

Re: Correct exclusions

@AjaySundar 

Are there any updates to this?  These deletions are literally killing our entire deployment of a product across the organization and we can't move forward without any subsequent analysis and support.

 

Thanks.

rbecker
Level 9
Message 5 of 6

Re: Correct exclusions

@AjaySundar  are there any updates to this ticket?

 

Thanks.

AjaySundar
McAfee Employee
Message 6 of 6

Re: Correct exclusions

Hi @rbecker,

Good day to you!

Apologies for the delay in response.

>> I am trying to get our ePO administrator to add the entire path shown above as an exclusion, but why didn't the other exclusions of c:\**\File_nsDriver32Sys not work

Can you try to perform the below steps and share your feedback? This would help us to confirm if the exclusions are actually working.

1. Add the following exclusion under the On-Access Scanner: C:\**\eicar.com

2. Download the eicar.com file from the below website:

https://www.eicar.org/?page_id=3950

3. If the exclusions are working as expected, the eicar.com file should not be removed.

If the sys file is unzipped and written to the disk, the exclusion should work as expected. But if the file is loaded into the memory I do not think the exclusion might be applied in that case.

Additionally, based on the detection it could be a false detection, so we would recommend you to submit the file as a sample with us to whitelist it, if the file is clean as per our analysis.

The steps to submit the file are available in the below article.

https://kc.mcafee.com/corporate/index?page=content&id=KB85567

Once the SR is created please share the service request number, so I can have it checked.

Regards,

AJ
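
An added example, not part of the thread and not McAfee code: a small matcher for checking the three exclusion patterns from this thread against candidate paths before pushing them through ePO. It assumes that `*` matches within a single path component, `**` matches across backslashes, `?` matches one non-backslash character, and that matching is case-insensitive; the MSI file name and the `C:\Temp` path are constructed sample values.

```python
import re

def exclusion_to_regex(pattern):
    """Translate an exclusion pattern to a regex under the assumed semantics."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")         # assumed: ** crosses backslashes
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")    # assumed: * stays inside one component
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")     # assumed: ? is one non-backslash char
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)

def is_excluded(pattern, path):
    """True if the whole path is covered by the exclusion pattern."""
    return exclusion_to_regex(pattern).fullmatch(path) is not None

# Patterns quoted in the thread.
PATTERNS = [
    r"c:\**\FILE_nsDriver32Sys",
    r"c:\*\FILE_nsDriver32Sys",
    r"C:\windows\installer\*.msi\nsagent.cab\File_nsDriver32Sys",
]

# Constructed sample paths (the MSI name stands in for the random one).
PATHS = [
    r"C:\Windows\Installer\1a2b3c.msi\nsagent.cab\File_nsDriver32Sys",
    r"C:\Temp\File_nsDriver32Sys",
]

def evaluate():
    """Return {(pattern, path): bool} for every combination."""
    return {(p, f): is_excluded(p, f) for p in PATTERNS for f in PATHS}

if __name__ == "__main__":
    for (pat, path), hit in evaluate().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {pat}  ->  {path}")
```

A pattern that matches here but still fails on the endpoint points away from the wildcard syntax and toward how the scanner reports the path of a file inside an archive, which this sketch does not model.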
