We are trying to exclude files related to an older ticket and are using the following exclusions to try to stop FILE_nsDriver32Sys from being deleted. It would appear that the following wildcard rules did not work:
We are trying to exclude that "FILE_nsDriver32Sys" from being scanned anywhere on the c:\ drive.
Are these exclusions written wrong or are they correct?
The "File_nsDriver32Sys" lives within a .cab file, which is within a .msi file that has a randomly generated number as its filename like this (which is why I wildcarded the name):
I am trying to get our ePO administrator to add the entire path shown above as an exclusion, but why didn't the other exclusions of c:\**\File_nsDriver32Sys work?
Good day to you!
Could you please provide the log where the detection is recorded so we could check it further?
We would like to see the process that is detecting the file, additionally, could you also confirm if you are using a standard scan profile or a risk-based scan profile for on-access scanning?
Attached is the most recent log showing deletions on 11/16/20. My particular workstation (which we use often for live testing) is RISK0028 and had the exclusions pushed to it on 11/13/20.
This is occurring with OAS and ODS.
I'm looking through our low-risk and high-risk process policies and see that there are no exclusions in either policy, and the high-risk section has cmd.exe as a high-risk process. The command to access this particular file we're trying to exclude may not necessarily be running during an ODS, but would definitely be running during an OAS, where cmd calls MSIEXEC, which then runs these paths.
The OAS policy is a copy of the McAfee Default with exclusions placed in and was probably created years ago, before I started with the organization.
Are there any updates to this? These deletions are literally killing our entire deployment of a product across the organization and we can't move forward without any subsequent analysis and support.
Good day to you!
Apologies for the delay in response.
>> I am trying to get our ePO administrator to add the entire path shown above as an exclusion, but why didn't the other exclusions of c:\**\File_nsDriver32Sys work?
Can you try to perform the below steps and share your feedback? This would help us to confirm whether the exclusions are actually working.
1. Add the following exclusion under the On-Access Scanner: C:\**\eicar.com
2. Download the file from the below website
3. If the exclusions are working as expected, the eicar.com file should not be removed.
If the .sys file is unzipped and written to the disk, the exclusion should work as expected. But if the file is only loaded into memory, I do not think the exclusion would be applied in that case.
Additionally, based on the detection it could be a false detection, so we would recommend that you submit the file as a sample to us so we can whitelist it, if the file is clean as per our analysis.
The steps to submit the file are available in the below article.
Once the SR is created please share the service request number, so I can have it checked.
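The EICAR check above can be scripted so that the `**` wildcard is exercised at several directory depths at once. The following is an added example written for this thread, not something posted by the user or by McAfee support; the directory paths under C:\Temp and the 10-second wait are assumptions you should adjust to your own environment, and the EICAR string is the public test string from eicar.org.

```powershell
# Added example (not from the thread): check whether an On-Access Scan
# exclusion such as C:\**\eicar.com is honored at several directory depths.
# Writes the standard EICAR test string to each path, waits for the
# on-access scanner, and reports which copies were written and survived.
# Paths and sleep duration are assumptions; adjust for your environment.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Constructed test locations chosen to exercise the ** (any depth) wildcard
$targets = @(
    'C:\Temp\eicar.com',
    'C:\Temp\level1\eicar.com',
    'C:\Temp\level1\level2\eicar.com'
)

$results = foreach ($path in $targets) {
    $dir = Split-Path -Parent $path
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }

    $written = $true
    try {
        # Write as plain ASCII with no BOM: the test signature only matches
        # when the 68-byte string is the exact start of the file.
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # An on-access scanner may block the write itself rather than
        # delete the file afterwards, so record that separately.
        $written = $false
    }

    # Give the on-access scanner time to act on the new file
    Start-Sleep -Seconds 10

    [PSCustomObject]@{
        Path     = $path
        Written  = $written
        Survived = (Test-Path $path)
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the workstation that received the policy. A row with Written=True and Survived=True means the exclusion matched that path; Written=False or Survived=False means the scanner acted on the file and the exclusion did not apply there. Because the script only tests files written to disk, it says nothing about the "loaded into memory" case mentioned in the reply above; for that you still need the detection log entry showing which process triggered the scan.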