I've ended up in a fight with the Anti-Virus team where I am claiming that they have not configured the exclusions correctly.
Can someone tell me whether I am in the wrong and should apologise, or whether I am in fact correct?
The Anti-Virus team has configured all folder exclusions for VirusScan Enterprise + AntiSpyware Enterprise 8.7.0i as follows:
DHCP (also exclude subfolders)
DNS (also exclude subfolders)
Enterprise Vault (also exclude subfolders)
Exchange Server (also exclude subfolders)
IIS Temporary Compressed Files (also exclude subfolders)
inetpub (also exclude subfolders)
Microsoft.NET (also exclude subfolders)
Microsoft Office Servers (also exclude subfolders)
Oracle (also exclude subfolders)
VERITAS (also exclude subfolders)
My (perhaps incorrect) understanding is that this will not match anything and that you would either need to use
for it to actually exclude a folder named "Oracle"
Note: I ran ProcessMonitor monitoring mcshield.exe and one of these "excluded" directories, and I can see the scanner opening things inside these "excluded" directories, which seems to confirm my belief. Can someone confirm this?
Thanks in advance
Message was edited by: supersede on 15/09/11 8:00:37 PM
Message was edited by: supersede on 15/09/11 8:01:10 PM
So it seems I need to work on my apology, I think.
I found a KB saying that I should only look for ProcessMonitor events where:
Operation CONTAINS IRP_MJ_READ
But, what is McShield.exe doing during the following operations (which are the ones I see in ProcessMonitor)?
During the 8 minutes I was logging with ProcessMonitor McShield was doing 360,000 operations inside the "excluded" directory.
For McShield to exclude a file from scanning, it must still access the file to obtain some information about it.
In other words, you'll still see File I/O from McShield touching all your excluded files - but it won't be scanning them.
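The two points above (filter on IRP_MJ_READ, and expect non-scan file I/O from McShield even on excluded paths) can be checked mechanically against a Process Monitor CSV export. The following script is an added example, not code from this thread or from McAfee. It assumes a ProcMon export saved with "Enable Advanced Output" turned on (so the Operation column carries raw IRP names such as IRP_MJ_READ rather than ReadFile), the standard export columns "Process Name", "Operation" and "Path", and a hypothetical excluded folder C:\Oracle; the log lines are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV) with
# "Enable Advanced Output" on. Paths use doubled backslashes because this is a
# normal (non-raw) Python string; the CSV text itself contains single backslashes.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:00:01.000","McShield.exe","1234","IRP_MJ_CREATE","C:\\Oracle\\bin\\sqlplus.exe","SUCCESS","Desired Access: Read Attributes"
"8:00:01.001","McShield.exe","1234","IRP_MJ_QUERY_INFORMATION","C:\\Oracle\\bin\\sqlplus.exe","SUCCESS","Type: QueryBasicInformationFile"
"8:00:01.002","McShield.exe","1234","IRP_MJ_CLEANUP","C:\\Oracle\\bin\\sqlplus.exe","SUCCESS",""
"8:00:01.003","McShield.exe","1234","IRP_MJ_CLOSE","C:\\Oracle\\bin\\sqlplus.exe","SUCCESS",""
"8:00:02.000","McShield.exe","1234","IRP_MJ_CREATE","C:\\Users\\bob\\Downloads\\setup.exe","SUCCESS","Desired Access: Generic Read"
"8:00:02.001","McShield.exe","1234","IRP_MJ_READ","C:\\Users\\bob\\Downloads\\setup.exe","SUCCESS","Offset: 0, Length: 4,096"
"8:00:02.002","McShield.exe","1234","IRP_MJ_CLOSE","C:\\Users\\bob\\Downloads\\setup.exe","SUCCESS",""
"8:00:03.000","explorer.exe","5678","IRP_MJ_READ","C:\\Oracle\\bin\\sqlplus.exe","SUCCESS","Offset: 0, Length: 4,096"
"""


def _under(path, folder):
    """True if path lies inside folder (case-insensitive, Windows-style separators)."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return path.lower().startswith(prefix)


def analyze(csv_text, process_name="McShield.exe", excluded_dirs=("C:\\Oracle",)):
    """Classify the scanner's file I/O under the excluded folders.

    Returns (ops, scan_reads):
      ops        - Counter of Operation names the scanner issued under excluded_dirs
                   (CREATE/QUERY_INFORMATION/CLOSE are metadata access, not scanning)
      scan_reads - paths under excluded_dirs where the scanner issued IRP_MJ_READ,
                   i.e. it actually read file content, which is the evidence of a scan
    """
    ops = Counter()
    scan_reads = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only the on-access scanner process is of interest.
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not any(_under(path, d) for d in excluded_dirs):
            continue
        ops[row["Operation"]] += 1
        if "IRP_MJ_READ" in row["Operation"]:
            scan_reads.append(path)
    return ops, scan_reads


def exclusion_honoured(csv_text, **kwargs):
    """True when the scanner never read file content under the excluded folders."""
    _, scan_reads = analyze(csv_text, **kwargs)
    return not scan_reads


if __name__ == "__main__":
    ops, reads = analyze(SAMPLE_CSV)
    print("Operations under excluded folders:", dict(ops))
    print("Content reads (scan evidence):", reads or "none")
    print("Exclusion honoured:", exclusion_honoured(SAMPLE_CSV))
```

Run against the sample, the excluded C:\Oracle path shows only create, query-information, cleanup and close operations and no IRP_MJ_READ, so the exclusion is being honoured even though McShield.exe clearly touched the file; passing excluded_dirs=("C:\\Users\\bob\\Downloads",) instead shows what a scanned folder looks like, since setup.exe gets an IRP_MJ_READ. On a real capture, point the script at the exported CSV and the folder names from the exclusion list.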