
Excluding directories OnAccess scan (Me vs The Anti-Virus Team)

Hi,

I've ended up in a fight with the Anti-Virus team where I am claiming that they have not configured the exclusion correctly.

Can someone tell me whether I am in the wrong and should apologise, or whether I am in fact correct?

The Anti-Virus team has configured all folder exclusions for VirusScan Enterprise + AntiSpyware Enterprise 8.7.0i as follows:

DHCP (also exclude subfolders)

DNS (also exclude subfolders)

Enterprise Vault (also exclude subfolders)

Exchange Server (also exclude subfolders)

IIS Temporary Compressed Files (also exclude subfolders)

inetpub (also exclude subfolders)

Microsoft.NET (also exclude subfolders)

Microsoft Office Servers (also exclude subfolders)

Oracle (also exclude subfolders)

VERITAS (also exclude subfolders)

...

e.g.:

[Attachment: Exclusion.PNG]

My (perhaps incorrect) understanding is that this will not match anything and that you would either need to use

*Oracle

or

**Oracle

for it to actually exclude a folder named "Oracle".

Note: I ran Process Monitor, monitoring mcshield.exe and one of these "excluded" directories, and I can see the scanner opening things inside these "excluded" directories, which seems to confirm my belief. Can someone confirm this?

Thanks in advance

Martin

Message was edited by: supersede on 15/09/11 8:00:37 PM

Message was edited by: supersede on 15/09/11 8:01:10 PM
2 Replies

Re: Excluding directories OnAccess scan (Me vs The Anti-Virus Team)

So it seems I need to work on my apology, I think.

I found a KB saying that I should only look for Process Monitor events where:

Operation CONTAINS IRP_MJ_READ

See https://kc.mcafee.com/corporate/index?page=content&id=KB50981

But what is McShield.exe doing during the following operations (which are the ones I see in Process Monitor)?

FASTIO_NETWORK_QUERY_OPEN

IRP_MJ_DIRECTORY_CONTROL

IRP_MJ_CREATE

IRP_MJ_CLEANUP

During the 8 minutes I was logging with Process Monitor, McShield was doing 360,000 operations inside the "excluded" directory.

wwarren

Re: Excluding directories OnAccess scan (Me vs The Anti-Virus Team)

For McShield to exclude a file from scanning, it must still access the file to obtain some information about it.

In other words, you'll still see File I/O from McShield touching all your excluded files - but it won't be scanning them.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
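The check described in this thread (apply the KB's filter and count only IRP_MJ_READ operations, rather than every open, query or directory enumeration McShield performs) can be scripted against a Process Monitor CSV export. The script below is an added example, not code from the original thread or from McAfee; the CSV rows are constructed to mirror the operations the poster listed, and the excluded folder `C:\Oracle`, the process name and the column names are assumptions (Process Monitor writes these column headers when you save with "Enable Advanced Output" turned on, which is what makes the operation column show `IRP_MJ_READ` instead of `ReadFile`).

```python
import csv
import io
import sys
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample of a Process Monitor CSV export (File > Save, CSV) with
# advanced output enabled. These rows are illustrative, not a real capture.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
8:00:01.0000001 PM,mcshield.exe,1234,IRP_MJ_CREATE,C:\\Oracle\\bin\\oracle.exe,SUCCESS,Desired Access: Read Attributes
8:00:01.0000002 PM,mcshield.exe,1234,FASTIO_NETWORK_QUERY_OPEN,C:\\Oracle\\bin\\oracle.exe,SUCCESS,
8:00:01.0000003 PM,mcshield.exe,1234,IRP_MJ_CLEANUP,C:\\Oracle\\bin\\oracle.exe,SUCCESS,
8:00:01.0000004 PM,mcshield.exe,1234,IRP_MJ_DIRECTORY_CONTROL,C:\\Oracle\\bin,SUCCESS,Control: QueryDirectory
8:00:02.0000001 PM,mcshield.exe,1234,IRP_MJ_CREATE,C:\\Users\\martin\\Downloads\\setup.exe,SUCCESS,Desired Access: Generic Read
8:00:02.0000002 PM,mcshield.exe,1234,IRP_MJ_READ,C:\\Users\\martin\\Downloads\\setup.exe,SUCCESS,"Offset: 0, Length: 65,536"
8:00:02.0000003 PM,mcshield.exe,1234,IRP_MJ_CLEANUP,C:\\Users\\martin\\Downloads\\setup.exe,SUCCESS,
8:00:03.0000001 PM,explorer.exe,456,IRP_MJ_READ,C:\\Oracle\\bin\\oracle.exe,SUCCESS,"Offset: 0, Length: 4,096"
"""


def load_events(csv_text):
    """Parse a Process Monitor CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def under_folder(path, folder):
    """True if path is folder itself or anything below it.

    Comparison is case-insensitive, as NTFS names are, and is done on path
    components so that C:\\OracleBackup is NOT treated as being under C:\\Oracle.
    """
    p_parts = [part.lower() for part in PureWindowsPath(path).parts]
    f_parts = [part.lower() for part in PureWindowsPath(folder).parts]
    return p_parts[: len(f_parts)] == f_parts


def exclusion_report(events, folder, process="mcshield.exe"):
    """Summarise what the scanner process did inside an excluded folder.

    Only IRP_MJ_READ counts as evidence of scanning (per McAfee KB50981);
    creates, query-opens, cleanups and directory enumeration are the
    metadata access McShield needs in order to decide a file is excluded.
    The report also counts reads outside the folder so that a zero inside
    means "not scanned" rather than "nothing was scanned at all".
    """
    ops_inside = Counter()
    reads_inside = 0
    reads_outside = 0
    for event in events:
        if event["Process Name"].lower() != process.lower():
            continue
        operation = event["Operation"]
        if under_folder(event["Path"], folder):
            ops_inside[operation] += 1
            if "IRP_MJ_READ" in operation:
                reads_inside += 1
        elif "IRP_MJ_READ" in operation:
            reads_outside += 1
    return {
        "ops_inside": dict(ops_inside),
        "reads_inside": reads_inside,
        "reads_outside": reads_outside,
        # Honoured only if the capture proves the scanner did read files
        # elsewhere while never reading inside the excluded folder.
        "exclusion_honoured": reads_inside == 0 and reads_outside > 0,
    }


if __name__ == "__main__":
    # Usage: python procmon_exclusion_check.py [export.csv] [excluded_folder]
    # (file name is hypothetical; with no arguments the constructed sample runs)
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    target = sys.argv[2] if len(sys.argv) > 2 else r"C:\Oracle"
    report = exclusion_report(load_events(text), target)
    for name, count in sorted(report["ops_inside"].items()):
        print(f"{name:28s} {count}")
    print("reads inside excluded folder :", report["reads_inside"])
    print("reads outside excluded folder:", report["reads_outside"])
    print("exclusion honoured           :", report["exclusion_honoured"])
```

On the constructed sample the four operations inside `C:\Oracle` are exactly the ones the poster saw (create, query-open, cleanup, directory control) and none is a read, while the scanner does read `setup.exe` outside the folder, so the exclusion is reported as honoured. Run it against a real export taken over a few minutes of file activity; if `reads_inside` is non-zero, the exclusion is not matching and the path syntax is worth revisiting.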