cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Exclusions by file type with VSE and Threat Prevention

Jump to solution

Hi All,

A really stupid question but just want to clarify it, when adding exclusions on EPO there are different ways of adding specific files. What is the best process for adding specific files to EPO for VSE and Threat Prevention?

 

Example 1 : just add the file name as an exclusion batchfile.exe

Example 2 : **\batchfile.exe

Example 3 : C:\folder1\batchfile.exe

 

I presume all are acceptable ways of doing it, or does one option cause performance issues using either VSE or Threat Prevention?

Regards

Labels (1)
2 Solutions

Accepted Solutions
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 3 of 5

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

I don't know if you are aware of this KB - but just to make note of it here. Here is the article which speaks about using wildcards within your OAS exclusions: https://kc.mcafee.com/corporate/index?page=content&id=KB54812

And also this one - understanding high/ low risk process configuration, is very useful:
https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Processes should be defined as low or high risk processes depending on if you are excluding them or if you are wanting them to be scanned more frequently.
By adding a .exe file to the default exclusion list, you would merely be excluding the file from scanning - not the actual process.

System Environmental Variables such as %SystemRoot% can be used in exclusions.
User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
McAfee Employee akatt
McAfee Employee
Report Inappropriate Content
Message 5 of 5

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

Depending on how the exclusion is added, there are differences in how the exclusions are handled.

For example, entering an exclusion as a file-type exclusion, using the file-type option, allows the Anti-virus filter driver in the kernel to ignore the file-type, so McShield in user-mode never gets asked to check/scan the file.

If we enter the same type of exclusion as a file/folder exclusion, let's say by entering *.txt as the file/folder exclusion, then the files are still passed to McShield in user-mode, which then checks its exclusion list, and then determines that the files should be excluded.

In this scenario, if we are sure that we never want to scan a specific file-type, it is best to enter the exclusion as a file-type exclusion.

This same behavior (with the filter driver not asking McShield to check the files), occurs when using the low-risk processes policy to define a process as low-risk, and when also unchecking the scan on read/write options.  The filter driver is "intelligent" enough in these scenarios, to ignore the requests, so that McShield doesn't have to do the check.

In terms of the syntax there are differences in how much effort McShield has to endure, in order to properly honor the different methods of entering a file/folder exclusion, with the wild-card usage incurring the most impact.  That being said, the opertaions as so quick that they shouldn't be noticeable from a user perspective.  In terms of work incurred, from highest to lowest, it would be:

**\example.txt
C:\<path>\example.txt
example.txt 

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

 

4 Replies

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution
Also will EPO accept exclusions with percentage symbols in them?
Example %alluserprofiles%\programdata\
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 3 of 5

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

I don't know if you are aware of this KB - but just to make note of it here. Here is the article which speaks about using wildcards within your OAS exclusions: https://kc.mcafee.com/corporate/index?page=content&id=KB54812

And also this one - understanding high/ low risk process configuration, is very useful:
https://kc.mcafee.com/corporate/index?page=content&id=KB55139


Processes should be defined as low or high risk processes depending on if you are excluding them or if you are wanting them to be scanned more frequently.
By adding a .exe file to the default exclusion list, you would merely be excluding the file from scanning - not the actual process.

System Environmental Variables such as %SystemRoot% can be used in exclusions.
User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reliable Contributor vnaidu
Reliable Contributor
Report Inappropriate Content
Message 4 of 5

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

@fattonymaximus 

I would like you to follow the KB article to understand the wildcard exclusions by following the KB54812.

In addition to this, you would like to Determine which risk applies to each process using these guidelines:

Low-risk — Processes with less possibility of spreading or introducing a potential
threat. These can be processes that access many files, but in a way that has a
lower risk of spreading potential threats. For example:Backup software Compiling processes

High-risk — Processes with a greater possibility of spreading or introducing a
potential threat. For example:
Processes that launch other processes, such as Microsoft Windows Explorer or
the command prompt.
Processes that execute scripts or macros, such as WINWORD or CSCRIPT.
Processes used for downloading from the internet, such as browsers, instant
messengers, or mail clients.

Default — Any process not defined as low-risk or high-risk.

 

Cheers!!!!!!!

Venu
McAfee Employee akatt
McAfee Employee
Report Inappropriate Content
Message 5 of 5

Re: Exclusions by file type with VSE and Threat Prevention

Jump to solution

Depending on how the exclusion is added, there are differences in how the exclusions are handled.

For example, entering an exclusion as a file-type exclusion, using the file-type option, allows the Anti-virus filter driver in the kernel to ignore the file-type, so McShield in user-mode never gets asked to check/scan the file.

If we enter the same type of exclusion as a file/folder exclusion, let's say by entering *.txt as the file/folder exclusion, then the files are still passed to McShield in user-mode, which then checks its exclusion list, and then determines that the files should be excluded.

In this scenario, if we are sure that we never want to scan a specific file-type, it is best to enter the exclusion as a file-type exclusion.

This same behavior (with the filter driver not asking McShield to check the files), occurs when using the low-risk processes policy to define a process as low-risk, and when also unchecking the scan on read/write options.  The filter driver is "intelligent" enough in these scenarios, to ignore the requests, so that McShield doesn't have to do the check.

In terms of the syntax there are differences in how much effort McShield has to endure, in order to properly honor the different methods of entering a file/folder exclusion, with the wild-card usage incurring the most impact.  That being said, the opertaions as so quick that they shouldn't be noticeable from a user perspective.  In terms of work incurred, from highest to lowest, it would be:

**\example.txt
C:\<path>\example.txt
example.txt 

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

 

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community