
File names excluded from On-Demand scanning still get scanned when inside zip file.

Hi all,

Does anyone else encounter the following problem?

I would like to put an exclusion on a specific file name, to avoid it being scanned during on-demand scans. However, the exclusion seems to be ignored if the excluded filename is located within a zip file.

I tested the following:

- logged on to a machine
- created a dummy infected file C:\temp\infected.txt, containing the Eicar string (it actually also works with any real infection)
- zipped the file into "archive.zip"
- clicked Start > Programs > McAfee > On-Demand Scan
  - "Scan Locations" tab: c:\temp\
  - "Scan Items" tab: checked "Scan inside archives (e.g. .ZIP)"
  - "Exclusions" tab: Exclusion by name: added "infected.txt"
  - "Reports" tab: checked "Session settings"
- clicked "Start" to run the scan task

VirusScan would then report an infected file named "infected.txt", located in "archive.zip" (although "infected.txt" is supposed to be excluded from scanning).

If I review the log file (%VSEDEFLOGDIR%\OnDemandScanLog.txt), I can see that the exclusion on files named "infected.txt" was taken into account for this scan task, but that the file has still been reported as infected.

Is this the normal behaviour of exclusions in VSE 8.7? Or did I miss something?

Thanks in advance,

Michael

Level 11
Message 2 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

I too have just noticed this issue in another situation.

Using VSE 8.8, adding an exclusion to the On-Access Scanner works, but for On Demand scans, exclusions are not working for the memory scan.

Example:

Safe.File.misdetected.as.a.virus.exe

Exclusions were added by file name and path both in the On Demand and On Access scanners.

Starting the program, "Safe.File.misdetected.as.a.virus.exe" works fine and the On Access scanner allows it to run.

Safe.File.misdetected.as.a.virus.exe is running in memory.

On Demand scan takes place and detects the program in memory and deletes "Safe.File.misdetected.as.a.virus.exe" without honoring the exclusion.

Message was edited by: Mark (secured2k) (Quarantine manager took time to update list). on 2/4/11 5:25:44 PM EST

McAfee Employee
Message 3 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

On Demand scan takes place and detects the program in memory and deletes "Safe.File.misdetected.as.a.virus.exe" without honoring the exclusion.


This is also expected behavior.

Exclusions do not apply to memory scans.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Level 11
Message 4 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

While this may be an expected behavior; I must ask why when the admin is explicitly trying to stop a detection issue.

McAfee Employee
Message 5 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

While this may be an expected behavior; I must ask why when the admin is explicitly trying to stop a detection issue.


Sorry. Definitely room there for feature enhancements.

Only options that come to mind are -

- not doing memory scans until the detection issue is solved.

- using a DAT that doesn't have the detection

- rolling out a negative extra.dat to negate the "driver" from the DAT that's detecting it

The latter option will require contacting McAfee Support and providing a sample of the file.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Level 11
Message 6 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

Thanks William,

I know about the workaround options but this specific issue came as a surprise after programs were disappearing. I thought I could just stop the detection on my own rather than wait for the extra DAT or updated DAT.

I would like to know if you could forward a request for future enhancement to the Dev team, 'cause that would be great!

McAfee Employee
Message 7 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

Hi Mark,

I know this particular request is actually already in our system.

Having your voice express the same desire will be beneficial to its cause -

https://secure.mcafee.com/apps/downloads/products/products-enhancement-request.aspx?region=us

Cheers

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

McAfee Employee
Message 8 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

Is this the normal behaviour of exclusions in VSE 8.7? Or did I miss something?

It's normal behavior.

The exclusion doesn't match what is being scanned, because the object being scanned is actually "[archiveName]\filename", not just "filename"

e.g. if test.zip contains me.exe, the archive scan will see the file object as test.zip\me.exe, not me.exe.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
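
An audit sketch for the behavior described above (an added example, not McAfee code and not part of the original thread): it lists archive members whose file name matches a name exclusion, written in the `archive.zip\member` form the reply describes, so an admin can see which archives will still raise detections despite the exclusion. The function names, the use of Python `fnmatch` wildcards, the size limit and the sample archive are assumptions constructed for illustration.

```python
import fnmatch
import io
import zipfile

MAX_NESTED_BYTES = 50 * 1024 * 1024  # assumed cap: do not unpack huge nested archives

def find_excluded_names_in_zip(data, archive_name, patterns, max_depth=3):
    """Return composite object names (archive\\member) whose member file name
    matches one of the name-exclusion patterns. Nested zips are followed."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable zip: nothing to report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            composite = archive_name + "\\" + info.filename.replace("/", "\\")
            base = info.filename.rsplit("/", 1)[-1].lower()
            if any(fnmatch.fnmatch(base, p.lower()) for p in patterns):
                hits.append(composite)
            nested = base.endswith(".zip") and max_depth > 0
            if nested and info.file_size <= MAX_NESTED_BYTES:
                hits += find_excluded_names_in_zip(
                    zf.read(info), composite, patterns, max_depth - 1)
    return hits

def build_sample():
    """Constructed sample: archive.zip with a nested inner.zip (harmless content)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/infected.txt", "placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("infected.txt", "placeholder")
        z.writestr("notes.txt", "placeholder")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    for name in find_excluded_names_in_zip(sample, "archive.zip", ["infected.txt"]):
        print(name)
```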

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

wwarren wrote:

Is this the normal behaviour of exclusions in VSE 8.7? Or did I miss something?

It's normal behavior.

The exclusion doesn't match what is being scanned, because the object being scanned is actually "[archiveName]\filename", not just "filename"

e.g. if test.zip contains me.exe, the archive scan will see the file object as test.zip\me.exe, not me.exe.

Thanks William.

Do you know whether the exclusion syntax allows specifying filename exclusions within an archive?

I tried using the syntax "test.zip\me.exe" and "*.zip\me.exe", but it does not work.

McAfee Employee
Message 10 of 11

Re: File names excluded from On-Demand scanning still get scanned when inside zip file.

Do you know whether the exclusion syntax allows specifying filename exclusions within an archive?

I tried using the syntax "test.zip\me.exe" and "*.zip\me.exe", but it does not work.

As far as I know the pattern matching exclusion code does not cater to this (good enhancement request, though I'm sure it'll make archive scanning slower than it already is).

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
