kjhurni
Level 9
Message 1 of 11

How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

We manage VSE 8.8.x with EPO.

We just switched our email system to O365 and are using the Outlook 2013 client.  MS has a list of files and directories we need to exclude from all AV scans.

Unfortunately they are all in the %userprofile% directory.

I was going to put these into the Exclusions in EPO, but I see McAfee KB https://kc.mcafee.com/corporate/index?page=content&id=KB54812 says that you cannot use the variable %userprofile% because McShield runs in system and not user space.

Any idea on how to use the system variable in an exclusion then?

--Kevin

1 Solution

Accepted Solutions
wwarren
Level 15
Message 2 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

You can use pattern matching instead, i.e. via wildcard instead of variable.

e.g.

**\Users\*\Folder2Exclude\

Or

**\Documents & Settings\*\Folder2Exclude\

Throw Eicar test virus into the folder to validate the exclusion is working.

Also, consider having the exclusions made for the Low Risk profile only; and add the process that's touching this folder structure to the Low Risk profile process list.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
kjhurni
Level 9
Message 3 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

Thanks, I thought I saw something somewhere via Google that indicated you could use:

c:\users\userprofile\something

and that McAfee would interpret "userprofile" to be the actual user profile?

Interesting that we have other software that runs as "system" in the "system" space and it has no trouble accessing the %userprofile% variables.

Unfortunately the MS technet article doesn't list their processes, only the files that need to be excluded.

http://technet.microsoft.com/en-us/library/dn769141%28v=office.15%29.aspx

I couldn't find anything on the McAfee KB that had suggestions for Outlook either.  I see things for Windows SERVERS that are running Exchange, but that's different.

yans112
Level 7
Message 4 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

Yes, kjhurni. We are also following the same.

epository
Level 10
Message 5 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

McAfee KnowledgeBase - How to manage file and folder exclusions in VirusScan Enterprise 8.x

Using wildcards can be a bit tricky, so please reference the above.

kjhurni
Level 9
Message 6 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

I must be doing something wrong.

I set up an exclusion in the Default Processes (although we use High/Low risk as well).

c:\Users\*\AppData\Roaming\Microsoft\Outlook\*.srs

I have verified that my VSE has the above exclusions.

I then copied the eicar file (but it was named as: eicar.srs) to the above directory and it did scan it.

It was my understanding (perhaps incorrectly) that if you also used high/low risk processes, that anything NOT in high/low risk fell under the "default processes" set?

--Kevin

wwarren
Level 15
Message 7 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

kjhurni wrote:

...

I then copied the eicar file (but it was named as: eicar.srs) to the above directory and it did scan it.

It was my understanding (perhaps incorrectly) that if you also used high/low risk processes, that anything NOT in high/low risk fell under the "default processes" set?

--Kevin

Hi Kevin,

When you use High/Low/Default profiles, it's critical to be mindful of "What process is touching the file". Because, that is the process we will "look up" and see what profile it's in, then apply that profile's scanning configuration to the file operation.

When you say you copied the eicar file, do you mean "drag and drop" into the excluded folder? Because, EXPLORER.EXE will be the process touching the file... a high risk process, thus the action will be scanned.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
kjhurni
Level 9
Message 8 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

Thanks


wwarren wrote:

kjhurni wrote:

...

I then copied the eicar file (but it was named as: eicar.srs) to the above directory and it did scan it.

It was my understanding (perhaps incorrectly) that if you also used high/low risk processes, that anything NOT in high/low risk fell under the "default processes" set?

--Kevin

Hi Kevin,

When you use High/Low/Default profiles, it's critical to be mindful of "What process is touching the file". Because, that is the process we will "look up" and see what profile it's in, then apply that profile's scanning configuration to the file operation.

When you say you copied the eicar file, do you mean "drag and drop" into the excluded folder? Because, EXPLORER.EXE will be the process touching the file... a high risk process, thus the action will be scanned.

Thanks for that info, I forgot that explorer.exe is in the High Risk category.

Since MS doesn't list what processes actually use their own files that they say to exclude, and since McAfee has nothing documented either, how would I go about testing the wildcard exclusions as you had originally suggested?

wwarren
Level 15
Message 9 of 11

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

You could remove Explorer.exe from the High Risk profile.

Apply the change (wait ~30 seconds for the change to apply)

Do the test; e.g. Rt-Click "Properties" on the file.

--> No detection should occur, because Explorer.exe falls under your "Default" profile which has the exclusion.

Undo the change by adding Explorer.exe back to high risk.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
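
Added example (not from the thread and not McAfee's code): a small Python model of the per-process profile lookup and the test procedure described above, showing why an exclusion set only on the Default profile is ignored when Explorer.exe touches the file. The wildcard semantics (`**` spans folder levels, `*` stays within one level, `?` is one character), the user name in the sample path and the policy layout are assumptions; the policy is constructed to mirror Kevin's setup.

```python
import re

def exclusion_to_regex(pattern):
    # Assumed wildcard semantics: '**' spans folder levels, '*' stays inside
    # one level, '?' is one character; a trailing '\' excludes the folder's contents.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    if pattern.endswith("\\"):
        out.append(".*")
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

def profile_for(process, policy):
    # The process touching the file selects the profile; anything not listed
    # as high or low risk falls through to "default".
    name = process.lower()
    for profile in ("high", "low"):
        if name in policy[profile]["processes"]:
            return profile
    return "default"

def is_scanned(process, path, policy):
    # Only the selected profile's exclusions are consulted.
    exclusions = policy[profile_for(process, policy)]["exclusions"]
    return not any(exclusion_to_regex(p).match(path) for p in exclusions)

# Constructed policy mirroring the thread: exclusion set on Default only.
POLICY = {
    "high": {"processes": {"explorer.exe"}, "exclusions": []},
    "low": {"processes": set(), "exclusions": []},
    "default": {"processes": set(),
                "exclusions": [r"c:\Users\*\AppData\Roaming\Microsoft\Outlook\*.srs"]},
}
TEST_FILE = r"C:\Users\kevin\AppData\Roaming\Microsoft\Outlook\eicar.srs"  # constructed path

if __name__ == "__main__":
    print(is_scanned("EXPLORER.EXE", TEST_FILE, POLICY))  # True: high risk profile, scanned
    POLICY["high"]["processes"].discard("explorer.exe")   # temporary test change
    print(is_scanned("EXPLORER.EXE", TEST_FILE, POLICY))  # False: default profile, excluded
```
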

Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

wwarren wrote:

You could remove Explorer.exe from the High Risk profile.

Apply the change (wait ~30 seconds for the change to apply)

Do the test; e.g. Rt-Click "Properties" on the file.

--> No detection should occur, because Explorer.exe falls under your "Default" profile which has the exclusion.

Undo the change by adding Explorer.exe back to high risk.

Thanks, that worked.  Just an FYI in case anyone else is following, we are *still* waiting for Microsoft to tell us what processes use those files for Outlook (yeah, we could use process explorer or whatever to figure it out, but since we're paying MS millions of dollars for O365, I'm going to make them do their work instead of me doing their work for them).