
Hyper-V host Exclusions

Hello all - We are migrating from a VMWare based environment to Hyper-V, and thus we have a decent amount of exclusions to pay attention to (as seen here).  In any case, I'm finding that I'm a little confused about where the exlusions need to go.  It looks like in the past, via ePO, I've always managed exclusions through a default OAS policy, so I thought I should possibly make a default OAS policy for these hosts, but then while I'm reading about it, I see a lot about using high and low risk policies and so the whole thing is getting a bit more complicated and all I really want to do is get the exclusions in.  Could anyone shed any light on this for me?


Accepted Solutions
chealey (McAfee Employee), Message 2 of 12

Re: Hyper-V host Exclusions

Low- and high-risk processes can be enabled to ensure different scanning settings for processes vs. simple file scanning. For example (process taken from your link):
If you set Vmms.exe under default exclusions then you are merely excluding the file "Vmms.exe" and not the process.

If you however set Vmms.exe as a low risk process then you are saying, you trust this process and you want it to be scanned less. You can take this a step further and disable scanning entirely for low risk processes (or just for read or write actions).

A high risk process on the other hand would be a process you deem as potentially dangerous and that you'd like the scanner to pay particular attention to. Processes listed here are scanned more in depth than regular or low risk processes.

For more detailed information and a fancy video I would defer to this KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: Hyper-V host Exclusions

Okay - so various vendors have a list of AV exclusions, with this being one of them, and obviously their exclusion lists are not specific to any particular AV vendor. But based on the link that I sent with the Microsoft recommendations, it sounds like those processes should be excluded, not necessarily only marked as low risk, correct?

But it sounds like you are saying even that should be done under "On-Access Low-Risk Processes Policies"?

What then about the directories? Should those be excluded under the default policy, or does it really matter in their case?
chealey (McAfee Employee), Message 4 of 12

Re: Hyper-V host Exclusions

You would need to clarify with the vendor if they mean the process or just the file needs to be excluded. Generally speaking though, the process needs to be excluded. In most cases this means the process needs to be defined as a low risk process and scanning disabled (or limited to scan on read for example).

To narrow the exclusion down, you can set the following (taking this again from the document you shared):

  • Vmms.exe (%systemroot%\System32\Vmms.exe)
    Note This file may have to be configured as a process exclusion within the antivirus software.

1. Set "vmms.exe" as a low risk process
2. Within the low risk process policy also set a path exclusion for "**\System32\"

What this will do is only exclude vmms.exe from that directory. This leaves less of a security gap in your environment.


Re: Hyper-V host Exclusions

Thank you very much for your assistance on this.

So if I am understanding you right, you put only the process name under the low risk processes, and by putting "**\System32\" under the exclusions, it only applies the Low Risk Process entry to what is under System32.  A few more questions...

  1. When I enter **\System32\ it doesn't look like in this case I would include any subpaths, correct?  I believe I'm starting to understand what you are saying about the processes.  
  2. What about the section above about excluding the directories with those files types (vhd, vhdx, etc)?  Would I just need to find where those files are in my environment and exclude them in the default policy?
  3. Also, is it recommended that I create a separate low risk policy for just these hosts?  I have 3 hyper-v hosts, I want to make sure I'm setting this up the best way.
chealey (McAfee Employee), Message 6 of 12

Re: Hyper-V host Exclusions

So if I am understanding you right, you put only the process name under the low risk processes, and by putting "**\System32\" under the exclusions, it only applies the Low Risk Process entry to what is under System32. A few more questions...

>> Yes, putting "**\System32\" under the path exclusions within the low risk process policy will restrict the exclusion (the definition of the processes listed) to those specific paths.

To your other questions:
1. You can select to incl. subpaths when you enter the exclusion within the policy, or otherwise you can use **\System32\**
2. Regular directory exclusions and file type exclusions would be added in the default processes policy
3. Yes, it is best practice to create specific policies for different server roles. This way you are limiting the amount of exclusions and therefore potential security gaps you have in your environment. Apply the practice of least privilege > only apply what's needed

Re: Hyper-V host Exclusions

Again, thank you for your assistance - I'm making a lot of progress in my understanding.  A couple more clarifications:

  1. On those file type listings, it mentions all directories that contain them (for example for vhd, vhdx, avhd) ...but I may not know what those directories are, so do I just exclude those file types in my default OA policy?
  2. Does ePO recognize system variables, such as %ProgramData% which is listed in the exclusions document, or do I need to put in the literal path?
chealey (McAfee Employee), Message 8 of 12

Re: Hyper-V host Exclusions

Glad it's helping 🙂

1.  Up to you. You can either exclude the file type itself or you can create a specific file path exclusion i.e. C:\Test\**.vhd >> this would only exclude .vhd files within that folder

2. System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.

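To make the decisions in chealey's replies (Messages 2, 4, 6 and 8) concrete, here is an added Python model of how the pieces compose. It is not McAfee code and not from anyone in the thread: it encodes only what the replies state (a default-policy file exclusion of Vmms.exe covers the file, not the process; a low-risk process is scoped by the path exclusions in the low-risk policy; "**\System32\" means that folder only while "**\System32\**" includes subpaths; file-type exclusions live in the default policy; %SystemRoot% expands but %UserProfile% cannot because the scanner runs as Local System). The list of per-user variables beyond %UserProfile%, the sample paths and the environment are constructed for the example.

```python
"""Toy model of how VSE on-access (OAS) exclusions from the thread compose.

Illustrative code added to the thread, not McAfee's scanner logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption: per-user variables a Local System scanner cannot resolve.
# The thread names only %UserProfile%; the rest are common per-user names.
USER_SCOPED_VARS = {"userprofile", "appdata", "localappdata", "temp", "tmp",
                    "username", "homepath", "homedrive"}


def expand_system_vars(path: str, env: dict[str, str]) -> str:
    """Expand %VAR% tokens from system scope; refuse per-user variables."""
    lookup = {k.lower(): v for k, v in env.items()}

    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name.lower() in USER_SCOPED_VARS:
            raise ValueError(f"%{name}% is per-user; OAS runs as Local System")
        if name.lower() not in lookup:
            raise KeyError(f"%{name}% is not defined at system scope")
        return lookup[name.lower()]

    return re.sub(r"%([^%]+)%", repl, path)


def _norm(p: str) -> str:
    """Case-insensitive, forward-slash form for matching."""
    return p.replace("\\", "/").lower()


def _glob(pattern: str) -> re.Pattern:
    """'**' spans any number of folders; '*' stays inside one component."""
    pat, out, i = _norm(pattern), "^", 0
    while i < len(pat):
        if pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile(out + "$")


def _matches(pattern: str, path: str) -> bool:
    return _glob(pattern).match(_norm(path)) is not None


@dataclass
class OasPolicy:
    # Default processes policy: what is not scanned, whoever touches it.
    file_exclusions: list[str] = field(default_factory=list)
    type_exclusions: set[str] = field(default_factory=set)     # no leading dot
    # Low-risk processes policy: who gets reduced scanning, and from where.
    low_risk_processes: set[str] = field(default_factory=set)  # image names
    low_risk_paths: list[str] = field(default_factory=list)    # scope patterns
    low_risk_scan_on_read: bool = False
    low_risk_scan_on_write: bool = False


def would_scan(policy: OasPolicy, process_path: str, target: str,
               op: str) -> tuple[bool, str]:
    """Decide whether OAS scans `target` when `process_path` does `op`."""
    proc_dir, _, proc_name = _norm(process_path).rpartition("/")
    proc_dir += "/"  # trailing slash so "**\System32\" matches the folder itself
    if proc_name in {p.lower() for p in policy.low_risk_processes}:
        # No path exclusions in the low-risk policy means the name alone counts.
        in_scope = not policy.low_risk_paths or any(
            _matches(p, proc_dir) for p in policy.low_risk_paths)
        if in_scope:
            scan = (policy.low_risk_scan_on_read if op == "read"
                    else policy.low_risk_scan_on_write)
            if not scan:
                return False, f"{proc_name} is low-risk here and {op} scanning is off"
    name = _norm(target).rpartition("/")[2]
    ext = name.rpartition(".")[2] if "." in name else ""
    if ext in {e.lower() for e in policy.type_exclusions}:
        return False, f".{ext} is an excluded file type"
    for pat in policy.file_exclusions:
        if _matches(pat, target):
            return False, f"target matches exclusion {pat}"
    return True, "scanned under the default processes policy"


if __name__ == "__main__":
    env = {"SystemRoot": "C:\\Windows"}  # constructed system environment
    vmms = expand_system_vars("%SystemRoot%\\System32\\Vmms.exe", env)
    scoped = OasPolicy(type_exclusions={"vhd", "vhdx", "avhd"},
                       low_risk_processes={"vmms.exe"},
                       low_risk_paths=["**\\System32\\"])
    file_only = OasPolicy(file_exclusions=["**\\Vmms.exe"])
    for pol, proc, tgt in [
        (scoped, vmms, "C:\\VMs\\vm1\\config.xml"),            # low-risk, skipped
        (scoped, "C:\\Temp\\vmms.exe", "C:\\VMs\\vm1\\config.xml"),  # wrong folder
        (scoped, "C:\\Windows\\notepad.exe", "C:\\VMs\\vm1\\disk.vhdx"),  # type excluded
        (file_only, vmms, "C:\\VMs\\vm1\\config.xml"),         # file exclusion only
    ]:
        print(proc, "->", tgt, would_scan(pol, proc, tgt, "write"))
```

The two policies in the demo are the two readings the thread contrasts: `file_only` is what a Vmms.exe entry in the default policy buys you (the file is skipped when something else reads it, but Vmms.exe's own writes are still scanned), while `scoped` is the low-risk-process setup from Message 4, which stops scanning Vmms.exe's activity only when the image runs from System32.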
Nick_B (Level 10), Message 9 of 12

Re: Hyper-V host Exclusions

Hi guys,

Just found this thread interesting.

Would I be right in saying then, that if the VSE OAS Low-Risk Processes policy has When writing to disk, When reading from disk, On network drives and Opened for backup unticked, that this would give the processes on the Low-Risk Processes tab free rein over all directories and files on the drive?

Thanks in advance!

Nick 

chealey (McAfee Employee), Message 10 of 12

Re: Hyper-V host Exclusions

@Nick_B It would only give the low risk processes free rein over any activity if you didn't have any path exclusions defined. If you have path exclusions defined within the low risk processes policy then the listed low risk processes would only be excluded from scanning if executed in those directories.
