Hello all - We are migrating from a VMware based environment to Hyper-V, and thus we have a decent amount of exclusions to pay attention to (as seen here). In any case, I'm finding that I'm a little confused about where the exclusions need to go. It looks like in the past, via ePO, I've always managed exclusions through a default OAS policy, so I thought I should possibly make a default OAS policy for these hosts, but then while I'm reading about it, I see a lot about using high and low risk policies and so the whole thing is getting a bit more complicated and all I really want to do is get the exclusions in. Could anyone shed any light on this for me?
Low and high risk processes can be enabled to ensure different scanning settings for processes vs. simple file scanning. For example (process taken from your link):
If you set Vmms.exe under default exclusions then you are merely excluding the file "Vmms.exe" and not the process.
If you however set Vmms.exe as a low risk process then you are saying, you trust this process and you want it to be scanned less. You can take this a step further and disable scanning entirely for low risk processes (or just for read or write actions).
A high risk process on the other hand would be a process you deem as potentially dangerous and that you'd like the scanner to pay particular attention to. Processes listed here are scanned more in depth than regular or low risk processes.
For more detailed information and a fancy video I would defer to this KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB55139
You would need to clarify with the vendor if they mean the process or just the file needs to be excluded. Generally speaking though, the process needs to be excluded. In most cases this means the process needs to be defined as a low risk process and scanning disabled (or limited to scan on read for example).
To narrow the exclusion down, you can set the following (taking this again from the document you shared):
1. Set "vmms.exe" as a low risk process
2. Within the low risk process policy also set a path exclusion for "**\System32\"
What this will do is only exclude vmms.exe from that directory. This leaves less of a security gap in your environment.
Thank you very much for your assistance on this.
So if I am understanding you right, you put only the process name under the low risk processes, and by putting "**\System32\" under the exclusions, it only applies the Low Risk Process entry to what is under System32. A few more questions...
Again, thank you for your assistance - I'm making a lot of progress in my understanding. A couple more clarifications:
Glad it's helping 🙂
1. Up to you. You can either exclude the file type itself or you can create a specific file path exclusion i.e. C:\Test\**.vhd >> this would only exclude .vhd files within that folder
2. System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.
Hi guys,
Just found this thread interesting.
Would I be right in saying then, that if the VSE OAS Low-Risk Processes policy has When writing to disk, When reading from disk, On network drives and Opened for backup unticked, that this would give the processes on the Low-Risk Processes tab free rein over all directories and files on the drive?
Thanks in advance!
Nick
@Nick_B It would only give the low risk processes free rein over any activity if you didn't have any path exclusions defined. If you have path exclusions defined within the low risk processes policy then the listed low risk processes would only be excluded from scanning if executed in those directories.
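To make the two rules in this thread concrete (the low-risk process narrowed by a path exclusion, and the "free rein" case when no path exclusion and no scan actions are set), here is a small model of the on-access decision written for this post. It is constructed example code, not McAfee's, and it assumes VSE-style wildcards where "**" spans directory separators, "*" and "?" stay within one path component, and a pattern ending in a backslash covers the folder and everything below it.

```python
import re
from dataclasses import dataclass, field

def pattern_to_regex(pattern: str):
    """Translate a VSE-style exclusion pattern into a regex (assumed semantics):
    '**' spans directory separators, '*' and '?' stay within one path component,
    and a pattern ending in '\\' is a folder prefix that covers everything below it."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] in "*?":
            out.append(r"[^\\]*" if pattern[i] == "*" else r"[^\\]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    if pattern.endswith("\\"):
        out.append(".*")
    return re.compile("".join(out), re.IGNORECASE)

def path_matches(patterns, path: str) -> bool:
    return any(pattern_to_regex(p).fullmatch(path) for p in patterns)

@dataclass
class LowRiskPolicy:
    processes: set                       # image names, e.g. {"Vmms.exe"}
    path_exclusions: list = field(default_factory=list)   # narrows where they apply
    scan_on_write: bool = False          # "When writing to disk" checkbox
    scan_on_read: bool = True            # "When reading from disk" checkbox

def is_low_risk(policy: LowRiskPolicy, image_path: str) -> bool:
    """A process earns low-risk treatment by image name and, when the low-risk
    policy carries path exclusions, only when its image lives under one of them."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    if name not in {p.lower() for p in policy.processes}:
        return False
    return not policy.path_exclusions or path_matches(policy.path_exclusions, image_path)

def scan_required(policy: LowRiskPolicy, image_path: str, action: str) -> bool:
    """Does OAS scan a 'read' or 'write' performed by this process? Processes that
    are not low risk fall back to the default policy and are always scanned here."""
    if not is_low_risk(policy, image_path):
        return True
    return policy.scan_on_write if action == "write" else policy.scan_on_read

def file_excluded(default_exclusions, file_path: str) -> bool:
    """Default-policy exclusions match the file being accessed, not the process
    accessing it: excluding Vmms.exe here does nothing for the VHDs it writes."""
    return path_matches(default_exclusions, file_path)
```

A copy of vmms.exe dropped outside System32 stays fully scanned under the narrowed policy, which is the gap the path exclusion closes; remove the path exclusion and untick both actions and the same copy is never scanned anywhere.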