cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jwoodmls
Level 9
Report Inappropriate Content
Message 1 of 12
‎04-16-2019 07:39 AM

Hyper-V host Exclusions

Jump to solution

Hello all - We are migrating from a VMWare based environment to Hyper-V, and thus we have a decent amount of exclusions to pay attention to (as seen here).  In any case, I'm finding that I'm a little confused about where the exlusions need to go.  It looks like in the past, via ePO, I've always managed exclusions through a default OAS policy, so I thought I should possibly make a default OAS policy for these hosts, but then while I'm reading about it, I see a lot about using high and low risk policies and so the whole thing is getting a bit more complicated and all I really want to do is get the exclusions in.  Could anyone shed any light on this for me?

 

 

0 Kudos
Reply
1 Solution

Accepted Solutions
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 12
‎04-16-2019 07:45 AM

Re: Hyper-V host Exclusions

Jump to solution

Low and high risk process can be enabled to ensure different scanning setting for processes vs. simple file scanning. For example (process taken from your link):
If you set Vmms.exe under default exclusions then you are merely excluding the file "Vmms.exe" and not the process.

If you however set Vmms.exe as a low risk process then you are saying, you trust this process and you want it to be scanned less. You can take this a step further and disable scanning entirely for low risk processes (or just for read or write actions).

A high risk process on the other hand would be a process you deem as potentially dangerous and that you'd like the scanner to pay particular attention to. Processes listed here are scanned more in depth than regular or low risk processes.

For more detailed information and a fancy video I would defer to this KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

0 Kudos
Reply
11 Replies
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 12
‎04-16-2019 07:45 AM

Re: Hyper-V host Exclusions

Jump to solution

Low and high risk process can be enabled to ensure different scanning setting for processes vs. simple file scanning. For example (process taken from your link):
If you set Vmms.exe under default exclusions then you are merely excluding the file "Vmms.exe" and not the process.

If you however set Vmms.exe as a low risk process then you are saying, you trust this process and you want it to be scanned less. You can take this a step further and disable scanning entirely for low risk processes (or just for read or write actions).

A high risk process on the other hand would be a process you deem as potentially dangerous and that you'd like the scanner to pay particular attention to. Processes listed here are scanned more in depth than regular or low risk processes.

For more detailed information and a fancy video I would defer to this KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB55139

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

0 Kudos
Reply
jwoodmls
Level 9
Report Inappropriate Content
Message 3 of 12
‎04-16-2019 08:14 AM

Re: Hyper-V host Exclusions

Jump to solution
Okay - so various vendors have a list of AV exclusions, with this being one of them, and obviously their exclusions list are not specific to any particular vendor. But based on the link that I sent with the Microsoft recommendations, then it sounds like those processes should be excluded, not necessarily only marked as low risk correct?

But it sounds like you are saying even that should be done under "On-Access Low-Risk Processes Policies"?

What then about the directories? Should those be excluded under the default policy, or does it really matter in their case?
0 Kudos
Reply
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 12
‎04-16-2019 08:19 AM

Re: Hyper-V host Exclusions

Jump to solution

You would need to clarify with the vendor if they mean the process or just the file needs to be excluded. Generally speaking though, the process needs to be excluded. In most cases this means the process needs to be defined as a low risk process and scanning disabled (or limited to scan on read for example).

To narrow the exclusion down, you can set the following (taking this again from the document you shared):

  • Vmms.exe (%systemroot%\System32\Vmms.exe)
    Note This file may have to be configured as a process exclusion within the antivirus software.

1. Set "vmms,exe" as a low risk process
2. Within the low risk process policy also set a path exclusion for "**\System32\"

What this will do is only exclude vmms.exe from that directory. This leaves less of a security gap in your environment.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
0 Kudos
Reply
jwoodmls
Level 9
Report Inappropriate Content
Message 5 of 12
‎04-16-2019 10:54 AM

Re: Hyper-V host Exclusions

Jump to solution

Thank you very much for your assistance on this.

So if I am understanding you right, you put only the process name under the low risk processes, and by putting "**\System32\" under the exclusions, it only applies the Low Risk Process entry to what is under System32.  A few more questions...

  1. When I enter **\System32\ it doesn't look like in this case I would include any subpaths, correct?  I believe I'm starting to understand what you are saying about the processes.  
  2. What about the section above about excluding the directories with those files types (vhd, vhdx, etc)?  Would I just need to find where those files are in my environment and exclude them in the default policy?
  3. Also, is it recommended that I create a separate low risk policy for just these hosts?  I have 3 hyper-v hosts, I want to make sure I'm setting this up the best way.
0 Kudos
Reply
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 12
‎04-17-2019 12:22 AM

Re: Hyper-V host Exclusions

Jump to solution
So if I am understanding you right, you put only the process name under the low risk processes, and by putting "**\System32\" under the exclusions, it only applies the Low Risk Process entry to what is under System32. A few more questions...

>> Yes, by putting "**\System32\" under the path exclusions within the low risk process policy will restrict the exclusion/ the definition of the processes listed to those specific paths.

To your other questions:
1. You can select to incl. subpaths when you enter the exclusion within the policy or otherwise you can you **\System32\**
2. Regular directory exclusions and file type exclusions would be added in the default processes policy
3. Yes, it is best practice to create specific policies for different server roles. This way you are limiting the amount of exclusions and therefore potential security gaps you have in your environment. Apply the practice of least privileges > only apply what's needed
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
0 Kudos
Reply
jwoodmls
Level 9
Report Inappropriate Content
Message 7 of 12
‎04-17-2019 06:55 AM

Re: Hyper-V host Exclusions

Jump to solution

Again, thank you for your assistance - I'm making a lot of progress in my understanding.  A couple more clarifications:

 

  1. On on those file type listings, it mentions all directories that contain them (for example for vhd, vhdx, avhd) ...but I may not know what those directories are, so do I just exclude those file types in my default OA policy?
  2. Does ePO recognize system variables, such as %ProgramData% which is listed in the exclusions document, or do I need to put in the literal path?
0 Kudos
Reply
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 12
‎04-17-2019 07:04 AM

Re: Hyper-V host Exclusions

Jump to solution

Glad it's helping 🙂

1.  Up to you. You can either exclude the file type itself or you can create a specific file path exclusion i.e. C:\Test\**.vhd >> this would only exclude .vhd files within that folder

2. System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot be used, because the on‑access scanner runs under the Windows Local System account.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
0 Kudos
Reply
Nick_B
Level 11
Report Inappropriate Content
Message 9 of 12
‎04-29-2019 04:26 AM

Re: Hyper-V host Exclusions

Jump to solution

Hi guys,

Just found this thread interesting.

Would I be right in saying then, that if the VSE OAS Low-Risk Processes policy has When writing to disk, When reading from disk, On network drives and Opened for backup unticked, that this would give the processes on the Low-Risk Processes tab free rein over all directories and files on the drive?

Thanks in advance!

Nick 

0 Kudos
Reply
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 12
‎04-29-2019 04:30 AM

Re: Hyper-V host Exclusions

Jump to solution

@Nick_B It would only give the low risk processes free rein over any activity if you didn't have any path exclusions defined. If you have path exclusions defined within the low risk processes policy then the listed low risk processes would only be excluded from scanning if executed in those directories.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC