
VSE On Access Scanner Default + Additional File Types


Hi,

when using this scanning method:

image.png

 

by default these file types are scanned:


??_
{??
00?
386
3GR
ACE
ACM
ADE
ADP
ADT
AP?
ARC
ARJ
ASA
ASD
ASP
AU3
AX?
B64
BA?
BIN
BMP
BO?
BZ?
CAB
CC?
CDR
CDX
CEO
CGI
CHM
CLA
CMD
CNV
CO?
COM
CPL
CPT
CPY
CRT
CSC
CSS
CSV
D?B
DAT
DEV
DIF
DL?
DO?
DOC
DOT
DQY
DRV
EE?
EFV
EML
EX?
EXE
FDF
FE?
FMT
FO?
FPH
FPW
GF?
GIM
GIX
GMS
GNA
GW?
GWI
GZ?
HDI
HHT
HLP
HAT?
HWD
ICE
ICS
IM?
IN?
ION
IQY
ISP
IST
JAR
JP?
JS?
LGP
LIB
LNK
LSP
LUA
LWP
LZH
M3U
MB0
MB1
MB2
MBR
MD?
MHT
MOD
MPD
MPP
MPT
MRC
MS?
MSG
MSO
NAP
NEW
NWS
OB?
OC?
OD?
OL?
OLE
OTM
OUT
OV?
PCD
PCI
PD?
PDF
PF?
PHP
PI?
PL?
PNG
POT
PP?
PPZ
PRC
PWZ
QLB
QPW
QQY
QTC
RAR
REG
RMF
RPM
RQY
RTF
SCR
SCT
SH?
SIS
SKV
SLK
SMM
SPL
SRF
SWF
SX?
SYS
TAR
TAZ
TBZ
TD0
TFT
TGZ
TLB
TSP
UNP
URL
UUU
VB?
VBS
VS?
VVV
VWP
VXD
WBK
WIZ
WMF
WMP
WMV
WP?
WRI
WRL
WRZ
WS?
X32
XL?
XML
XRF
XLS
XTP
XX?
Z0M
ZI?
ZIP
ZL?
ZZZ

As far as I know "?" is a placeholder for ONE character. 

 

So my question is: Are files with more than 3 characters, e.g. xlsx, docx, scanned as well? Or do I need to maintain the additions manually?

 

Kind regards

LS

 

 

1 Solution

Accepted Solutions
McAfee Employee johma

Re: VSE On Access Scanner Default + Additional File Types


Hi LS31855,

Q: Are files with more than 3 characters, e.g. xlsx, docx, scanned as well?

Yes, only the first 3 characters are parsed; the rest are irrelevant, and the files, if a match is made, will be scanned accordingly.

However, I would be very wary of using the "Default Files" policy now, as it will let some threats through. For example, if I send you an HTML doc that includes an HTML infection vector, then most likely this will be caught (for the sake of argument here).

If I sent you an HTML document with a malicious embedded Java component, this would get through and most likely infect your system where "Default Files" is selected.

We have only recommended the use of "all files" scanning since 2006, as malware has also evolved over this time. The difference being that "all files" scans "all files" against "all threat types".

The only caveat against this is where you specify additional types; then these additions are scanned as if "all files" was selected, and only attacks relative to the extension are scanned for all the others.

As hardware has advanced in the past 10+ years, there is not so much need to use these settings where performance was an issue. If performance is an issue, then there are other, safer ways to work with High and Low Risk Processes.

If you are happy with the additional risk, then carry on, but I could not recommend this configuration.

 




Was my reply helpful?


If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
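
The matching rule described in the reply can be modelled to check which file names in an inventory fall outside an extension list. This is an added example, not McAfee code or part of the original posts. It assumes the extension is upper-cased and cut to its first 3 characters, that "?" stands for exactly one character (as the question states), and it uses only an excerpt of the default list; the file names are constructed.

```python
"""Model of extension-based scan selection (an assumption, not product code)."""
from pathlib import PurePath

# Excerpt of the default list quoted in the question, not the full list.
DEFAULT_TYPES_EXCERPT = ["??_", "DO?", "DOC", "EXE", "JAR", "JS?",
                         "PDF", "PP?", "XL?", "ZIP"]

# Constructed sample inventory.
SAMPLE_FILES = ["report.xlsx", "letter.docx", "slides.pptx", "setup.ex_",
                "notes.txt", "archive.7z", "tool.ps1", "README"]


def scan_key(filename):
    """Return the part of the extension the model compares (max 3 chars)."""
    ext = PurePath(filename).suffix.lstrip(".")
    return ext.upper()[:3]


def pattern_matches(pattern, key):
    """'?' matches exactly one character; other characters match literally."""
    if len(pattern) != len(key):
        return False
    return all(p == "?" or p == k for p, k in zip(pattern.upper(), key))


def matching_patterns(filename, patterns=DEFAULT_TYPES_EXCERPT):
    """List every pattern that would select this file for scanning."""
    key = scan_key(filename)
    if not key:  # no extension: nothing to compare against the list
        return []
    return [p for p in patterns if pattern_matches(p, key)]


def uncovered(filenames, patterns=DEFAULT_TYPES_EXCERPT):
    """File names that no pattern selects, i.e. candidates for additions."""
    return [f for f in filenames if not matching_patterns(f, patterns)]


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        hits = matching_patterns(name)
        status = ", ".join(hits) if hits else "NOT COVERED"
        print(f"{name:<14} key={scan_key(name) or '-':<4} {status}")
```

Files reported as not covered are the ones that would need a manual addition under this model; selection by extension says nothing about a file's actual content, which is the gap the reply warns about.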