dEcSup
Level 7
Message 21 of 49

RE: Easy exclusion entry solution?

Thanks for the GREAT WORK jawut:)



Tried the above too and working fine. Created template as below:

<Setting name="ExcludedItem_" value="3|3|"/>
<Setting name="ExcludedItem_" value="3|3|"/>
<Setting name="ExcludedItem_" value="3|3|"/>
<Setting name="ExcludedItem_" value="3|3|"/>

Thanks. You are the man!

RE: Easy exclusion entry solution?

I can't get this to work (EPO 4 and VSE 8.7i). Every time I export the policy and make any changes in the appropriate section, then import it back, the changes are NOT reflected.

I did the online chat thing today with their TS and was told this isn't a "supported" option by McAfee. The Import/Export is supposedly only for backup and migration purposes.

As I need to bulk add 20+ Exclusions....anyone here have an idea why it's not working for me?
:confused:

Re: My Complete list of Virus Scan Exclusions as per 05/09

Hi,

Very useful thread, especially as it's new territory for me.

Two questions I still have are:

#1 Should the Windows server exclusions be applied for Default, Low and High-risk processes policies or just Default?

#2 For server-role specific exclusions, i.e. WINS, SQL, Domain Controllers etc., are these in addition to the general server exclusions: http://support.microsoft.com/kb/822158

or just apply the role specific exclusions only?

Thanks

Re: Virus Scan Policy Best Practices

McAfee - here's my vision make it happen!

LOCATION

  • Ideally in EPO but a website will work for now

USER INPUT

  • Selects from a drop down listing of OS's, Applications listed by version, build, patch level etc...
  • PUSHES GO BUTTON

OUTPUT

  • Automated Antivirus Exclusion Report(s) with technical references, legal disclaimers, etc...

RESULTS

HAPPY CUSTOMERS!

Royalty Fees - Yes, I have lots of ideas for your products and I do accept $$$$$

robpow
Level 10
Message 25 of 49

Re: Virus Scan Policy Best Practices

I find that excluding by process instead of by folder (or drive letter as in the case with MSCS) is more efficient for my purposes. This way I can specify the two or three processes that are responsible for the file I/O (e.g. sqlservr.exe, store.exe, etc) and not have to worry about where the application is writing its files to.

For me the biggest issue with exclusion policy management is that policies aren't cumulative, you can't for instance exclude a set of processes on a global level and then add a couple of additional process exclusions for a specific set of servers. Instead you have to duplicate the global policy and add the extra processes and in doing so you lose the connection to the global exclusions so you now have to remember to edit all local policies whenever the global policy changes.

Finally, I also find that software vendors invariably specify exclusions too generously. If we excluded everything Microsoft, Symantec, BMC, Altiris etc documented there wouldn't be many folders left being scanned any longer.

Getting the right exclusions unfortunately is not as simple as just bunging in a number of documented defaults; it requires skill and understanding of your environment and especially your acceptable risk levels, and these will be different from installation to installation or even vary within an organisation depending on exposure of the systems.

What we need is a 'Zen and the Art of VirusScan Exclusions'   

Cheers,

Matt

on 11/9/09 3:08 AM
sgrimmel
Level 11
Message 26 of 49

Re: Virus Scan Policy Best Practices

While nothing can be complete to document all possible exclusions or absence thereof, KnowledgeBase Master article KB66909 should help and clarify a number of scenarios.

Please note that McAfee is very keen to keep exclusions to a minimum as every exclusion is a potential safety issue. McAfee for instance also does not underwrite the general wide exclusions Microsoft advises to set for AV products and has its own recommendations which include the advice generally not to set directory exclusions.

HTH


Re: Virus Scan Policy Best Practices

I just wanted to confirm something on this thread before I finalize my exclusions document.

Example taken from the following Microsoft KB  http://support.microsoft.com/?id=320111

Which looks like below.

  • Drive:\Program Files\SharePoint Portal Server
  • Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System

Written in McAfee "exception language" could look like this, correct?

  • **\Program Files\SharePoint Portal Server\
  • **\Program Files\Common Files\Microsoft Shared\Web Storage System\
  • C:\%Program Files%\Common Files\Microsoft Shared\Web Storage System\
  • or even
  • **\*\Common Files\Microsoft Shared\Web Storage System\

Other possible examples:

**\%PROGRAMFILES(X86)%\SharePoint Portal Server\ - If running a 64 BIT system (just an example, didn't verify actual file locations)

**\*\SharePoint Portal Server\ - Not a good idea since it seems rather general but still valid, correct?

What about system variables?

What's the best practice for excluding locations such as the %APPDATA%?

Sometimes it's located here, but the user name always changes C:\Documents and Settings\{username}\Application Data.

How should this be written?

Like one of these maybe?

  • C:\Documents and Settings\%username%\Application Data\
  • C:\Documents and Settings\*\Application Data\
  • **\Documents and Settings\*\Application Data\

I would prefer to use variables as much as possible, since it seems to cover much broader situations.

Message was edited by: Robert Rathbun on 11/12/09 2:33 PM

Message was edited by: Robert Rathbun on 11/12/09 2:37 PM

Re: Virus Scan Policy Best Practices

Still didn't get a reply to my previous question....

Re: Virus Scan Policy Best Practices

**\Documents and Settings\*\Application Data\

I will use this, because it will exclude every application data inside Documents and Settings in all locations.

tonyb99
Level 13
Message 30 of 49

Re: Virus Scan Policy Best Practices

That's a really bad idea........

a lot of malware drops to the local user profile in the *\local settings\application data\     various files and subfolders

you're just going to ignore all this?
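
Added example, not part of any post in this thread and not McAfee tooling: a small audit that expands proposed exclusion patterns and reports which ones would leave user-writable profile paths unscanned. It assumes `**` matches any characters including `\`, `*` and `?` do not cross `\`, and a trailing `\` covers the folder and everything beneath it; the function names and sample paths are constructed for illustration.

```python
import re

# Constructed sample paths (not from the thread): places a standard user can write to.
USER_WRITABLE_SAMPLES = [
    r"C:\Documents and Settings\alice\Application Data\updater.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\x\run.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\setup.exe",
]

def pattern_to_regex(pattern):
    # Assumed wildcard semantics: '**' crosses backslashes, '*' and '?' do not.
    # A trailing backslash marks a folder, assumed to include all subfolders.
    is_folder = pattern.endswith("\\")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    tail = ".*" if is_folder else ""
    return re.compile("^" + "".join(out) + tail + "$", re.IGNORECASE)

def audit(patterns, samples=USER_WRITABLE_SAMPLES):
    # Map each pattern to the sample paths it would leave unscanned.
    findings = {}
    for p in patterns:
        rx = pattern_to_regex(p)
        hits = [s for s in samples if rx.match(s)]
        if hits:
            findings[p] = hits
    return findings

if __name__ == "__main__":
    proposed = [  # patterns quoted in the thread above
        "**\\Documents and Settings\\*\\Application Data\\",
        "C:\\Documents and Settings\\*\\Application Data\\",
        "**\\Program Files\\SharePoint Portal Server\\",
    ]
    for pat, hits in audit(proposed).items():
        print(pat, "covers", len(hits), "user-writable sample path(s)")
```

Replacing the sample list with paths gathered from real profiles in your own environment turns this into a pre-deployment check for any exclusion list.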
