Re: Virus Scan Policy Best Practices

I'm just answering the question ... the best way to exclude the directory..

Sure.. I will not do this! I'm not crazy..

Thanks

tonyb99
Message 32 of 49

Re: Virus Scan Policy Best Practices

cool

It is a great pattern format for exclusions, just an unfortunate example for any newbie.

Re: Virus Scan Policy Best Practices

Tony,

Thanks for the advice.

I will take more caution in my posts.

Regards,

Jose Vicente

Reliable Contributor rmetzger
Message 34 of 49

Re: Virus Scan Policy Best Practices

rrathbun wrote:

I just wanted to confirm something on this thread before I finalize my exclusions document.

Example taken from the following Microsoft KB: http://support.microsoft.com/?id=320111

Which looks like below.

  • Drive:\Program Files\SharePoint Portal Server
  • Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System

Written in McAfee "exception language" it could look like this, correct?

  • **\Program Files\SharePoint Portal Server\
  • **\Program Files\Common Files\Microsoft Shared\Web Storage System\
  • C:\%Program Files%\Common Files\Microsoft Shared\Web Storage System\
  • or even
  • **\*\Common Files\Microsoft Shared\Web Storage System\

Other possible examples:

**\%PROGRAMFILES(X86)%\SharePoint Portal Server\ - If running a 64-bit system (just an example, didn't verify actual file locations)

**\*\SharePoint Portal Server\ - Not a good idea since it seems rather general but still valid, correct?

What about system variables?

What's the best practice for excluding locations such as the %APPDATA%?

Sometimes it's located here, but the user name always changes C:\Documents and Settings\{username}\Application Data.

How should this be written?

Like one of these maybe?

  • C:\Documents and Settings\%username%\Application Data\
  • C:\Documents and Settings\*\Application Data\
  • **\Documents and Settings\*\Application Data\

I would prefer to use variables as much as possible, since it seems to cover much broader situations.

OK, to work properly in both (Vista/2k8/W7) and in (2k3/XP/and down) I have used both exclusions as needed.

Example:

WXP/W2k3 = **\Documents and Settings\*\Application Data\

Vista/W2k8/W7 = **\Users\*\AppData\

Having both included as Exclusions within the same exclusions set is not particularly bad as only one should prevail.

One could even try using:

%UserProfile%\..\*\Application Data\

%UserProfile%\..\*\AppData\

However, user rights above %UserProfile% (..\) may block access, so this should be tested thoroughly within your environment.

A little ingenuity will allow you to come up with the appropriate exclusions for both OSes for Common Files, Program Files, etc.

Hope this is helpful.

Ron Metzger

Message was edited by: rmetzger
Added additional comment on 11/16/09 4:19 PM
Thanks,
Ron Metzger


Re: Virus Scan Policy Best Practices

Hi,

I think this will help you.

https://kc.mcafee.com/corporate/index?page=content&id=KB66909  VirusScan Enterprise exclusions (Master Article)

https://kc.mcafee.com/corporate/index?page=content&id=PD22663 VirusScan Enterprise Best Practices

https://kc.mcafee.com/corporate/index?page=content&id=PD22940 VirusScan Enterprise 8.8 Best Practices Guide

Regards,

José Vicente.

Message was edited by: josevicente on 5/6/11 2:23:33 PM BRT

Re: Virus Scan Policy Best Practices

Excellent set José.

I wish they could have an exclusion file import utility, or even better, offer to set them on installation!

This list from Microsoft should be of some use to people too: http://social.technet.microsoft.com/wiki/contents/articles/953.aspx

Regards,

Stephen


Re: Virus Scan Policy Best Practices

If I understand this correctly, exclusions for Exchange 2003 (MS KB823166) should be added in the OAS Default Process Policies?

I'm still not clear on how processes should be added, but assuming you just add the process names "Cdb.exe", "Cidaemon.exe", etc.?

And if I want to use a wildcard for the drive letter, use a double asterisk for directory exclusions? (McAfee KB50998)

(E.g. on ePO, there is a SQL servers group, SQL installation directory can be C or D or E, using "**\Program Files\Microsoft SQL Server" format would exclude any possible drive letters)

thanks
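The wildcard behaviour that rmetzger's per-OS exclusions and the SQL Server drive-letter question above both rely on, as an added example that is not McAfee code and not from this thread: a small Python matcher implementing the rules the way the thread (citing KB50998) describes them, so you can check what a given exclusion actually covers before pushing it out. The `SAMPLE_ENV` values and the sample paths are constructed, and the exact semantics (`**` spans backslashes, `*` stays inside one path component, a trailing backslash names a folder) are an assumption to be verified against the vendor documentation.

```python
import re

# Constructed sample environment values; on a real endpoint these come from the OS.
SAMPLE_ENV = {
    "ProgramFiles": "C:\\Program Files",
    "SystemRoot": "C:\\Windows",
}


def expand_env(pattern, env=SAMPLE_ENV):
    """Replace %VAR% tokens case-insensitively; unknown variables are left as-is."""
    lookup = {k.lower(): v for k, v in env.items()}

    def sub(m):
        return lookup.get(m.group(1).lower(), m.group(0))

    return re.sub(r"%([^%\\]+)%", sub, pattern)


def exclusion_regex(pattern, subdirs=True, env=SAMPLE_ENV):
    """Translate one exclusion into a compiled regex.

    Assumed wildcard rules (as the thread, citing KB50998, describes them):
      **  any characters including backslashes, so it can stand in for the drive
      *   any characters except a backslash, i.e. exactly one path component
      ?   one character that is not a backslash
    A pattern ending in a backslash names a folder: with subdirs=True anything
    below it matches, with subdirs=False only files directly inside it.
    """
    pat = expand_env(pattern, env)
    parts, i = [], 0
    while i < len(pat):
        if pat.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pat[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pat[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pat[i]))
            i += 1
    body = "".join(parts)
    if pat.endswith("\\"):
        body += ".+" if subdirs else r"[^\\]+"
    return re.compile("^" + body + "$", re.IGNORECASE)


def is_excluded(path, pattern, subdirs=True, env=SAMPLE_ENV):
    """True if the exclusion covers this path, i.e. the scanner would skip it."""
    return exclusion_regex(pattern, subdirs, env).match(path) is not None


if __name__ == "__main__":
    # The thread's two per-OS forms of one exclusion, the drive-spanning SQL one,
    # and the broad "**\*\..." form it warns about: that last one matches the
    # folder name anywhere on any drive, which is why it is a poor idea.
    for path, pattern in [
        ("C:\\Documents and Settings\\jdoe\\Application Data\\x.dat", "**\\Documents and Settings\\*\\Application Data\\"),
        ("D:\\Users\\jdoe\\AppData\\Roaming\\x.dat", "**\\Users\\*\\AppData\\"),
        ("E:\\Program Files\\Microsoft SQL Server\\MSSQL\\Data\\master.mdf", "**\\Program Files\\Microsoft SQL Server\\"),
        ("D:\\Downloads\\SharePoint Portal Server\\setup.exe", "**\\*\\SharePoint Portal Server\\"),
    ]:
        print(pattern, "->", path, ":", is_excluded(path, pattern))
```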

Reliable Contributor Troja
Message 38 of 49

Re: Virus Scan Policy Best Practices

Hi all,

Perhaps this list helps someone. I just added recommendations from different sources into one spreadsheet.

Cheers,

Thorsten

Exclusion    Subdirectories    Scan    Policy    Vendor    OS    Info

**\McAfee\Common Framework\AgentEvents\    Yes    Read/Write    Default / High    McAfee    Client/Server    McAfee Framework Service Events

\Device\SafeBootFSVolumes\Disk0\    Yes    Read/Write    Default / High    McAfee    Client/Server    McAfee Endpoint Encryption

%ProgramFiles%\McAfee\VirusScan Enterprise\*.bof    Yes    Read/Write    Default / High    McAfee    Client/Server    McAfee VirusScan Enterprise

**\McAfee\VirusScan Enterprise\Quarantine\    No    Read/Write    Default / High    McAfee    Client/Server    McAfee VirusScan Enterprise

All files of type LDB     - -    Read/Write    Default / High    Microsoft    Client    MS Access Temp Database File

All files of type MDF     - -    Read/Write    Default / High    Microsoft    Client/Server    SQL Server Data Files

All files of type NDF     - -    Read/Write    Default / High    Microsoft    Client/Server    SQL Server secondary Data Files

All files of type LDF     - -    Read/Write    Default / High    Microsoft    Client/Server    SQL Server Data Files

All files of type TRN     - -    Read/Write    Default / High    Microsoft    Client/Server    SQL Server Backup Files

All files of type BAK     - -    Read/Write    Default / High    Microsoft    Client/Server    SQL Server Backup Files

All files of type DIT     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Active Directory Data Store

All files of type EDB     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange Database File

All files of type STM     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange Database File

All files of type DBS     - -    Read/Write    Default / High     - -    Client/Server    Common Database Format (MSAccess, Corel Paradox, Synopsys Design Compiler)

**\NTUser.pol     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows Group Policy Files

**\registry.pol     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows Group Policy Files

%SYSTEMROOT%\**\edb*.log     - -    Read/Write    Default / High    Microsoft    Server    Microsoft - NTDS, Security, NTFRS, Update - Log Files

%Systemroot%\SoftwareDistribution\Datastore\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Distributed Transaction Coordinator (Datastore.edb)

%systemroot%\Sysvol\    No    Read/Write    Default / High    Microsoft    Server    Microsoft Domain Controller (FRS Service)

%systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Domain Controller (FRS Service) (FRS PreInstalled)

%systemroot%\sysvol\staging\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Domain Controller (FRS Service)

%systemroot%\sysvol\staging areas\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Domain Controller (FRS Service)

%systemroot%\system32\dhcp\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft DHCP Server

%systemroot%\system32\dns\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft DNS Services

%SYSTEMROOT%\System32\wins\wins.mdb     - -    Read/Write    Default / High    Microsoft    Server    Microsoft WINS Services

%SYSTEMROOT%\System32\wins\winstemp.mdb     - -    Read/Write    Default / High    Microsoft    Server    Microsoft WINS Services

%systemroot%\ntds\*.edb     - -    Read/Write    Default / High    Microsoft    Server    Microsoft DNS Server (Active Directory Transaction LOGs)

%systemroot%\ntds\*.log     - -    Read/Write    Default / High    Microsoft    Server    Microsoft DNS Server (Active Directory Transaction LOGs)

%systemroot%\ntds\*.chk     - -    Read/Write    Default / High    Microsoft    Server    Microsoft DNS Server (Active Directory Transaction LOGs)

%systemroot%\ntds\*.dit     - -    Read/Write    Default / High    Microsoft    Server    Microsoft DNS Server (Active Directory Transaction LOGs) ntds.dit

%systemroot%\ntfrs\*.edb     - -    Read/Write    Default / High    Microsoft    Server    Microsoft File Replication (NTFR)

%systemroot%\ntfrs\*.log     - -    Read/Write    Default / High    Microsoft    Server    Microsoft File Replication (NTFR)

%systemroot%\ntfrs\*.chk     - -    Read/Write    Default / High    Microsoft    Server    Microsoft File Replication (NTFR)

%systemroot%\security\*.edb     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows LOGs

%systemroot%\security\*.sdb     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows LOGs (Local Security Database)

%systemroot%\security\*.log     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows LOGs

%systemroot%\security\*.chk     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows LOGs

%systemroot%\security\*.jrs     - -    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Windows LOGs

%SYSTEMROOT%\IIS Temporary Compressed Files    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft IIS - Temporary Compressed Files

%SystemRoot%\System32\Inetsrv\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft IIS (Microsoft Exchange combination)

%SystemRoot%\IIS Temporary Compressed Files\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft IIS (Microsoft Exchange combination)

**\MNS_FSW_DIR*\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft IIS (Microsoft Exchange combination)

%Systemroot%\Cluster    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Cluster Services

\clusterserviceaccount\Local Settings\Temp\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Cluster Services - Temp folder of the service account

Q:\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Cluster Services - Quorum Drive

%ProgramFiles%\System Center Operations Manager\**\Health Service State\    Yes    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Operations Manager Server - MOM

**\Microsoft\Microsoft Operations Manager\    Yes    Read/Write    Default / High    Microsoft    Client/Server    Microsoft MOM 2005 (Server and Agents)

%ProgramFiles%\**\Health Service Store\    Yes    Read/Write    Default / High    Microsoft    Client/Server    Microsoft MOM 2007 (Server and Agents)

%systemroot%\temp\OpsMgrTrace\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Operations Manager Server - MOM

%ProgramFiles%\**\Config Service State\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Operations Manager Server - MOM

%ProgramFiles%\**\SDK Service State\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Operations Manager Server - MOM

%SYSTEMROOT%\IIS Temporary Compressed Files    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft IIS - Temporary Compressed Files

**\Microsoft SQL Server\MSSQL*\OLAP\Data\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft SQL-2005 Analysis Services

**\Microsoft SQL Server\MSSQL.*\OLAP\Backup\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft SQL-2005 Analysis Services Backup Files

**\Microsoft SQL Server\MSSQL.*\OLAP\Log\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft SQL-2005 Analysis Services Log Files

**\Microsoft SQL Server\**\FTDATA\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft SQL-2005 Full-text Catalog Files

**\MSDTC.log         - -     - -     Microsoft    Server    Microsoft Distributed Transaction Coordinator LogFile

%Systemroot%\system32\catroot2\*.log         - -     - -     Microsoft    Client/Server    Windows Update

%Systemroot%\system32\catroot2\*.chk         - -     - -     Microsoft    Client/Server    Windows Update

**\system32\wbem\logs\framework.log     - -     - -    Default / High    IBM    Client/Server    TSM Backup

**\oracle\oradata\*.dbf     - -     - -    Default / High    Oracle    Server    Oracle Database Server

**\oracle\Inventory\logs\*.log     - -     - -    Default / High    Oracle    Server    Oracle Database Server

**\oracle\oradata\*.ctl     - -     - -    Default / High    Oracle    Server    Oracle Database Server

%Systemroot%\CSC    Yes    Read/Write    Default / High    Microsoft    Client    Microsoft Client Side Caching

%Systemroot%\system32\config\    Yes    Read/Write    Default / High    Microsoft    Client/Server    Microsoft Application, System, Security Log etc.

**\mcscript_inuse.exe     - -    Read/Write    Default / High    McAfee    Client/Server    McAfee Agent

**\Exchsrvr\Mdbdata\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange - LOG Files, MTA

**\Exchsrvr\Mailroot\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange - virtual Server Folder

**\Exchsrvr\Srsdata\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange Site Replication Service (SRS)

**\Exchsrvr\*.log     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange - LOG Files

**\Microsoft\Exchange Server\Logging\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Logging

**\Microsoft\Exchange Server\ExchangeOAB\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Offline Address Book

**\Microsoft\Exchange Server\Working\OleConvertor\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 OLE Conversions

**\Microsoft\Exchange Server\Mailbox\MDBTEMP\    Yes    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Mailbox Database temporary

%ProgramFiles%\Microsoft\Exchange Server\**\*.config     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Application-related  Extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.dia     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Application-related  Extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.wsb     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Application-related  Extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.edb     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Database-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.log     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Database-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.chk     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Database-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.jrs     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Database-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.que     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Database-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.lzx     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Offline Address Book-related extension Exclusions

%ProgramFiles%\Microsoft\Exchange Server\**\*.ci     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Content Index-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.wid     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Content Index-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.dir     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Content Index-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.000     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Content Index-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.00?     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Content Index-related extension Excl.

%ProgramFiles%\Microsoft\Exchange Server\**\*.cfg     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Unified Messaging-related extension Exclusions

%ProgramFiles%\Microsoft\Exchange Server\**\*.grxml     - -    Read/Write    Default / High    Microsoft    Server    Microsoft Exchange 2007 Unified Messaging-related extension Exclusions

**\Network Security Manager\MySQL\    Yes    Read/Write    Default / High    McAfee    Server    McAfee Intrushield Manager

**\pagefile.sys     - -    Read/Write    Default / High    McAfee    Server    Microsoft Windows Systems

**\jet\sys\edb.chk     - -    Read/Write    Default / High    Microsoft    Client    Microsoft File Replication on the client

**\jet\ntfrs.jdb     - -    Read/Write    Default / High    Microsoft    Client    Microsoft File Replication on the client

**\jet\log\*.log     - -    Read/Write    Default / High    Microsoft    Client    Microsoft File Replication on the client

Message was edited by Troja on 25.01.12 17:48:26 CET

Re: Virus Scan Policy Best Practices

Very nice compilation Troja.

Do the exclusions have to be added to the default and high policy for the exclusion, or just one or the other?

Thanks.

Reliable Contributor Troja
Message 40 of 49

Re: Virus Scan Policy Best Practices

Hi Greg,

Yes, of course. "Default/High" means the exclusion is set in the default process policies and the high-risk process policies.

cheers,

Thorsten
