jmaxwell
Level 7
Message 41 of 49

Re: Virus Scan Policy Best Practices

Silly question, but can the exclusions listed above simply be cut/pasted into the ePO policy fields?

Troja
Reliable Contributor
Message 42 of 49

Re: Virus Scan Policy Best Practices

Hi jmaxwell,

there are no stupid questions, just stupid answers sometimes! 🙂

Yes, you can copy paste the exclusions directly into your EPO policy for Virusscan exclusions. Added a fresh copy for the exclusions. I think this version is easier to read.

| Exclusion | Subdirectory | Scan | Policy | Vendor | OS | Info |
|---|---|---|---|---|---|---|
| **\McAfee\Common Framework\AgentEvents\ | Yes | Read/Write | Default / High | McAfee | Client/Server | McAfee Framework Service Events |
| \Device\SafeBootFSVolumes\Disk0\ | Yes | Read/Write | Default / High | McAfee | Client/Server | McAfee Endpoint Encryption |
| %ProgramFiles%\McAfee\VirusScan Enterprise\*.bof | Yes | Read/Write | Default / High | McAfee | Client/Server | McAfee VirusScan Enterprise |
| **\McAfee\VirusScan Enterprise\Quarantine\ | No | Read/Write | Default / High | McAfee | Client/Server | McAfee VirusScan Enterprise |
| All files of type LDB | - - | Read/Write | Default / High | Microsoft | Client | MS Access Temp Database File |
| All files of type MDF | - - | Read/Write | Default / High | Microsoft | Client/Server | SQL Server Data Files |
| All files of type NDF | - - | Read/Write | Default / High | Microsoft | Client/Server | SQL Server secondary Data Files |
| All files of type LDF | - - | Read/Write | Default / High | Microsoft | Client/Server | SQL Server Data Files |
| All files of type TRN | - - | Read/Write | Default / High | Microsoft | Client/Server | SQL Server Backup Files |
| All files of type BAK | - - | Read/Write | Default / High | Microsoft | Client/Server | SQL Server Backup Files |
| All files of type DIT | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Active Directory Data Store |
| All files of type EDB | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange Database File |
| All files of type STM | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange Database File |
| All files of type DBS | - - | Read/Write | Default / High | - - | Client/Server | Common Database Format (MSAccess, Corel Paradox, Synopsys Design Compiler) |
| **\NTUser.pol | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows Group Policy Files |
| **\regsitry.pol | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows Group Policy Files |
| %SYSTEMROOT%\**\edb*.log | - - | Read/Write | Default / High | Microsoft | Server | Microsoft - NTDS, Security, NTFRS, Update - Log Files |
| %Systemroot%\SoftwareDistribution\Datastore\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Distributed Transaction Coordinator (Datastore.edb) |
| %systemroot%\Sysvol\ | No | Read/Write | Default / High | Microsoft | Server | Microsoft Domain Controller (FRS Service) |
| %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Domain Controller (FRS Service) (FRS PreInstalled) |
| %systemroot%\sysvol\staging\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Domain Controller (FRS Service) |
| %systemroot%\sysvol\staging areas\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Domain Controller (FRS Service) |
| %systemroot%\system32\dhcp\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft DHCP Server |
| %systemroot%\system32\dns\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft DNS Services |
| %SYSTEMROOT%\System32\wins\wins.mdb | - - | Read/Write | Default / High | Microsoft | Server | Microsoft WINS Services |
| %SYSTEMROOT%\System32\wins\winstemp.mdb | - - | Read/Write | Default / High | Microsoft | Server | Microsoft WINS Services |
| %systemroot%\ntds\*.edb | - - | Read/Write | Default / High | Microsoft | Server | Microsoft DNS Server (Active Directory Transaction LOGs) |
| %systemroot%\ntds\*.log | - - | Read/Write | Default / High | Microsoft | Server | Microsoft DNS Server (Active Directory Transaction LOGs) |
| %systemroot%\ntds\*.chk | - - | Read/Write | Default / High | Microsoft | Server | Microsoft DNS Server (Active Directory Transaction LOGs) |
| %systemroot%\ntds\*.dit | - - | Read/Write | Default / High | Microsoft | Server | Microsoft DNS Server (Active Directory Transaction LOGs) ntds.dit |
| %systemroot%\ntfrs\*.edb | - - | Read/Write | Default / High | Microsoft | Server | Microsoft File Replication (NTFR) |
| %systemroot%\ntfrs\*.log | - - | Read/Write | Default / High | Microsoft | Server | Microsoft File Replication (NTFR) |
| %systemroot%\ntfrs\*.chk | - - | Read/Write | Default / High | Microsoft | Server | Microsoft File Replication (NTFR) |
| %systemroot%\security\*.edb | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows LOGs |
| %systemroot%\security\*.sdb | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows LOGs (Local Security Database) |
| %systemroot%\security\*.log | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows LOGs |
| %systemroot%\security\*.chk | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows LOGs |
| %systemroot%\security\*.jrs | - - | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Windows LOGs |
| %SYSTEMROOT%\IIS Temporary Compressed Files | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft IIS - Temporary Compressed Files |
| %SystemRoot%\System32\Inetsrv\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft IIS (Microsoft Exchange combination) |
| %SystemRoot%\IIS Temporary Compressed Files\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft IIS (Microsoft Exchange combination) |
| **\MNS_FSW_DIR*\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft IIS (Microsoft Exchange combination) |
| %Systemroot%\Cluster | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Cluster Services |
| \clusterserviceaccount\Local Settings\Temp\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Cluster Services - Temp folder of the service account |
| Q:\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Cluster Services - Quorum Drive |
| %ProgramFiles%\System Center Operations Manager\**\Health Service State\ | Yes | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Operations Manager Server - MOM |
| **\Microsoft\Microsoft Operations Manager\ | Yes | Read/Write | Default / High | Microsoft | Client/Server | Microsoft MOM 2005 (Server and Agents) |
| %ProgramFiles%\**\Health Service Store\ | Yes | Read/Write | Default / High | Microsoft | Client/Server | Microsoft MOM 2007 (Server and Agents) |
| %systemroot%\temp\OpsMgrTrace\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Operations Manager Server - MOM |
| %ProgramFiles%\**\Config Service State\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Operations Manager Server - MOM |
| %ProgramFiles%\**\SDK Service State\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Operations Manager Server - MOM |
| %SYSTEMROOT%\IIS Temporary Compressed Files | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft IIS - Temporary Compressed Files |
| **\Microsoft SQL Server\MSSQL*\OLAP\Data\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft SQL-2005 Analysis Services |
| **\Microsoft SQL Server\MSSQL.*\OLAP\Backup\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft SQL-2005 Analysis Services Backup Files |
| **\Microsoft SQL Server\MSSQL.*\OLAP\Log\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft SQL-2005 Analysis Services Log Files |
| **\Microsoft SQL Server\**\FTDATA\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft SQL-2005 Full-text Catalog Files |
| **\MSDTC.log | - - | - - | | Microsoft | Server | Microsoft Distributed Transaction Coordinator LogFile |
| %Systemroot%\system32\catroot2\*.log | - - | - - | | Microsoft | Client/Server | Windows Update |
| %Systemroot%\system32\catroot2\*.chk | - - | - - | | Microsoft | Client/Server | Windows Update |
| **\system32\wbem\logs\framework.log | - - | - - | Default / High | IBM | Client/Server | TSM Backup |
| **\oracle\oradata\*.dbf | - - | - - | Default / High | Oracle | Server | Oracle Database Server |
| **\oracle\Inventory\logs\*.log | - - | - - | Default / High | Oracle | Server | Oracle Database Server |
| **\oracle\oradata\*.ctl | - - | - - | Default / High | Oracle | Server | Oracle Database Server |
| %Systemroot%\CSC | Yes | Read/Write | Default / High | Microsoft | Client | Microsoft Client Side Caching |
| %Systemroot%\system32\config\ | Yes | Read/Write | Default / High | Microsoft | Client/Server | Microsoft Application, System, Security Log etc. |
| **\mcscript_inuse.exe | - - | Read/Write | Default / High | McAfee | Client/Server | McAfee Agent |
| **\Exchsrvr\Mdbdata\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange - LOG Files, MTA |
| **\Exchsrvr\Mailroot\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange - virtual Server Folder |
| **\Exchsrvr\Srsdata\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange Site Replication Service (SRS) |
| **\Exchsrvr\*.log | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange - LOG Files |
| **\Microsoft\Exchange Server\Logging\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Logging |
| **\Microsoft\Exchange Server\ExchangeOAB\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Offline Address Book |
| **\Microsoft\Exchange Server\Working\OleConvertor\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 OLE Conversions |
| **\Microsoft\Exchange Server\Mailbox\MDBTEMP\ | Yes | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Mailbox Database temporary |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.config | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Application-related Extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.dia | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Application-related Extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.wsb | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Application-related Extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.edb | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Database-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.log | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Database-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.chk | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Database-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.jrs | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Database-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.que | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Database-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.lzx | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Offline Address Book-related extension Exclusions |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.ci | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Content Index-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.wid | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Content Index-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.dir | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Content Index-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.000 | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Content Index-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.00? | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Content Index-related extension Excl. |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.cfg | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Unified Messaging-related extension Exclusions |
| %ProgramFiles%\Microsoft\Exchange Server\**\*.grxml | - - | Read/Write | Default / High | Microsoft | Server | Microsoft Exchange 2007 Unified Messaging-related extension Exclusions |
| **\Network Security Manager\MySQL\ | Yes | Read/Write | Default / High | McAfee | Server | McAfee Intrushield Manager |
| **\pagefile.sys | - - | Read/Write | Default / High | McAfee | Server | Microsoft Windows systems |
| **\jet\sys\edb.chk | - - | Read/Write | Default / High | Microsoft | Client | Microsoft File Replication on the client |
| **\jet\ntfrs.jdb | - - | Read/Write | Default / High | Microsoft | Client | Microsoft File Replication on the client |
| **\jet\log\*.log | - - | Read/Write | Default / High | Microsoft | Client | Microsoft File Replication on the client |

Cheers,

Thorsten

Message edited by Troja on 15.02.12 10:45:06 CET

gmchenry
Level 7
Message 43 of 49

Re: Virus Scan Policy Best Practices

This is a good resource for exclusions for Microsoft products; http://blogs.technet.com/b/jeff_stokes/archive/2010/05/28/anti-virus-exclusions-and-you.aspx

spongetron
Level 10
Message 44 of 49

Re: Virus Scan Policy Best Practices

Hi, can someone tell me why I would have to make these exclusions in the default and high risk policy?

Thanks

mmcgary
Level 12
Message 45 of 49

Re: Virus Scan Policy Best Practices

You should add directory/file extensions/non-executables to the default on-access policy. Trusted processes should go in low risk and you shouldn't ever need to edit the high risk policy unless you are having a specific issue with a predefined high risk process.

wwarren
McAfee Employee
Message 46 of 49

Re: Virus Scan Policy Best Practices

I know everybody wants a one-fit policy; since that would make life really easy.

But, here's my concern with the published table of exclusions:

1. They're too "open", meaning the hole in your AV protection is larger than it needs to be

2. You don't know why those exclusions are specified

3. Malware writers know exactly where to store their malware, or what to name it in order to avoid detection (even if you have detection available).

4. Exclusions formed in response to product issues is not a valid reason for making an exclusion permanent.

The best practice for exclusions in an AV policy, is to have none... unless you have to. And even then, when they are needed, craft them such that they open as small a hole as is possible. This is done via enabling the Hi/Lo profiles, and assigning exclusions to specific processes only - not blanketing the exclusions for all processes.

For the Community's sake, I just want to make sure it's known how I feel about the exclusions. "I" being, William Warren, 11+ years in VSE Tier 3 Support.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
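
An added example, not part of the post above or of any McAfee tool: a small audit that ranks exclusion entries by how wide a scanning gap they open, so the widest ones get reviewed (and narrowed or tied to specific processes) first. The sample entries are copied from the table earlier in this thread; the weights and the folder heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: (exclusion, "also exclude subfolders") pairs taken from the table in this thread.
SAMPLE = [
    ("All files of type MDF", False),
    ("**\\pagefile.sys", False),
    ("Q:\\", True),
    ("%systemroot%\\ntds\\*.dit", False),
    ("%SYSTEMROOT%\\System32\\wins\\wins.mdb", False),
    ("%systemroot%\\system32\\dns\\", True),
]

def findings(exclusion, subfolders):
    """Return (weight, reason) pairs; the weights are illustrative assumptions."""
    if re.match(r"(?i)all files of type\s", exclusion):
        return [(5, "extension-wide: skipped in every folder on the host")]
    if re.fullmatch(r"[A-Za-z]:\\?", exclusion):
        return [(5, "whole drive excluded")]
    out = []
    if exclusion.startswith("**\\"):
        out.append((3, "leading **\\ is not anchored to a drive or parent folder"))
    elif "**" in exclusion:
        out.append((2, "** spans any number of folder levels"))
    leaf = exclusion.rstrip("\\").rsplit("\\", 1)[-1]
    # Heuristic (assumption): a trailing backslash or a dot-less last component means a folder.
    if exclusion.endswith("\\") or "." not in leaf:
        out.append((2, "folder and all subfolders") if subfolders else (1, "whole folder"))
    elif "*" in leaf or "?" in leaf:
        out.append((1, "wildcard file name"))
    return out

def score(exclusion, subfolders=False):
    """Total breadth weight; 0 means a single file at one anchored path."""
    return sum(weight for weight, _ in findings(exclusion, subfolders))

def audit(entries):
    """Widest exclusions first, so the largest scanning gaps are reviewed first."""
    rows = [(score(e, s), e, [r for _, r in findings(e, s)]) for e, s in entries]
    return sorted(rows, key=lambda row: -row[0])

if __name__ == "__main__":
    for total, exclusion, reasons in audit(SAMPLE):
        print(f"{total}  {exclusion:40}  {'; '.join(reasons) or 'single anchored file'}")
```
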
greatscott
Level 12
Message 47 of 49

Re: Virus Scan Policy Best Practices

Agreed, I wouldn't be publishing my exclusions list for everyone to see. Just an opinion..

jmaxwell
Level 7
Message 48 of 49

Re: Virus Scan Policy Best Practices

Thanks

amk
Level 7
Message 49 of 49

Re: Virus Scan Policy Best Practices

Well, this is a really informative thread, guys. Thanks for sharing this valuable info.
