
Exclusions in ePO regarding On Access Scanner

I am currently configuring my ePO with exclusions for different server types. I am also trying to avoid too many policies in my ePO server. But as I am struggling with this configuration I am suffering from non-standard servers and installations...

On some servers the files I am trying to exclude lie on C:, on other servers on D:. What is best practice:

1. Make a profile per server that matches each server perfectly
2. Make a general profile with exclusions that match every server in my server group
4 Replies

RE: Exclusions in ePO regarding On Access Scanner

The fewer policies you have, the easier to manage, and therefore less likely to go wrong 🙂

All things being equal, I would set up two groups, and set the policies at the group level.

Let's say you want to exclude either C:\FOOBAR or D:\FOOBAR depending on which Drive FOOBAR is installed...

+ GROUP-C-FOOBAR <-- apply the policy exclusion here
| + Server A
| + Server B
+ GROUP-D-FOOBAR <-- apply the policy exclusion here
| + Server C
| + Server D

Of course - if it really IS as simple as I've shown above, then you can also set a policy at the top level excluding **\FOOBAR\ - which will exclude foobar irrespective of which drive it is on, or how far down the path it is...

RE: Exclusions in ePO regarding On Access Scanner

Now the reality is not that simple...

For example:
Server 1: MSSQL, IIS
Server 3: Oracle, IIS
Server 4: IIS
Server 5: exchange, IIS
and so on...

I am trying to set exclusions based on the applications on the server. And the applications/services are scattered in many different combinations. I don't have x servers running IIS and y servers running Oracle. It is all mixed up...

I should need policies that aggregate/are cumulative (I think that is the English word for it). In other words, several policies on one server, if you understand...

RE: Exclusions in ePO regarding On Access Scanner

Yeah, this is a feature that ePO/VSE is missing alright that would be pretty handy.

It would be great to define a primary VSE policy - say Global_Default which excludes things like pagefile.sys and other standards, then a sub policy called IIS, then another one called Oracle, etc . . .

Then you could apply a series of policies based on tags - so everything would get Global_Default, the ones you have tagged as IIS servers would get the IIS policy, the ones with IIS & Oracle tag would get both extra policies, etc . . .

As you have described above, it's almost impossible to create policies to match all the combinations of servers you have. And it's not just as simple as bunging all the exclusions into one big policy - there are reasons you might want to exclude some things for Oracle but not exclude them for IIS.

Come on McAfee . . . lose the monolithic approach to policy creation and make it more flexible, like for the real world.


RE: Exclusions in ePO regarding On Access Scanner

I agree a more flexible approach would be welcome...but with what we've got today, you have a couple of options, ShootKing

a) Have the one generic policy that covers all bases - using the '**' wildcard
e.g. Exclude **\Oracle\ & **\Exchange\
It will exclude the items on each server IF THEY ARE INSTALLED/THERE.....

b) Have specific exclusions for each combination of software

..but you already knew that 🙂

Perhaps if you work out your individual exclusions you can see where a minor change to the exclusions can be used to reduce the number of groups - e.g. all mail servers in one group, all infrastructure in another, etc. This half-way-house may not be ideal, but may give you the right level of protection across the right servers...

Good Luck
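
Added example, not part of any reply in this thread: a small Python matcher for reviewing which paths a drive-specific exclusion and the `**\FOOBAR\` / `**\Oracle\` style exclusions discussed above would cover before a generic policy is rolled out. The wildcard semantics (`*` stays inside one folder name, `**` spans backslashes, a trailing backslash covers the folder's contents, matching is case-insensitive) and all sample paths are assumptions constructed for illustration; confirm them against the product documentation for your version.

```python
import re

def exclusion_to_regex(pattern):
    """Translate a wildcard exclusion into an anchored regex.

    Assumed semantics: '?' is one character, '*' is any run of characters
    inside one path component, '**' is any run of characters including
    backslashes, and a trailing backslash means the folder and its contents.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    tail = ".*" if pattern.endswith("\\") else ""
    return re.compile("^" + "".join(out) + tail + "$", re.IGNORECASE)

def excluded(paths, patterns):
    """Map every path to the list of exclusion patterns that cover it."""
    compiled = [(p, exclusion_to_regex(p)) for p in patterns]
    return {path: [p for p, rx in compiled if rx.match(path)] for path in paths}

# Patterns from the thread plus a drive-specific one for comparison.
PATTERNS = ["C:\\FOOBAR\\", "**\\FOOBAR\\", "**\\Oracle\\"]

# Constructed sample paths, not taken from any real server.
SAMPLE_PATHS = [
    r"C:\FOOBAR\data\file.dat",
    r"D:\Apps\FOOBAR\bin\svc.exe",
    r"D:\Oracle\oradata\system01.dbf",
    r"E:\Backups\Oracle\export.dmp",   # a folder named Oracle outside the install
    r"C:\inetpub\wwwroot\index.html",
]

if __name__ == "__main__":
    for path, hits in excluded(SAMPLE_PATHS, PATTERNS).items():
        print(f"{path:40} excluded by: {hits or 'nothing'}")
```

Running a server's real directory listing through `excluded` shows how much more a top-level `**` policy covers than the per-group, per-drive policies, which is the trade-off the replies describe.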