I set up my EPO to send me scan timeout emails so that I know when these are happening. My concern is for timeouts that appear to be program related. If McAfee is scanning the file and the program needs it, there may be some issues with the program. So far I have not gotten much help from software vendors as to what to exclude, and so was wondering how you guys handle this one.
Just trying to get a sense of what others are doing.
That depends on what kind of file and, depending on that, what kind of system (DB server, domain controller, Exchange server, dedicated servers for appliances, etc.) the timeout occurs on. Normally you will find whitepapers for most systems when typing "Virusscan Exclusion for xyz" into Google, and McAfee itself has whitepapers for several products.
But to be more helpful (I doubt that I can help as much as others), it would be a good start to describe what kind of files cause the timeout, or in which context they are running/used. Normally we investigate the necessity of scanning those files and create an analysis of whether we will exclude those files or folders for performance improvement, or not, due to security reasons.
Some links for exclusions:
- Domain Controller: https://platinum.mcafee.com/article.aspx?page=content&id=KB57308
- Oracle DB: https://platinum.mcafee.com/article.aspx?page=content&id=KB54817
- NAS/SAN mount points: https://platinum.mcafee.com/article.aspx?page=content&id=KB54457
- Defining and understanding exclusions: https://platinum.mcafee.com/Article.aspx?id=KB66909
Other vendor recommendations can be tricky, since they sometimes only have their application's performance in mind, and not security. I have seen one well-known software vendor, the name I will not divulge to protect the guilty, recommend removing any anti-virus software references from the Run key in the registry. Either way, I always ask and look for the vendor recommendation as a starting point. If you find a ridiculous recommendation, you as a customer might want to let them know before they lead other customers astray.
Don's reply above is where I would start too. My best recommendation for this kind of tuning is that you avoid folder exclusions. Most of the time you can define one of the following based on scan time-outs and vendor recommendations, which is much less risky:
1. Low-risk processes with scan on-read disabled in your low-risk policy (try to leave scan on-write on).
2. File-type exclusions
3. File exclusions. If you can, try to make these path specific (e.g. **\Program Files (x86)\YourApp\Logs\server.log).
One example that I have seen is that if you are scanning compressed files, you will see .jar files in your scan time-outs. To avoid this, .jar files were put in as a read exclusion for the default and low-risk categories. This improved Java-based applications' performance.
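As an added example (not code from the thread, from McAfee, or from ePO), here is one way to triage an export of "Scan Timed Out" events into the three exclusion types listed in the post above, so that a recurring timeout is mapped to the narrowest exclusion that covers it and folder exclusions are never suggested. It assumes a constructed CSV export with timestamp, host, process and path columns; the hosts, paths and thresholds are hypothetical.

```python
"""Triage 'Scan Timed Out' events into file-type, path-specific file, or process candidates."""
import csv
import io
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample export (hypothetical hosts and paths, not real data).
SAMPLE = """\
2013-05-01 08:00:01,app01,java.exe,C:\\Program Files\\YourApp\\lib\\core.jar
2013-05-01 08:00:02,app01,java.exe,C:\\Program Files\\YourApp\\lib\\util.jar
2013-05-01 08:00:05,app02,java.exe,C:\\Program Files\\YourApp\\lib\\core.jar
2013-05-01 08:01:09,app02,java.exe,D:\\Tomcat\\lib\\catalina.jar
2013-05-01 08:02:00,app01,YourApp.exe,C:\\Program Files (x86)\\YourApp\\Logs\\server.log
2013-05-01 08:03:00,app01,YourApp.exe,C:\\Program Files (x86)\\YourApp\\Logs\\server.log
2013-05-01 08:04:00,app03,YourApp.exe,C:\\Program Files (x86)\\YourApp\\Logs\\server.log
2013-05-01 08:05:00,db01,sqlservr.exe,E:\\Data\\big.mdf
"""

def parse_events(text):
    """Return (host, process, path) tuples from the constructed CSV export."""
    return [(r[1], r[2], r[3]) for r in csv.reader(io.StringIO(text)) if len(r) == 4]

def recommend(events, min_paths=3, min_hits=3):
    """Map each recurring timeout to the least risky exclusion that covers it.

    file_type:      one extension timing out across >= min_paths distinct paths
                    (the .jar case in the thread; apply as a read exclusion)
    file_path:      one exact path timing out >= min_hits times (path-specific)
    review_process: anything left over, by process name, for a manual look at
                    whether a low-risk process policy is justified
    """
    paths_by_ext, hits_by_path = defaultdict(set), Counter()
    for _host, _proc, path in events:
        paths_by_ext[PureWindowsPath(path).suffix.lower()].add(path.lower())
        hits_by_path[path.lower()] += 1
    rec = {"file_type": set(), "file_path": set(), "review_process": set()}
    for ext, paths in paths_by_ext.items():
        if ext and len(paths) >= min_paths:
            rec["file_type"].add(ext)
    for path, n in hits_by_path.items():
        if n >= min_hits and PureWindowsPath(path).suffix not in rec["file_type"]:
            rec["file_path"].add(path)
    for _host, proc, path in events:  # whatever is still uncovered goes to review
        ext = PureWindowsPath(path).suffix.lower()
        if ext not in rec["file_type"] and path.lower() not in rec["file_path"]:
            rec["review_process"].add(proc.lower())
    return rec

if __name__ == "__main__":
    for kind, items in recommend(parse_events(SAMPLE)).items():
        print(kind, sorted(items))
```

Thresholds are a starting point only; each candidate still needs the security review the earlier replies describe before it becomes a policy exclusion.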
We have learned to accept "Scan Timed Out" events as just part of life, we have actually filtered them out of our AV reports because they are so numerous, despite taking advantage of file type exclusions, process exclusions, etc.
And LOL about the Run key thing Eric.