Probably an obvious question but I have to ask - what is the relevance of the 'exclusions' section of low-risk and high-risk processes policies? If I have added exclusions to the Default Processes policy, do I also need to add them to the processes policies?
The way that I understand the Low risk process policy is that you add a process to the list under the processes tab, then under the detections tab you need to add a path to the exclusions section that is excluded (on read\write) when accessed by this process. But this doesn't explain why you would also have the option to exclude read\write under the detection tab.
Also, what if I have multiple processes and multiple paths that I need to add to the low risk process policy, would this then exclude all these processes when accessing all the paths that I have entered under exclusions?
I have been trying to get an understanding of this policy for ages now but I'm yet to find a good explanation of it. Anybody up for the task..?
I have seen this doc before and it's probably one of the better ones out there, but I still don't think it explains the use of the low risk policy fully.
It would be good to get a few examples of how people use the low risk and default policies.
Why do we need the option to disable scanning on read\write under the detections tab if we can do this from the exclusions tab? What happens if I need to add multiple processes and multiple exclusion paths, this will cause all these processes to be excluded when they access all the paths, correct? This opens a bigger exclusion than I would have wanted. What happens if I add a process, turn off read\write under the detections tab but I don't add a path to exclude, will this exclude this process when reading\writing to all local drives?
I'm using EPO4; on my policies I have Low-Risk Process, Scan Items, Exclusions and Actions tabs. I think the Scan Items tab correlates with the Detections tab. Excluding read and write on the detections tab is going to exclude all processes that have been specified in the policy from scanning on ALL read/write activity. At that point, the Exclusions tab would be unnecessary.
Basically, the Scan Items/Detections tab impacts processes, the Exclusion impacts specific files.
So for example, let's say I had a virus, badFile.exe, that I wanted to let run to see what it was going to do. If badFile.exe is excluded from read/write on the exclusions tab of the default processes policy, when I kick off badFile.exe using Explorer.exe, McAfee wouldn't scan it and it could load itself into memory. However, since badFile.exe wasn't specified as a Low-Risk process with any Read/Write exclusions, the first time it (badFile.exe) tries to write to disk or read from disk, then McAfee could catch it.
Conversely, if I added badFile.exe to the Low-Risk policy, with read/write excluded on the Scan Items/Detections tab, but not specified on any Exclusion tabs, badFile.exe would never run because McAfee would catch it when Explorer.exe tried to open the file. If however, I disable OnAccess scan, start badFile.exe and then restart McAfee, since badFile.exe is specified as a Low-Risk process that is excluded from scanning on read or write, it would be able to run rampant until some other process tried to read badFile.exe.
This is all qualified with a big "I think" because I've never seen a scan engine flow chart from McAfee, so this is just my understanding.
The Low-Risk/High-Risk/Default paradigm allows for decent flexibility, but I think what you might be wanting is a Per Application policy, where you can specify exclusion 1 for process y, and exclusion 2 for process z, whereas right now you can only specify exclusions 1 and 2 for processes y and z.
> Why do we need the option to disable scanning on read\write under the detections tab if we can do this from the exclusions tab?
Disabling it under the detection tab will disable READ/WRITE scanning for ALL files on a system. Putting it under exclusions will only disable READ/WRITE scanning for the specified files/paths.
> What happens if I need to add multiple processes and multiple exclusion paths, this will cause all these processes to be excluded when they access all the paths, correct? This opens a bigger exclusion than I would have wanted.
You are correct. But keep in mind that specifying exclusions only in e.g. low-risk settings is a big security gain, as these exclusions are only working when accessed by the specified processes and not for all processes.
> What happens if I add a process, turn off read\write under the detections tab but I don't add a path to exclude, will this exclude this process when reading\writing to all local drives?
It will generally exclude all scanning operations if this process accesses files (read/write) on the local drive.
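The two replies above describe the same set of rules from different angles: the Scan Items/Detections tab switches scanning off for everything a policy's processes touch, while the Exclusions tab only skips the listed paths, and only when one of that policy's processes does the access. The following is an added example, not code from this thread or from McAfee, that encodes those rules as a toy policy evaluator so the scenarios argued over here (the multiple-processes-times-multiple-paths question, and the two badFile.exe cases) can be run. The process names indexer.exe, backup.exe and iexplore.exe, the paths, and the precedence rule (High-Risk checked before Low-Risk, unlisted processes fall to Default) are all assumptions made for the example, not a description of the real scan engine.

```python
# Added example: toy model of how Low-Risk / High-Risk / Default Processes
# policies interact with the Scan Items (Detections) and Exclusions tabs, as
# described in the replies above. NOT McAfee code; the rules are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set

READ, WRITE = "read", "write"


@dataclass
class Exclusion:
    """One row of an Exclusions tab: a path glob and which operations it skips."""
    pattern: str          # matched case-insensitively; '*' also spans backslashes
    on_read: bool = True
    on_write: bool = True

    def covers(self, path: str, op: str) -> bool:
        if not fnmatchcase(path.lower(), self.pattern.lower()):
            return False
        return self.on_read if op == READ else self.on_write


@dataclass
class ProcessPolicy:
    """A Low-Risk, High-Risk or Default Processes policy.

    processes  - exe names the policy applies to; empty means catch-all (Default)
    scan_on_*  - the Scan Items / Detections tab: applies to every file these
                 processes touch
    exclusions - the Exclusions tab: applies only to the listed paths, and only
                 when one of this policy's processes does the access
    """
    name: str
    processes: Set[str] = field(default_factory=set)
    scan_on_read: bool = True
    scan_on_write: bool = True
    exclusions: List[Exclusion] = field(default_factory=list)

    def applies_to(self, process: str) -> bool:
        return process.lower() in {p.lower() for p in self.processes}


def select_policy(policies: List[ProcessPolicy], process: str) -> ProcessPolicy:
    """Assumption: the first policy listing the process wins (pass them in the
    precedence order you want); an unlisted process falls through to the
    catch-all policy with an empty process list."""
    for pol in policies:
        if pol.processes and pol.applies_to(process):
            return pol
    for pol in policies:
        if not pol.processes:
            return pol
    raise ValueError("no catch-all (Default) policy configured")


def should_scan(policies: List[ProcessPolicy], process: str, path: str, op: str) -> bool:
    """True if the on-access scanner would scan `path` when `process` does `op`."""
    pol = select_policy(policies, process)
    if not (pol.scan_on_read if op == READ else pol.scan_on_write):
        return False          # tab switched off: nothing this process touches is scanned
    return not any(ex.covers(path, op) for ex in pol.exclusions)


def thread_scenarios() -> Dict[str, bool]:
    """The situations argued over above, with constructed process and path names."""
    high = ProcessPolicy("High-Risk", processes={"iexplore.exe"})
    low = ProcessPolicy("Low-Risk", processes={"indexer.exe", "backup.exe"},
                        exclusions=[Exclusion(r"D:\Index\*"), Exclusion(r"E:\Backups\*")])
    default = ProcessPolicy("Default", exclusions=[Exclusion(r"*\badFile.exe")])
    policies = [high, low, default]

    # Low-Risk variant: read/write scanning switched off on the tab, no exclusions at all.
    low_off = ProcessPolicy("Low-Risk", processes={"badFile.exe"},
                            scan_on_read=False, scan_on_write=False)
    policies_off = [high, low_off, ProcessPolicy("Default")]

    return {
        # Two processes x two paths: every listed process is excluded on every listed path ...
        "indexer reads backup path": should_scan(policies, "indexer.exe", r"E:\Backups\set1.bak", READ),
        "backup writes index path": should_scan(policies, "backup.exe", r"D:\Index\catalog.db", WRITE),
        # ... but the same paths are still scanned for processes under another policy.
        "explorer reads backup path": should_scan(policies, "explorer.exe", r"E:\Backups\set1.bak", READ),
        "iexplore reads index path": should_scan(policies, "iexplore.exe", r"D:\Index\catalog.db", READ),
        # badFile.exe excluded on the Default policy: Explorer opening it is not scanned,
        # but badFile.exe itself is a Default process, so its own first write is scanned.
        "explorer opens badFile": should_scan(policies, "explorer.exe", r"C:\Tools\badFile.exe", READ),
        "badFile drops a file": should_scan(policies, "badFile.exe", r"C:\Temp\drop.dll", WRITE),
        # badFile.exe as Low-Risk with scanning off and no exclusions: Explorer (Default)
        # opening it is still scanned, but once running nothing it touches is scanned.
        "explorer opens badFile (low-off)": should_scan(policies_off, "explorer.exe", r"C:\Tools\badFile.exe", READ),
        "badFile drops a file (low-off)": should_scan(policies_off, "badFile.exe", r"C:\Temp\drop.dll", WRITE),
        "badFile reads system dir (low-off)": should_scan(policies_off, "badFile.exe", r"C:\Windows\System32\kernel32.dll", READ),
    }


if __name__ == "__main__":
    for label, scanned in thread_scenarios().items():
        print(f"{label:36} -> {'scanned' if scanned else 'NOT scanned'}")
```

Running it prints one line per scenario. The first four show the cross-product effect: both Low-Risk processes are skipped on both excluded paths, yet explorer.exe and iexplore.exe, which sit under other policies, are still scanned on those very same paths. The last three show why turning the tab off without an exclusion is the broader setting: the Default-policy process that opens badFile.exe still gets it scanned, but once badFile.exe is running under the switched-off Low-Risk policy, no path it reads or writes is scanned anywhere.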
I think another easy way to explain the difference between high/low risk processes is that low risk processes get scanned one time when they enter the memory space and that's it. High risk processes are scanned as they enter memory and again every time they access anything on the file system.
I know in our environment we have several apps that make constant calls to hundreds of thousands of files in their normal use. If we don't have the processes in the low risk category it would basically crater the machine and the application wouldn't run normally.
High risk processes are normally things that have a high likelihood of bringing crap into your environment. All of your browser processes, P2P (if you allow this) apps, chat utilities, etc.
And yes, as it has already been mentioned, it's important to keep the difference between processes and the exclusions in the file system separate in your head.