
Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi,

I have a question regarding VSE 8.7 "scan exclusions" in EPO 4.0. In the VSE 8.7 policy "On-Access Default Processes Policies", under "Exclusions", I configured some folders ("c:\program Files\GFI\*") to exclude this folder from VSE scanning. I also set the option "Also exclude subfolders" to exclude all subfolders and set the options "When to exclude" - "On read" & "On write".

But sometimes I get a VSE malware notification for files on this server in "c:\program Files\GFI\archive\85348634458.eml". I also activated "Setting for: Server" in this policy.

What is the reason for this malware notification? I want to exclude this folder from VSE scanning!

In the policy "On-Access Default Processes Policies", in "Setting for: Server", under "Processes", I have also set the option "Configure different scanning policies for high-risk, low-risk, and default processes". Can it be that the exclusions in "On-Access Default Processes Policies" then have no effect, and that I have to configure exclusions in "On-Access High-Risk Processes Policies" & "On-Access Low-Risk Processes Policies" additionally?

Thanks and greetings from Germany

Janni

1 Solution

Accepted Solutions
apoling
Message 2 of 10

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hello Janni,

It is not clear from your description when exactly you made those exclusions in Default Processes: before you also enabled the High and Low Risk process policies or after that.

If after that, it seems obvious to me, that if a process is listed in High or Low risk process list, and has no exclusion for its own policy panel, then OAS will scan a file that is under the folder (excluded from Default policy) only if the file was manipulated by the said process. See also: https://kc.mcafee.com/corporate/index?page=content&id=KB69805&actp=search&viewlocale=en_US&searchid=...

Therefore I would recommend excluding the same folder within High and Low Risk process policies for Server and/or Workstation.

Useful info on Default, High and Low Risk process policies: https://kc.mcafee.com/corporate/index?page=content&id=KB55139&actp=search&viewlocale=en_US&searchid=...

VSE exclusion Master Article: https://kc.mcafee.com/corporate/index?page=content&id=KB66909&actp=search&viewlocale=en_US&searchid=...

Attila

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Janni,

Would you be able to tell us if the alerts are coming from an OAS (On-Access Scan) or from an ODS (On-Demand Scan)? The reason I ask is that you would need to set the exclusions for both.

Thanks,

David

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi,

The event ID 1027 is from OAS.

Regards Janni

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi Attila,

Thank you for your hints. But I don't know if the policy was modified before or after adding the exclusions. This task was done by another EPO admin in the past. But you are right, I can also add these exclusions to the low and high risk policies. And is it right that if I add exclusions to the main policy, these new entries will have no effect - ok?

Regards Janni

apoling
Message 6 of 10

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi Janni,

I would say that if you have enabled default, high and low policies, then you have to synchronise the exclusions, or else the default policy's exclusions won't be effective for OAS scanning files manipulated by processes on the high and low processes lists.

Attila

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Janni,

Have you tried c:\program Files\GFI\ or c:\program Files\GFI\*\ instead of c:\program Files\GFI\*?

From a McAfee KB:

Solution 2

Single Asterisk

A single asterisk * wildcard is used to denote single directory names.

For example, the exclusion: c:\directory1\*\directory2\ would exclude all of the following folders:

c:\directory1\shandy\directory2\

c:\directory1\roger\directory2\

c:\directory1\tiger\directory2\

c:\directory1\thomas\directory2\

NOTE: The trailing backslashes are mandatory for folder exclusions to work successfully.

David

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi,

Thanks for the information. One additional question: is there a functional difference between the VSE exclusions "C:\programm files\GFI\*", "C:\programm files\GFI" or "C:\programm files\GFI\"?

Regards Janni

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi Janni,

In this example C:\programm files\GFI\* I'm not sure this would be a valid exclusion based on what I have found in KB50998 as I think you need a trailing backslash.

In this example C:\programm files\GFI the exclusion would be for a file named GFI

and

In this example C:\programm files\GFI\ the exclusion would be for all files in folder GFI and if you selected "Also exclude subfolders" checkbox that should exclude all files in subfolders as well.

One way of testing this would be to implement the test policy and then use the EICAR test file and try saving it in the locations above with the various scenarios.

I hope this helps,

David
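
Added example (not part of any post in this thread and not McAfee code): a small Python audit that models the two points made in the replies above, namely that a process on the High or Low Risk list is governed by that policy's own exclusion list, and that the form of the exclusion string (trailing backslash, no backslash, trailing `\*`) changes how it is read. The `D:\Mail\Archive\` path and the policy dictionary layout are constructed assumptions.

```python
# Added example: a simplified model of the behaviour described in this thread,
# not McAfee code. Paths and process names below are constructed samples.
RISK_CLASSES = ("default", "high", "low")

def applicable_class(process, high_procs, low_procs, split_enabled=True):
    """Policy whose exclusion list applies to a file touched by `process`."""
    if split_enabled:
        name = process.lower()
        if name in high_procs:
            return "high"
        if name in low_procs:
            return "low"
    return "default"

def classify(entry):
    """Classify an exclusion string the way the replies above read it."""
    e = entry.strip()
    if e.endswith("\\"):
        return "folder"      # trailing backslash: folder exclusion
    if e.endswith("\\*"):
        return "uncertain"   # validity questioned in the thread
    return "file"            # no trailing backslash: read as a file name

def audit(policies, split_enabled=True):
    """List (entry, finding) pairs for Default exclusions that are not a
    clear folder exclusion or are absent from the High/Low Risk lists."""
    keys = {c: {e.strip().lower() for e in policies.get(c, [])}
            for c in RISK_CLASSES}
    findings = []
    for entry in policies.get("default", []):
        kind = classify(entry)
        if kind != "folder":
            findings.append((entry, "form:" + kind))
        if split_enabled:
            for cls in ("high", "low"):
                if entry.strip().lower() not in keys[cls]:
                    findings.append((entry, "missing-in:" + cls))
    return findings

SAMPLE = {  # constructed policy export
    "default": ["c:\\program Files\\GFI\\*", "D:\\Mail\\Archive\\"],
    "high": ["d:\\mail\\archive\\"],
    "low": [],
}

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE):
        print(f"{finding:16} {entry}")
```

Each reported entry is a candidate for the EICAR save test suggested above, run once per process class.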

Re: Regarding VSE 8.7 Scan exclusions in EPO 4.0

Hi,

Thanks a lot for the information.

Regards Janni