Is anyone familiar with the exclusion syntax with the prefix "\:::" for ePO/VSE process exclusion? Is it documented anywhere?
I can find no documentation anywhere on what this syntax means - it appears to function as if it references the current McAfee VSE install directory on the client.
The instance of this syntax is located in our ePO installation (that I inherited) in an assigned policy at the root of the system tree of category: VirusScan Enterprise 8.8.0 : Access Protection Policies
Within this policy and the defined access protection rules under category "Common Standard Protection" : Prevent modification of McAfee files and settings, it has a bunch of executables it's excluding with this odd syntax.
The executables being excluded are in the VSE folder and do seem to be successfully excluded -
EXCEPT in the case when we were updating HIPS on the clients - this caused the exclusions to fail until we restart the clients - at which point the exclusions start working again.
That's odd, never seen wildcards like that before. Usually they are something like the below:
Wildcards (**, *, ?) are helpful in creating exclusions for VSE, but certain rules apply (see examples below).
• The ? wildcard is used to represent a single character in the exact position where it is placed in the path or file name.
• The * wildcard is used to represent partial filenames or extensions with one or more characters from the exact position where it is placed in the path \ file given.
• The ** wildcard is generally used for (partial) filenames or extensions with one or more characters from the exact position where it is placed in the path \ file given.
• System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot because the On‑Access scanner runs under the Windows Local System account.
We have wildcards within VSE for things like this, but never seen the ::: before