becke

odd exclusion syntax in ePO for VSE

Is anyone familiar with the exclusion syntax with the prefix "\:::" for ePO/VSE process exclusion? Is it documented anywhere?

I can find no documentation anywhere on what this syntax means - it appears to function as if it references the current McAfee VSE install directory on the client.

The instance of this syntax is located in our ePO installation (that I inherited) in an assigned policy at the root of the system tree of category: VirusScan Enterprise 8.8.0 : Access Protection Policies

Within this policy and the defined access protection rules under category "Common Standard Protection" : Prevent modification of McAfee files and settings, it has a bunch of executables it's excluding with this odd syntax.

exclusions.png

The executables being excluded are in the VSE folder and do seem to be successfully excluded -

EXCEPT in the case when we were updating HIPS on the clients - this caused the exclusions to fail until we restart the clients - at which point the exclusions start working again.

2 Replies

Re: odd exclusion syntax in ePO for VSE

I suggest you configure your HIPS in Adaptive mode for a while, then see the result.

Re: odd exclusion syntax in ePO for VSE

That's odd, never seen wildcards like that before. Usually they are something like the below:

Wildcards (**, *, ?) are helpful in creating exclusions for VSE, but certain rules apply (see examples below).

• The ? wildcard is used to represent a single character in the exact position where it is placed in the path or file name.

• The * wildcard is used to represent partial filenames or extensions with one or more characters from the exact position where it is placed in the path \ file given.

• The ** wildcard is generally used for (partial) filenames or extensions with one or more characters from the exact position where it is placed in the path \ file given.

• System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot because the On‑Access scanner runs under the Windows Local System account.

We have wildcards within VSE for things like this, but never seen the ::: before

**\*.html

<drive>:\**\test.exe

<drive>:\**\*.tmp