5 Replies Latest reply on Jun 24, 2010 5:56 PM by dppcmsj

    Help with folder exclusions...

    DarrenFord

      Hi Guys...

       


      Maybe someone can assist me with this. I have an application owner whose application is having issues due to McAfee OAS.

      The folders contain all file types and the business unit has requested that the folders be excluded totally, but after testing we have found that the files are constantly getting infected.

       

      Is there another way to get around this?

       

      Thanks in advance..

      Regards

      Darren

        • 1. Re: Help with folder exclusions...
          PhilR

          We could do with a few clues...

           

          What's the application?

           

          What issues are being caused?

           

          What are the infections?

           

          Where are they coming from?

          • 2. Re: Help with folder exclusions...
            DarrenFord

            Hi Phil...

             

            Apologies for the lack of info but it's hard to pinpoint some of the info...

             

            The application is called BDS and it's an in-house developed banking application used as the interface between the teller and the client when in the bank.

            When the business requested *.* exclusions on the entire folder we tested this as a POC and found that the files were being hit with Sality, Mabezat and others...

            These files are stored on the BDS server and the teller machines pull files from this server daily and when the files are infected they are deleted or no longer work.

            This renders the branch teller machine useless.

             

            Please let me know if you require any further info...

             

            Thanks

            Darren

            • 3. Re: Help with folder exclusions...
              PhilR

              You're going to need to trace the infection source and method in order to come up with a suitable solution.

               

              If infected files are getting on to a server you may have big problems elsewhere.

               

              If teller machines are infected with malware, they might also have keystroke loggers and similar nasties.

               

              In a banking environment, that is truly scary.

               

              Phil

               

               

              Message was edited by: PhilR on 23/06/10 08:10:39 CDT
              • 4. Re: Help with folder exclusions...

                Hi,

                 

                Most people will just randomly ask for full exclusions. You shouldn't give that to them without a good reason. In a situation like this you may want to look at the OAS logs and see where it is taking a long time to scan files. Also you can exclude all the non-executable extensions that are found inside the folder. Most problems happen with very large files, compressed files with lots of small files inside, or directories with files that are always changing, like logs and so on.

                 

                Don't give in to random exclusions or more and more will be added until you have so many that the AV is basically doing nothing, because all the important executables can be infected and you will never see it. You might already have this problem, check if some other already excluded path is not infecting the files for this new application. Run a full scan without exclusions if that is possible.

                 

                Seriously, when you are a bank and you have random infections on your production network I would get seriously worried, because if dumb viruses get in, other more directed stuff can get in.

                • 5. Re: Help with folder exclusions...

                  I would have to agree with the other sentiments expressed in this thread.

                   

                  You should *never* blindly exclude entire folders just because some developer asks for it. We get these types of requests all the time, and always force them to tell us why any exclusions should be added. We can almost always get them to narrow it down to specific file types based on the questions that others have already stated here in order to limit the attack vectors.

                   

                  The fact that you are seeing malware infections on the folders that are now excluded should be more than enough evidence that this is a bad idea, and the developers must be able to provide you with very specific information as to what file types are continually written to/changed, and if there are any specific subdirectories and/or file types that can be excluded rather than just *.* on an entire directory.

                   

                  You may also want to review the current VSE policy settings. Chances are they are not strong enough and malware that could be caught is being allowed to slip by.
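
The narrowing suggested in replies 4 and 5 (exclude only the non-executable file types actually present, instead of *.* on the folder), as an added example that is not part of the original thread: a Python inventory that groups a folder's files by extension and refuses any extension under which an executable was found, checking file content as well as the name. The `RISKY_EXTS` list and the function names are assumptions made for illustration, not a McAfee-supplied list or tool.

```python
import os
import sys
from collections import defaultdict

# Extensions Windows will run or load as code. Constructed short list for
# illustration (an assumption); extend it to match your own policy.
RISKY_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".ocx",
              ".bat", ".cmd", ".vbs", ".js"}

def is_pe(path):
    """True if the file begins with the 'MZ' DOS/PE header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return True  # unreadable (locked, denied): keep it under scanning

def exclusion_candidates(root):
    """Walk `root` and return (candidates, keep_scanned).

    Both are dicts of extension -> file count. An extension is a candidate
    only if no file carrying it is risky by name or by content, so a renamed
    executable (for example a PE file saved as .dat) disqualifies .dat.
    """
    total = defaultdict(int)
    risky = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower() or "<none>"
            total[ext] += 1
            if ext in RISKY_EXTS or is_pe(os.path.join(dirpath, name)):
                risky.add(ext)
    candidates = {e: n for e, n in total.items() if e not in risky}
    keep_scanned = {e: n for e, n in total.items() if e in risky}
    return candidates, keep_scanned

if __name__ == "__main__":
    # Usage: python inventory.py <application folder>
    cands, keep = exclusion_candidates(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("Extension exclusion candidates (no executable content seen):")
    for ext, count in sorted(cands.items()):
        print(f"  {ext:10} {count} file(s)")
    print("Must stay scanned:")
    for ext, count in sorted(keep.items()):
        print(f"  {ext:10} {count} file(s)")
```

The candidate list is input for the conversation with the application owner about which of those types are written often enough to cause the OAS delays; it is not a list to exclude wholesale.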