3 Replies Latest reply on Sep 3, 2010 12:05 PM by rmetzger

    Exclusions - low risk vs. default for on access scans?

    kjhurni

      When you are going into the exclusions in VSE 8.5/8.7 (i.e., you want to exclude a file or a directory):

       

      Which do you put where?

       

      Meaning, let's say you have a process defined in the "low risk" policy.  Do you put the file exclusion in the low risk?

       

      Or what if you're not sure which "thing" is scanning that directory/file, do you put the exclusion in the default policy section?

       

      I know which services I want to define as low risk, just not sure about the "exclusion" part.

       

      In other words, if you put it in the low-risk does it only get excluded from scanning if it's being "touched" by one of the services listed in the low-risk processes?

        • 1. Re: Exclusions - low risk vs. default for on access scans?
          rmetzger

          kjhurni wrote:

           

          ...

           

          In other words, if you put it in the low-risk does it only get excluded from scanning if it's being "touched" by one of the services listed in the low-risk processes?

          Yes! That is the point of Low-Risk processes and the associated exclusions. Other processes are not Low-Risk and the exclusion does not apply to those other processes.

           

          So, if I have a custom built application (in which I have complete confidence) that accesses a specific file repeatedly, I would place that process / application in the low-risk profile, and exclude the accessed file from scanning within the low-risk profile. Later, I access that (excluded) file via Internet Explorer. That access (by Internet Explorer) should be scanned, since Internet Explorer is not defined as the low-risk process with the exclusion for that file.

           

          Hope this makes sense.

          Ron Metzger

          • 2. Re: Exclusions - low risk vs. default for on access scans?
            kjhurni

            Thanks Ron

             

            Yes, that makes sense.

             

            So the "exclusions" in low-risk only really work if it "matches" up with the processes you already defined.

             

            Okay good.

             

            (the docs from McAfee are not really clear on how that all works)

             

            I am also assuming that if you did NOT have the "right" stuff in the low-risk that the default ones would then take over (assuming it's not finding a match in the high-risk section).

            • 3. Re: Exclusions - low risk vs. default for on access scans?
              rmetzger

              kjhurni wrote:

               

              ...

               

              Yes, that makes sense.

               

              ...

              I am also assuming that if you did NOT have the "right" stuff in the low-risk that the default ones would then take over (assuming it's not finding a match in the high-risk section).

              Exactly.

               

              Care must be taken when defining the same process in both the low-risk and high-risk processes. It gets tricky. A great deal of testing should be done in that case, say, where you have a browser based application running locally, but you want to lock down Internet access.

               

              Have fun.

              Ron Metzger
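
Added example (not from the thread and not McAfee code): a simplified Python model of the policy selection described in the replies above, usable to list which process/file accesses would go unscanned under a given set of exclusions. The process names, paths, dict layout and fnmatch-style case-insensitive matching are assumptions, as is each policy consulting only its own exclusion list.

```python
from fnmatch import fnmatchcase

# Constructed sample policies. Process names, paths and this dict layout are
# hypothetical; this is not VSE's real configuration format.
POLICIES = {
    "low": {"processes": {"customapp.exe"},
            "exclusions": [r"d:\appdata\queue.dat"]},
    "high": {"processes": {"iexplore.exe"}, "exclusions": []},
    "default": {"processes": set(), "exclusions": [r"c:\temp\*.log"]},
}

def overlapping_processes(policies):
    """Processes listed as both low-risk and high-risk (needs manual testing)."""
    return sorted(policies["low"]["processes"] & policies["high"]["processes"])

def policy_for(process, policies):
    """Pick the policy whose settings govern an access by this process."""
    name = process.lower()
    hits = [p for p in ("low", "high") if name in policies[p]["processes"]]
    if len(hits) == 2:
        # The thread only says this case "gets tricky"; do not guess precedence.
        raise ValueError(f"{name} is defined as both low-risk and high-risk")
    return hits[0] if hits else "default"

def is_scanned(process, path, policies):
    """True if this access would be scanned in the model (assumed matching:
    case-insensitive, fnmatch-style wildcards, own policy's exclusions only)."""
    rules = policies[policy_for(process, policies)]["exclusions"]
    return not any(fnmatchcase(path.lower(), pat.lower()) for pat in rules)

def unscanned_pairs(processes, paths, policies):
    """Audit helper: every (process, path) access that bypasses scanning."""
    return [(proc, path) for proc in processes for path in paths
            if not is_scanned(proc, path, policies)]

if __name__ == "__main__":
    procs = ["customapp.exe", "iexplore.exe", "notepad.exe"]
    files = [r"D:\AppData\queue.dat", r"C:\Temp\install.log"]
    for proc, path in unscanned_pairs(procs, files, POLICIES):
        print(f"NOT scanned: {proc} -> {path}")
```

Running `overlapping_processes` first over a real policy export shows which processes fall into the case the last reply says needs extra testing.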