4 Replies Latest reply on Apr 12, 2011 3:18 AM by Attila Polinger

    Excluding processes and extensions with more than 3 characters

      Hi guys,

      I am following this TechNet article in order to configure exclusions for MS Exchange 2010 servers. The article recommends excluding some Windows and Exchange related processes. Since there is no specific option for excluding a process, should I simply exclude them by excluding their file names, e.g. **\cdb.exe and **\cidaemon.exe?

      Another question is about file extensions which are longer than 3 characters. There are files that should be excluded, e.g. .config and .grxml. Since I cannot enter more than 3 characters into the field "by file type", is it okay to set it in the field "by pattern" like this: **\*.config and **\*.grxml?

      Thanks

      Zoran

        • 1. Re: Excluding processes and extensions with more than 3 characters
          Attila Polinger

          Hi,

          the process exclusion is meant to apply to the High and Low risk processes of the On Access Scanner, that is, different OAS settings (such as exclusions) will apply to files handled by these processes. You can list process names on these property pages.

          Using a pattern, as in your example, in the file exclusion instead of using a type exclusion should be okay (since that is a pattern matching exclusion).

          I hope I did not misunderstand your questions.

          Attila

          • 2. Re: Excluding processes and extensions with more than 3 characters

            Hi Attila,

            Thanks for your help.

            I am familiar with high and low risk process policies, high meaning: scan on write and read, and low meaning: scan on write only. I am not interested in these at all. I saw the tab for exclusions in both high and low risk policies, but it's not clear if items set here are excluded from low/high risk scan modes or they are excluded from scanning altogether. Also, when you want to add a process to a list at the first tab (add high/low risk process), there is only 1 field, and if you go to the exclusions tab, it looks the same as the exclusion tab in "on-access" policies. I guess it should be okay to simply add a process (an exe file name without its path) in the first field (by pattern), but I would like someone to confirm this.

            Also, do I need to exclude processes using high/low risk policies, or can I use on-access ones?

            Since I cannot test **\*.xxx I would appreciate it if someone could confirm this as well.

            Thanks

            Zoran

            Message was edited by: mauser on 11/04/11 18:03:51 CDT
            • 3. Re: Excluding processes and extensions with more than 3 characters

              Okay, I got it right about setting 3+ character extensions following this doco:

              https://kc.mcafee.com/corporate/index?page=content&id=KB50998

              A common error when configuring exclusions for file extensions is to exclude extensions in the same way as file and folder exclusions. For example, if an application writes data to files with the extensions SRTT and SRTS, it may at first seem logical to create the exclusions below:

              • **\*.SRTT (exclude all files with SRTT extension in any directory or sub-directory)
              • **\*.SRTS (exclude all files with SRTS extension in any directory or sub-directory)

              These exclusions will work, but you might experience a negative performance impact. It is also harder to manage a large list of individual exclusions. In this scenario, it is more efficient to add a new extension exclusion for SRT (the three-letter limitation is automatically enforced when you enter the extension to exclude).

              Thanks

              Zoran
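An added worked example (written for this thread, not code from the forum or from McAfee): a small Python model of the two exclusion kinds discussed above, the `**\*.ext` "by pattern" entry and the three-letter "by file type" entry as the KB excerpt describes it. It assumes that a leading `**\` means "in any directory" and that the three-letter entry is compared with the first three letters of a file's extension (that is what makes `SRT` cover `SRTT` and `SRTS`), and it uses constructed sample paths to show how much further the `SRT` entry reaches than the two patterns, which is what an administrator should review before choosing it.

```python
import fnmatch
import ntpath  # Windows path semantics regardless of the host OS


def matches_pattern(path: str, pattern: str) -> bool:
    """Model of a 'by pattern' exclusion such as **\\*.SRTT.
    Assumption: a leading '**\\' means 'in any directory or sub-directory',
    so the rest of the pattern is matched against the file name only;
    without that prefix the whole path is matched. Case-insensitive."""
    path, pattern = path.lower(), pattern.lower()
    if pattern.startswith("**\\"):
        return fnmatch.fnmatchcase(ntpath.basename(path), pattern[3:])
    return fnmatch.fnmatchcase(path, pattern)


def matches_extension(path: str, ext: str) -> bool:
    """Model of a 'by file type' exclusion.
    The KB excerpt says the entry is cut to three letters and that 'SRT'
    then covers SRTT and SRTS, so this model keeps the first three letters
    of the entry and compares them with the first three letters of the
    file's extension. That is an assumption about the product."""
    wanted = ext.lstrip(".").lower()[:3]
    actual = ntpath.splitext(path)[1].lstrip(".").lower()[:3]
    return bool(wanted) and actual == wanted


def compare_exclusions(files, patterns, extensions):
    """Return (files hit by the patterns, files hit by the extension entries)
    so the reach of the three-letter exclusion can be reviewed."""
    by_pattern = {f for f in files if any(matches_pattern(f, p) for p in patterns)}
    by_ext = {f for f in files if any(matches_extension(f, e) for e in extensions)}
    return by_pattern, by_ext


# Constructed sample paths; not taken from any real server.
SAMPLE_FILES = [
    r"C:\Data\report.SRTT",
    r"C:\Data\sub\index.SRTS",
    r"C:\Data\notes.SRT",
    r"C:\Data\archive.SRTX",
    r"C:\Data\readme.txt",
]

if __name__ == "__main__":
    by_pattern, by_ext = compare_exclusions(
        SAMPLE_FILES, [r"**\*.SRTT", r"**\*.SRTS"], ["SRT"])
    print("excluded by patterns :", sorted(by_pattern))
    # Files the 'SRT' entry exempts from scanning beyond the two patterns.
    print("extra reach of 'SRT' :", sorted(by_ext - by_pattern))
```

The last line lists files such as notes.SRT and archive.SRTX that the three-letter entry exempts from scanning even though no pattern named them.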

              • 4. Re: Excluding processes and extensions with more than 3 characters
                Attila Polinger

                Hi,

                but it's not clear if items set here are excluded from low/high risk scan modes or they are excluded from scanning all together?

                These exclusions are enforced in different branches of the local registry for the default, high and low process policies, so they must not prevail simultaneously and must individually be the source for exclusion (i.e. the registry branch for the default policy should not prevail when the high or low risk policy is in effect).

                when you want to add a process on a list at the first tab (add high/low risk process), there is only 1 field, and if you go to the exclusions tab, it looks the same as the exclusion tab in "on-access" policies

                Do you by chance use ePO in managing these policies? Then there is a chance to add more than one process name onto the list.

                The exclusion tab page can look the same as long as the ePO policy title reminds us where we actually are.

                Also do I need to exclude processes using high/low risk policies, or I can use on-access ones

                I feel as if you had some confusion here (sorry if I am mistaken): processes are not subject to exclusions. It is the files opened, closed, written, renamed etc. by these processes that could have a different OAS policy. You define a process policy to define a different OAS policy, which happens to have its own exclusion list, too.

                If you want a file to be completely excluded from scanning, no matter which process has created it, use the exclusion page of the policy type you are enforcing (default or high/low risk processes).


                Attila