The process exclusion is meant to apply to the High and Low risk processes of On Access Scanner, that is, different OAS settings (such as exclusions) will apply to files handled by these processes. You can list process names on these property pages.
Using pattern as in your example in file exclusion instead of using type exclusion should be okay (since that is a pattern matching exclusion).
I hope I did not misunderstand your questions.
Thanks for your help.
I am familiar with high and low risk process policies, high meaning: scan on write and read, and low meaning: scan on write only. I am not interested in these at all. I saw the tab for exclusions in both high and low risk policies, but it's not clear if items set here are excluded from low/high risk scan modes or they are excluded from scanning altogether? Also, when you want to add a process on a list at the first tab (add high/low risk process), there is only 1 field, and if you go to the exclusions tab, it looks the same as the exclusion tab in "on-access" policies. I guess it should be okay to simply add a process (an exe file name without its path) in the first field (by pattern), but I would like someone to confirm this.
Also, do I need to exclude processes using high/low risk policies, or can I use on-access ones?
Since I cannot test **\*.xxx I would appreciate it if someone could confirm this as well.
Okay, I got it right about setting 3+ characters extensions following this doco
A common error when configuring exclusions for file extensions is to exclude extensions in the same way as file and folder exclusions. For example, if an application writes data to files with the extensions SRTT and SRTS, it may at first seem logical to create the exclusions below:
- **\*.SRTT (exclude all files with SRTT extension in any directory or sub-directory)
- **\*.SRTS (exclude all files with SRTS extension in any directory or sub-directory)
These exclusions will work, but you might experience a negative performance impact. It is also harder to manage a large list of individual exclusions. In this scenario, it is more efficient to add a new extension exclusion for SRT (the three-letter limitation is automatically enforced when you enter the extension to exclude).
but it's not clear if items set here are excluded from low/high risk scan modes or they are excluded from scanning altogether?
These exclusions are enforced to different branches in local registry for default, high and low process policies so they must not prevail simultaneously and must be individually the source for exclusion (ie. registry branch for default policy should not prevail when high or low risk policy is in effect).
when you want to add a process on a list at the first tab (add high/low risk process), there is only 1 field, and if you go to the exclusions tab, it looks the same as the exclusion tab in "on-access" policies
Do you by chance use ePO in managing these policies? Then there is a chance to add more than one process name to the list.
The exclusion tab page can look the same as long as the ePO policy title reminds us where we are actually.
Also do I need to exclude processes using high/low risk policies, or I can use on-access ones
I feel as if you had some confusion here (sorry if I'm mistaken): processes are not subject to exclusions. It is the files opened, closed, written, renamed etc. by these processes that could have a different OAS policy. You define a process policy to define a different OAS policy, which happens to have its own exclusion list, too.
If you want a file to be completely excluded from scanning, no matter which process has created it, use the exclusion page of the policy type you are enforcing (default or high/low risk processes).