6 Replies Latest reply on Jul 27, 2011 12:24 AM by Katalyst

    Novell ZCM exclusions

    Katalyst

      We are in the process of migrating applications from Zen 7 to ZCM and have had a significant number of JS/Exploit-Script alerts during this process. To help the guys doing the application migration I have temporarily disabled VSE on this machine to allow for this to occur without VSE constantly deleting the files. I have reviewed the "Recommended ZCM Anti-Virus Exclusions" posted by Novell, but am slightly concerned with a few things.


      Was wondering whether anyone else has run into this and if they have any suggestions / ideas? I don't want to blindly put in exclusions because a vendor recommends it, and leave a gaping hole in our protection in the meantime.


      Currently running 8.5 on the majority of the desktops, but aiming to roll out 8.8 before the end of the year. Any exclusions would only be added to VSE 8.8 policies.


      Any help is appreciated - even if it is just to ease my paranoia.

        • 1. Re: Novell ZCM exclusions
          kjhurni

          Yes, I've put those exclusions in and it significantly increases the ZCM performance (login times, etc.)


          Technically ANY exclusion could be a security risk, but the fact of the matter is that Novell, (like MS, and even McAfee) has a list of exclusions to make the software work period, let alone work well (ie, you forget to exclude some of the .DAT files in the mcafee directory and it'll hose itself when it tries to update).  Or if you don't exclude things for MS Exchange, your performance goes in the toilet.


          The ZPM stuff is fingerprinted, so you should be okay there (ie, they'd have to tamper with the files from MS in order for those to get infected), and the rest of the ZCM bundles you make yourself, so unless you suspect that your Office 2007/2010 DVD from MS is tainted, there's little risk, IMO.

          • 2. Re: Novell ZCM exclusions
            Katalyst

            Thanks for your response and assisting with my paranoia.


I still don't know if I will be able to allow myself to exclude %SystemRoot%\system32\secedit.exe, %SystemRoot%\system32\winlogon.exe & %SystemRoot%\system32\wuauclt.exe though.


Maybe I will see how it goes without those excluded first...

            • 3. Re: Novell ZCM exclusions
              kjhurni

              I don't think the secedit.exe is really necessary (at least I don't exclude it) but then again, I'm not pushing any GPO for security settings either.


              I don't recall excluding winlogon.exe (although I think this is already included in a lot of pre-built stuff that McAfee has in there--for example, the access protection shows this as being allowed to adjust McAfee settings and things already).


              I DID exclude the wuauclt.exe since it's used by the ZPM process for scanning the system.  Otherwise, your CPU utilization goes through the roof when the DAU runs.


What I did for the wuauclt.exe though, was put it in my "low risk" processes for the On-Access Scanning.


I'll have to look at the TID again (I see they recently updated it) and see what their wording is. I don't think you necessarily have to let it have free rein, but possibly just designate "these things scan these certain directories, so don't do the On-Access Scanning".

              • 4. Re: Novell ZCM exclusions
                Katalyst

I think I have confused myself completely trying to implement the exclusions (potentially reading too much into it).


Adding the exclusions for the file types is fine through the Policy exclusions, but I'm unsure on the exclusion requests for the activity of the ZENworks processes such as %ZENWORKS_HOME%\bin\analyze.exe


I'm learning about the configuration of low and high risk processes as part of implementing my new policies and thought you could do it through there. There seem to be a couple of issues I perceive with doing this:

                - I have configured my settings for low risk to scan on write (which I would like to keep), so the activity on write would still be scanned

                - Putting processes into the "low-risk" appears to only allow the name of the process, not the location from where it was spawned. I assume that this means I would effectively have to exclude any process named "analyze.exe"


                Hope this makes sense.
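The concern in the second bullet above (a "low-risk process" entry matches on image name only, not on the path it was launched from) can be turned into a simple audit. The following is an added example, not code from the thread or from Novell/McAfee: given a process inventory of (pid, image path) pairs, it flags any process carrying an excluded ZCM name that is running outside the directory the exclusion was written for. The %ZENWORKS_HOME% expansion and the sample inventory are constructed.

```python
"""Audit a process inventory against name-only AV process exclusions.

Added example, not from the thread: VSE low-risk process entries match on
image name only, so this check reports excluded names running from anywhere
other than the expected ZENworks bin directory.
"""
import ntpath

# Process names from the Novell exclusion list discussed in the thread.
EXCLUDED_PROCESS_NAMES = {"analyze.exe", "cabarc.exe", "mcescan.exe", "zenuserdaemon.exe"}

# Assumed expansion of %ZENWORKS_HOME%\bin on the client (constructed path).
ZENWORKS_BIN = r"C:\Program Files\Novell\ZENworks\bin"


def is_under(path, root):
    """True if `path` lies inside `root` (case-insensitive Windows semantics)."""
    norm_path = ntpath.normcase(ntpath.normpath(path))
    norm_root = ntpath.normcase(ntpath.normpath(root))
    return norm_path == norm_root or norm_path.startswith(norm_root + "\\")


def find_exclusion_abuse(processes, excluded_names=EXCLUDED_PROCESS_NAMES,
                         expected_dir=ZENWORKS_BIN):
    """Return (pid, image_path) for excluded names running outside expected_dir.

    `processes` is an iterable of (pid, full image path) pairs, e.g. exported
    from an inventory tool or `Get-Process | Select Id, Path`.
    """
    findings = []
    for pid, image_path in processes:
        name = ntpath.basename(image_path).lower()
        if name in excluded_names and not is_under(image_path, expected_dir):
            findings.append((pid, image_path))
    return findings


# Constructed sample inventory: two legitimate ZCM processes, one lookalike,
# one unrelated process.
SAMPLE_PROCESSES = [
    (1204, r"C:\Program Files\Novell\ZENworks\bin\analyze.exe"),
    (1310, r"C:\Program Files\Novell\ZENworks\bin\ZenUserDaemon.exe"),
    (2288, r"C:\Users\Public\Downloads\analyze.exe"),
    (2301, r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, path in find_exclusion_abuse(SAMPLE_PROCESSES):
        print(f"PID {pid}: excluded name running outside ZENworks bin: {path}")
```

Only the lookalike in the Downloads folder is reported; the two processes under the ZENworks bin directory pass.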

                • 5. Re: Novell ZCM exclusions
                  kjhurni

                  Novell's TID is a little generic, but that's mainly due to how the different AV vendors do their exclusions.


                  So this is what I did:


The first part (exclude activity of the following exes:)

Those exes I put into the "low risk process". Yes, it's just the name, but I think not all AV vendors do things this way, so that's why Novell puts the path to the file in there. Now, in MY case, I have those set to not do read/write but that's just us. To be honest, it's a mixed bag. analyze.exe, cabarc.exe, mcescan.exe, for example, are VERY heavy on the "read" process. So is colw32.exe (although it does write a little bit as well). Whereas zenUserDaemon (and all the zen*.exe) are heavy on BOTH reads/writes.


                  Then there's the "exclude following files from being scanned" section.

                  In EPO, I put those directories into the "low risk process" EXCLUSIONS tab (which in my case probably doesn't make any difference).  In your case, it may help on the read/write situation.


                  Although I just excluded the entire \cache directory (just like we also exclude the \msocache that Office 2007/2010 uses or else installs take like 40 minutes).


                  I hope this helps.

                  • 6. Re: Novell ZCM exclusions
                    Katalyst

                    Thanks so much for all your assistance.


                    I have put in the exclusions and am in the process of testing. So far so good.