Yes, I've put those exclusions in and it significantly increases the ZCM performance (login times, etc.)
Technically ANY exclusion could be a security risk, but the fact of the matter is that Novell (like MS, and even McAfee) has a list of exclusions to make the software work, period, let alone work well (i.e., if you forget to exclude some of the .DAT files in the McAfee directory, it'll hose itself when it tries to update). Or if you don't exclude things for MS Exchange, your performance goes in the toilet.
The ZPM stuff is fingerprinted, so you should be okay there (i.e., they'd have to tamper with the files from MS in order for those to get infected), and the rest of the ZCM bundles you make yourself, so unless you suspect that your Office 2007/2010 DVD from MS is tainted, there's little risk, IMO.
Thanks for your response and assisting with my paranoia.
I still don't know if I will be able to allow myself to exclude %SystemRoot%\system32\secedit.exe, %SystemRoot%\system32\winlogon.exe and %SystemRoot%\system32\wuauclt.exe, though.
Maybe I will see how it goes without those excluded first...
I don't think the secedit.exe is really necessary (at least I don't exclude it) but then again, I'm not pushing any GPO for security settings either.
I don't recall excluding winlogon.exe (although I think this is already included in a lot of the pre-built stuff that McAfee has in there; for example, the access protection already shows this as being allowed to adjust McAfee settings and things).
I DID exclude the wuauclt.exe since it's used by the ZPM process for scanning the system. Otherwise, your CPU utilization goes through the roof when the DAU runs.
What I did for the wuauclt.exe, though, was put it in my "low risk" processes for the On-Access Scanning.
I'll have to look at the TID again (I see they recently updated it) and see what their wording is. I don't think you necessarily have to let it have free rein, but possibly just designate "these things scan these certain directories, so don't do the On-Access Scanning").
Adding the exclusions for the file types is fine through the Policy exclusions, but I'm unsure about the exclusion requests for the activity of the ZENworks processes such as %ZENWORKS_HOME%\bin\analyze.exe.
I'm learning about the configuration of low and high risk processes as part of implementing my new policies and thought you could do it through there. There seem to be a couple of issues I perceive with doing this:
- I have configured my settings for low risk to scan on write (which I would like to keep), so the activity on write would still be scanned
- Putting processes into the "low-risk" appears to only allow the name of the process, not the location from where it was spawned. I assume that this means I would effectively have to exclude any process named "analyze.exe"
Hope this makes sense.
Novell's TID is a little generic, but that's mainly due to how the different AV vendors do their exclusions.
So this is what I did:
The first part ("exclude activity of the following exe's"):
Those exe's I put into the "low risk process" list. Yes, it's just the name, but I think not all AV vendors do things this way, so that's why Novell puts the path to the file in there. Now, in MY case, I have those set to not scan on read/write, but that's just us. To be honest, it's a mixed bag. analyze.exe, cabarc.exe and mcescan.exe, for example, are VERY heavy on the "read" side. So is colw32.exe (although it does write a little bit as well). Whereas zenUserDaemon (and all the zen*.exe) are heavy on BOTH reads and writes.
Then there's the "exclude following files from being scanned" section.
In ePO, I put those directories into the "low risk process" EXCLUSIONS tab (which in my case probably doesn't make any difference). In your case, it may help with the read/write situation.
Although I just excluded the entire \cache directory (just like we also exclude the \msocache that Office 2007/2010 uses or else installs take like 40 minutes).
I hope this helps.
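The two posts above raise the same caveat from different sides: the "low risk process" list keys on the file name only, so any binary called analyze.exe or wuauclt.exe anywhere on the box inherits the relaxed scanning. The PowerShell below is an added example, not something posted in this thread or shipped by Novell or McAfee; it audits that risk before (and periodically after) the exclusions go in, by finding every copy of each excluded name on the system drive, flagging copies outside the expected path, and checking the Authenticode signature of each. The process names come from the thread; the fallback ZENworks install path and the expected-location mapping are assumptions for illustration.

```powershell
# Added example (not from the thread or the vendors). Audits the binaries behind
# name-only "low risk process" exclusions: locates every file with each excluded
# name on the system drive, marks copies outside the expected path, and reports
# the Authenticode signature status and signer of each copy.
# Assumptions: the fallback ZENworks path below is illustrative; adjust to your install.
# Written to run on PowerShell 2.0+ (no -File switch, no [pscustomobject]).

$zenHome = if ($env:ZENWORKS_HOME) { $env:ZENWORKS_HOME } else { 'C:\Program Files (x86)\Novell\ZENworks' }

# Excluded process names discussed in the thread -> where the legitimate copy should live.
$expected = @{
    'winlogon.exe' = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    'wuauclt.exe'  = Join-Path $env:SystemRoot 'System32\wuauclt.exe'
    'secedit.exe'  = Join-Path $env:SystemRoot 'System32\secedit.exe'
    'analyze.exe'  = Join-Path $zenHome 'bin\analyze.exe'
}

$report = @()
foreach ($name in $expected.Keys) {
    $canonical = $expected[$name]

    # Every file with this name would inherit the name-based exclusion, not just the canonical one.
    $copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer }

    if (-not $copies) {
        $report += New-Object PSObject -Property @{
            Name = $name; Location = 'not found'; Path = ''; Signature = ''; Signer = ''
        }
        continue
    }

    foreach ($f in $copies) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $report += New-Object PSObject -Property @{
            Name      = $name
            Location  = if ($f.FullName -ieq $canonical) { 'expected' } else { 'UNEXPECTED' }
            Path      = $f.FullName
            Signature = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = $signer
        }
    }
}

# Anything flagged UNEXPECTED or with a Signature other than Valid deserves a look before
# (or after) the name-based exclusion is trusted.
$report | Sort-Object Location, Name | Format-Table Name, Location, Signature, Path, Signer -AutoSize
```

Run it elevated so the recursive search can read all of %SystemDrive%; the search is slow on large drives, which is acceptable for a one-off audit but worth scoping to user-writable directories if you schedule it. A copy flagged UNEXPECTED with a Valid signature from the same publisher is usually just an installer cache; an unsigned or HashMismatch copy under a user profile or temp directory is exactly the case the name-only exclusion would let through.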
Thanks so much for all your assistance.
I have put in the exclusions and am in the process of testing. So far so good.