8 Replies. Latest reply: Feb 10, 2012 5:13 AM by dmease729

    Are folder exclusions recursive?

    dmease729

      Hi,

       

      Quick questions off the back of KB50998:

       

      1) If I exclude c:\dir1\dir2\ does that exclude every file in that directory only, or everything in subdirectories recursively? ie:

           - c:\dir1\dir2\hello.txt     is excluded

           - c:\dir1\dir2\dir3\helloagain.txt     excluded?

       

      2) If it *isn't* recursive, is the correct syntax to make it recursive c:\dir1\dir2\** or c:\dir1\dir2\**\ (I would go with the former at a guess)

       

      3) If it *is* recursive, what would be the best way to exclude everything *except* a given directory, if directory names under the configured excluded directory are subject to change, ie:

           - I want to exclude everything under c:\dir1\dir2\ *except* c:\dir1\dir2\dangerdir\

           - Subdirectory names can be random and are unknown at exception configuration time, so a folder called c:\dir1\dir2\thisisrandom2746\ could be created, and I do not want to scan this folder, and folders like this.

       

      I have a feeling that 1 is 'yes', so question 3 holds, but just thought I would run a quick sanity check! 

       

      cheers,

        • 1. Re: Are folder exclusions recursive?
          Attila Polinger

          Hello,

           

          If I exclude c:\dir1\dir2\ does that exclude every file in that directory only, or everything in subdirectories recursively? ie:

               - c:\dir1\dir2\hello.txt     is excluded

               - c:\dir1\dir2\dir3\helloagain.txt     excluded?

          In my opinion: c:\dir1\dir2\ excludes all files in this folder but not any subfolders unless you ticked the "Exclude subfolders" option, or maybe, specified the string to exclude as "C:\dir1\dir2\**\" (without specifying the "Exclude subfolders" option).

           

          The ** in this example "should" mean also the subfolder root pointer and any subfolder underneath.

           

          Attila

          • 2. Re: Are folder exclusions recursive?
            dmease729

            Hi,

             

            I actually knew that - my fault for juggling a few projects at once, my brain isn't working!

             

            Have you any ideas on my number 3) above, ie I select 'also exclude subfolders' but I want to then exclude a subfolder from that exclusion, if you get what I mean?  To be perfectly honest, this isn't a requirement for me at the moment, it's just something I have thought of :-)

            • 3. Re: Are folder exclusions recursive?
              Attila Polinger

              Hi,

               

              That is not easy: I think you need to account for any fixed folder names in the exclusion as well as files and specify the entire exclusion as a set of combinations of these, like this:

               

              c:\dir1\dir2\ with no Exclude subfolders

              c:\dir1\dir2\stablefolder1\ with exclude subfolders if needed or with a **\ suffix

              c:\dir1\dir2\stablefolder2\ with exclude subfolders if needed or with a **\ suffix

              etc.

               

              I've had just an identical situation in the case of an SCCM exclusion need where luckily we had just a few stable folder names (along with several changing ones), which were not very hard to explicitly specify. To my knowledge there is not a simple way of telling it to not exclude a given subfolder once you've excluded everything around it. Or you could use wildcards if the changing names show some pattern.

               

              Maybe you could use low and high risk processes and specify exclusion.

               

              If there are files with patterns in their extension or names under the changing folder names, then using high risk processes, specify the process that creates them and add them to the files to scan in a separate OAS policy for this high risk process, while you exclude the folders in the normal or low risk OAS policy.

               

              Attila
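
A simplified model of the exclusion layout suggested in the post above, as an added example that is not part of the original thread and not the product's own matching logic. It assumes each entry is a folder plus an "also exclude subfolders" flag, ignores wildcards, and uses constructed sample paths (`sample.bin`, `cache.tmp` and `a.dat` are made up); it shows that the layout keeps `dangerdir` scanned but also leaves the randomly named folder scanned, while a single recursive entry excludes both.

```python
from pathlib import PureWindowsPath

# Constructed entries in the layout from the post: (folder, also_exclude_subfolders)
EXCLUSIONS = [
    (r"c:\dir1\dir2", False),
    (r"c:\dir1\dir2\stablefolder1", True),
    (r"c:\dir1\dir2\stablefolder2", True),
]
MUST_SCAN = r"c:\dir1\dir2\dangerdir"
# Constructed sample files used to audit an exclusion set.
SAMPLES = [
    r"c:\dir1\dir2\hello.txt",
    r"c:\dir1\dir2\stablefolder1\sub\a.dat",
    r"c:\dir1\dir2\dangerdir\sample.bin",
    r"c:\dir1\dir2\thisisrandom2746\cache.tmp",
]

def _parts(path):
    # Windows paths compare case-insensitively; PureWindowsPath also
    # normalises forward slashes and trailing separators.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def is_excluded(file_path, exclusions=EXCLUSIONS):
    """True if any (folder, recursive) entry covers file_path (assumed model)."""
    parent = _parts(file_path)[:-1]
    for folder, recursive in exclusions:
        base = _parts(folder)
        if parent == base:                       # file sits directly in the folder
            return True
        if recursive and parent[:len(base)] == base:
            return True                          # file sits somewhere below it
    return False

def audit(exclusions, must_scan, samples):
    """Return (leaks, still_scanned).
    leaks: samples under must_scan that the entries would exclude.
    still_scanned: samples outside must_scan that no entry covers."""
    guard = _parts(must_scan)
    leaks, still_scanned = [], []
    for f in samples:
        under_guard = _parts(f)[:len(guard)] == guard
        excluded = is_excluded(f, exclusions)
        if under_guard and excluded:
            leaks.append(f)
        elif not under_guard and not excluded:
            still_scanned.append(f)
    return leaks, still_scanned

if __name__ == "__main__":
    print("per-folder layout:", audit(EXCLUSIONS, MUST_SCAN, SAMPLES))
    print("one recursive entry:", audit([(r"c:\dir1\dir2", True)], MUST_SCAN, SAMPLES))
```
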

              • 4. Re: Are folder exclusions recursive?
                dmease729

                Good suggestions!  Problem with using the different processes is that in order to scan folders/files on the premise that any process could read/write to a file maliciously that may otherwise have been excluded, the 'excluded exclusion' would need to go in the default processes exclusions (or not, as is the case here!).  If it were added to high-risk (or even low-risk) then it would only be scanned if a specific process in this policy carried out a read or write on it.  Saying that, most of the high risk processes are likely to be known, so I may be overcomplicating things here.  This is fun! :-D

                • 5. Re: Are folder exclusions recursive?
                  Attila Polinger

                  The whole scenario will be blown when VirusScan is presented with file paths such as Device\Harddisk1\etc. You then need to start over.

                  • 6. Re: Are folder exclusions recursive?
                    dmease729

                    I usually test with EICAR and check the on-access logs - with the physical/logical side of things, I think it's always one or the other, and doesn't change?  If that is not the case, I'm gonna start doubling the size of my exclusion lists!!! ;-)

                    • 7. Re: Are folder exclusions recursive?
                      Attila Polinger

                      Just before doing so, pls review these:

                       

                      KB61143 KB61000 and KB67648

                       

                      Attila

                      • 8. Re: Are folder exclusions recursive?
                        dmease729

                        KB61143: "The On-Access Scanner will use exclusions by drive letter or device name" - confirms my above question.  There should be no weird situations on a protected host where sometimes you use one and sometimes you use the other!
                        KB61000: Already have, but it does have a good note on WinObj (I haven't used it yet, but will take it as read that it shows the mappings!)
                        KB67648: I test this way already :-)  Good articles though!