If I exclude c:\dir1\dir2\ does that exclude every file in that directory only, or everything in subdirectories recursively? ie:
- c:\dir1\dir2\hello.txt is excluded
- c:\dir1\dir2\dir3\helloagain.txt excluded?
In my opinion: c:\dir1\dir2\ excludes all files in this folder but not any subfolders unless you ticked the "Exclude subfolders" option, or maybe, specified the string to exclude as "C:\dir1\dir2\**\" (without specifying the "Exclude subfolders" option).
The ** in this example "should" mean also the subfolder root pointer and any subfolder underneath.
I actually knew that - my fault for juggling a few projects at once, my brain isn't working!
Have you any ideas on my number 3) above, i.e. I select 'also exclude subfolders' but I want to then exclude a subfolder from that exclusion, if you get what I mean? To be perfectly honest, this isn't a requirement for me at the moment, it's just something I have thought of :-)
That is not easy: I think you need to account for any fixed folder names in the exclusion as well as files and specify the entire exclusion as a set of combinations of these, like this:
- c:\dir1\dir2\ with no Exclude subfolders
- c:\dir1\dir2\stablefolder1\ with exclude subfolders if needed or with a **\ suffix
- c:\dir1\dir2\stablefolder2\ with exclude subfolders if needed or with a **\ suffix
I've had an identical situation in the case of an SCCM exclusion need where luckily we had just a few stable folder names (along with several changing ones) which were not very hard to explicitly specify. To my knowledge there is no simple way of telling it not to exclude a given subfolder once you've excluded everything around it. Or you could use wildcards if the changing names show some pattern.
Maybe you could use low and high risk processes and specify exclusion.
If there are files with patterns in their extension or names under the changing folder names, then using high risk processes, specify the process that creates them and add them to the files to scan in a separate OAS policy for this high risk process, while you exclude the folders in the normal or low risk OAS policy.
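As an added illustration (not code from the thread, and not McAfee's own matching logic), the following Python models the folder-exclusion semantics described above so you can audit what an exclusion list leaves unscanned. It assumes three things taken from the posts rather than verified against the product: a folder exclusion without "Exclude subfolders" covers only files directly in that folder, a trailing **\ behaves like ticking "Exclude subfolders", and * / ? wildcards match within a single folder name.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class Exclusion:
    folder: str                       # e.g. "c:\\dir1\\dir2\\" (trailing backslash optional)
    exclude_subfolders: bool = False  # the "Exclude subfolders" tick box

def _parts(path: str) -> tuple[str, ...]:
    # Windows paths are case-insensitive, so compare lower-cased components.
    return tuple(p.rstrip("\\").lower() for p in PureWindowsPath(path).parts)

def is_excluded(file_path: str, exclusions: list[Exclusion]) -> bool:
    """True if any exclusion covers file_path under the semantics assumed here."""
    parent = _parts(file_path)[:-1]  # the folder the file lives in
    for ex in exclusions:
        pattern, recursive = _parts(ex.folder), ex.exclude_subfolders
        # Assumed from the thread: a trailing "**\" means "this folder and all below it".
        if pattern and pattern[-1] == "**":
            pattern, recursive = pattern[:-1], True
        if len(parent) < len(pattern) or (not recursive and len(parent) != len(pattern)):
            continue  # folder-only exclusion: files in subfolders stay scanned
        # Component-wise match; "*" and "?" act as wildcards inside a folder name.
        if all(fnmatchcase(got, want) for got, want in zip(parent, pattern)):
            return True
    return False

def still_scanned(paths: list[str], exclusions: list[Exclusion]) -> list[str]:
    """Audit helper: the paths the scanner would still look at."""
    return [p for p in paths if not is_excluded(p, exclusions)]

# Constructed sample data modelling the thread's stable-vs-changing subfolder case.
WORKAROUND = [
    Exclusion("c:\\dir1\\dir2\\"),                       # files directly in dir2 only
    Exclusion("c:\\dir1\\dir2\\stablefolder1\\", True),  # ticked "Exclude subfolders"
    Exclusion("c:\\dir1\\dir2\\stablefolder2\\**\\"),    # same effect via the **\ suffix
]
SAMPLE_FILES = [
    "C:\\dir1\\dir2\\hello.txt",
    "C:\\dir1\\dir2\\stablefolder1\\a\\b.dll",
    "C:\\dir1\\dir2\\stablefolder2\\c.dll",
    "C:\\dir1\\dir2\\changing_2024\\d.exe",  # not covered, so it stays scanned
]

if __name__ == "__main__":
    for p in SAMPLE_FILES:
        print(p, "excluded" if is_excluded(p, WORKAROUND) else "scanned")
```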
Good suggestions! Problem with using the different processes is that in order to scan folders/files on the premise that any process could read/write to a file maliciously that may otherwise have been excluded, the 'excluded exclusion' would need to go in the default processes exclusions (or not, as is the case here!). If it were added to high-risk (or even low-risk) then it would only be scanned if a specific process in this policy carried out a read or write on it. Saying that, most of the high risk processes are likely to be known, so I may be overcomplicating things here. This is fun! :-D
KB61143: "The On-Access Scanner will use exclusions by drive letter or device name" - confirms my above question. There should be no weird situations on protected hosts where sometimes you use one and sometimes you use the other!
KB61000: Already have, but it does have a good note on WinObj (I haven't used it yet, but will take it as read that it shows the mappings!)
KB67648: I test this way already :-) Good articles though!