9 Replies Latest reply on Dec 20, 2012 4:24 AM by dmease729

    Exclude Processes from Scanning

    DeanBaker
      Hi All.

      Is there a way to exclude a process from being scanned by the on-access scanner? The reason I ask is because I am building a policy for our Exchange servers and in the notes from Microsoft (KB823166) they mention excluding a number of processes from scanning. Is it just a simple case of putting in the exclusions list the full path to the .exe file or is there a specific way of excluding running processes that you can edit?

      Thanks
      Dean

      Sorry all. I forgot to mention I am running VirusScan Enterprise 8.7 and ePO 4.0
        • 1. RE: Exclude Processes from Scanning
          jmaxwell
          No - you add the process name (as seen in Task Manager) to the Low Risk Process Policies for AV - NOTE that you need to have told the AV Policy to use different settings for High/Low Risk Processes.

          The exclusion method is only for excluding files/folders ON DISK that you don't want scanned and is nothing to do with the processes that run. :)

          Jim
          • 2. RE: Exclude Processes from Scanning
            Thanks Jmaxwell, I had to do this task for something just now, your post was useful for me.
            • 3. RE: Exclude Processes from Scanning
              From the VSE manual:

              "On-access scan processes are configured based on the risk that you assign to each process.
              You can configure one default scanning policy for all processes or configure different policies
              based on the risk assigned to each process. Parameters include assigning risk to processes,
              defining items to scan, performing heuristic scanning, scanning compressed files, taking actions
              on detections, and scanning for potentially unwanted programs."

              So I think what is mentioned above is not correct:
              "No - you add the process name (as seen in Task Manager) to the Low Risk Process Policies for AV - NOTE that you need to have told the AV Policy to use different settings for High/Low Risk Processes.
              The exclusion method is only for excluding files/folders ON DISK that you don't want scanned and is nothing to do with the processes that run."

              I think it only defines a different on-access scanning policy for low risk processes (as a different policy for high risk processes). So you still must have exclusions for that executable file (read or write).
              • 4. RE: Exclude Processes from Scanning
                From the VSE manual:

                "On-access scan processes are configured based on the risk that you assign to each process.
                You can configure one default scanning policy for all processes or configure different policies
                based on the risk assigned to each process. Parameters include assigning risk to processes,
                defining items to scan, performing heuristic scanning, scanning compressed files, taking actions
                on detections, and scanning for potentially unwanted programs."

                So I think what Jim mentioned is not correct.
                I think it only defines a different on-access scanning policy for low risk processes (as a different policy for high risk processes). So you still must have exclusions for that executable file (read or write).
                • 5. RE: Exclude Processes from Scanning
                  I think that's not quite right, low risk does not exclude a process from scanning, it only defines a different VSE on-access policy after that process is launched... you still have to make exclusions (read or write)... and folder exclusions...
                  Try reading the KB...
                  https://kc.mcafee.com/corporate/index?page=content&id=KB55139
                  • 6. RE: Exclude Processes from Scanning
                    jmaxwell


                    In fact defining the process on the low risk exclusions list means that once the process has been loaded all files/folders accessed by that process are excluded from scanning - so I'm not really sure what point you are trying to make.....:confused: - obviously any other files/folders you want excluded from scanning by all processes need to be added to the file/folder exclusion list....

                    Jim
                    • 7. Re: RE: Exclude Processes from Scanning
                      dmease729

                      Hi jmaxwell,

                       

                      If you define the process name in the low risk *exclusions list*, then the file itself on disk will not be scanned if read or written to by a process that is defined as a low risk process - and that is all.  This does not mean that from that point any files accessed by that process in running memory will not be scanned.

                      Depending on vendor documentation, this is one of the main points that causes confusion, alongside the other relevantly common (and easily solvable) confusion that some vendors cause when not distinguishing between on-access/realtime and on-demand/scheduled scans.  The process *file source* on the disk is not the same as the process when in running memory - I don't believe the processes are scanned in running memory at all, and that is why that particular option (scan processes in running memory) is available in the on-demand settings.  Saying that, if you do select 'scan processes in running memory' as part of an on-demand configuration, I don't believe you can exclude specific processes here (as above, if you configure a file exclusion, this is the file itself, and *not* the process in running memory).

                      I'm hoping to get some time soon to write this up in more detail, as it is a common problem and misunderstanding I encounter.  Until then, I hope this helps in some way!

                       

                      cheers,

                      • 8. Re: RE: Exclude Processes from Scanning
                        jmaxwell

                        Hi - either I don't understand your post or you are misunderstanding my previous posts - the method I described is correct - at least it works properly and we have been using it for several years for many processes - such as our data backup product's component processes to ensure backup performance is maintained and it definitely works.

                         

                        Jim

                        • 9. Re: RE: Exclude Processes from Scanning
                          dmease729

                          "In fact defining the process on the low risk exclusions list means that once the process has been loaded all files/folders accessed by that process are excluded from scanning"

                          In this case if you have added the process to the exclusions list (in low risk), this means that the exe will not be scanned on read/write if accessed by a process in the process list in the low-risk configuration.  Files accessed by the process created from this exe may still be scanned depending on how policies are configured.

                           

                          I agree - I think I may be misunderstanding your post.  Saying that, there are a number of McAfee KB articles related to this type of question that look to be contradictory, and I think this is due to the wording used.  Going to be running some tests to see what happens with my own eyes!  Sounds like you have it sorted from your side, however - may well be the case that the misunderstanding is on my part :-)

                           

                          cheers,