10 Replies, latest reply on Oct 4, 2012 8:11 AM by alexn

    Can you have too many exclusions?

    dmease729

      Hi,

      After reading the section that states "These exclusions work, but can have a negative impact on performance" from KB50998, it got me thinking - can too many exclusions, contrary to increasing performance, actually decrease performance?  If so, how many would we be looking at?  If there is a small number of multi-depth exclusions or exclusions using regex, can this cause performance issues? 

      I am not looking for a concrete 'yes, X exclusions would be bad', but just confirmation of the theory, and also a *very rough* idea of how many we would be talking about.  Given the specific example in the above KB, it has made me a little paranoid!  If somebody comes back to advise that we could safely configure over 300 exclusions, including multidepth etc, then fine - but just looking for opinion and or rough ideas.

      cheers,

        • 1. Re: Can you have too many exclusions?
          alexn

          My opinion about this: we can add as many exclusions as we want, but exclusions are always security holes. It's like you are opening a hole into your system or network and asking VSE to watch it, please. Beware, sometimes it can miss a disguised process. So too many exclusions are not suggested.

          Message was edited by: alexn on 10/1/12 1:48:08 PM CDT
          • 2. Re: Can you have too many exclusions?
            dmease729

            I have to say I agree with the holes - even best practice recommendations cover themselves by advising that the risk needs to be weighed up. I would also agree on the number of exclusions given today's technology; however, the mentioned phrase did leave me wondering. For McAfee to specifically advise that it could impact performance tickled my curiosity...

            • 4. Re: Can you have too many exclusions?
              mrandolp

              Good morning. For excluding processes under Access Protection policies, there is a limit of 2500 letters and spaces for User-Defined Rules. I received the information from Platinum support. If you are concerned, copy and paste the processes you have added into a Word document and then do a count. If you are concerned with exclusions added to On Access Default Processes, yes, the more you add, the more you can open a hole. If you are concerned with applications, I would suggest getting with the vendor and asking for a document listing the files and folders they recommend for exclusion. I work for a very large health system, and I make it a requirement that the application support primary contact the vendor for the information. If they do not know what to ask for, I will contact the vendor and ask the question myself. Hope this helps.

              Have a good day.

              Mike

              • 5. Re: Can you have too many exclusions?
                petersimmons

                If you have to ask this question then the answer is that you absolutely have WAY too many exclusions. From years of seeing customers' ePO servers I know that 90% are simply not needed -- or worse. Please consider the use of the McAfee Profiler tool to see what VSE is actually touching.

                And don't just ask a software vendor what exclusions are needed. Of course, they will give you their entire product. But if the product isn't database (or like it in terms of IO) or a compiler then it very likely doesn't need an exclusion. If you just ask app vendors then you get zillions of worthless exclusions. All this does is make your policy no longer understandable by humans but it creates a lot of holes for infections to spread.

                • 6. Re: Can you have too many exclusions?
                  mrandolp

                  I disagree. I have spoken with several vendors in the past and they have not said to exclude their entire product. Most vendors will work with you to exclude the appropriate files, etc. Yes, some vendors will want you to exclude the entire product, but if you work with them they will give you the ones that really need to be excluded. I work with a lot of vendors' SEs. SEs know the product, and are more likely to work with you. Also, if a vendor asks you to exclude their product, then it is up to you to make them understand what can happen. They also need to know they assume full responsibility for their app if it gets infected. If you keep VSE, DATs etc. updated, this will minimize the risk. And yes, there are the ones out there in the wild that do not have DATs for them yet; that's why we rely on you. I have over 7000 workstations and over 1400 servers, and have had very few outbreaks over the past 14 years. One of the best ways to keep infections down is to educate your people. Take the time to educate; it goes a long way.

                  Thank you,

                  • 7. Re: Can you have too many exclusions?

                    This is an actual example for the record; I think this conversation begs one.

                    This is recommended for Novell Zenworks 10 and 11, Document ID 7007545.

                    Recommended ZCM Anti-Virus Exclusions

                    Situation

                    The ZCM logon process can involve significant HDD I/O.

                    Anti-Virus scanning of all of this activity can sometimes significantly slow down computers during the logon process. It can also cause hangs during install or system update.

                    Resolution


                    Please Exclude Activity of the Following ZENworks EXEs:

                    %ZENWORKS_HOME%\bin\analyze.exe
                    %ZENWORKS_HOME%\bin\cabarc32.exe
                    %ZENWORKS_HOME%\bin\colw32.exe
                    %ZENWORKS_HOME%\bin\mcescan.exe
                    %ZENWORKS_HOME%\bin\nalwin.exe
                    %ZENWORKS_HOME%\bin\remediate.exe
                    %ZENWORKS_HOME%\bin\zenNotifyIcon.exe
                    %ZENWORKS_HOME%\bin\zenUserDaemon.exe
                    %ZENWORKS_HOME%\bin\zenWindowsDaemon.exe
                    %ZENWORKS_HOME%\bin\zenWorksWindowsService.exe
                    %ZENWORKS_HOME%\bin\Handlers\RMENF.exe
                    %ZENWORKS_HOME%\esm\zesservice.exe
                    %ZENWORKS_HOME%\esm\zesuser.exe
                    %ZENWORKS_HOME%\esm\zescommand.exe
                    %ZENWORKS_HOME%\zpm\analyze.exe (This file does exist in two folders.)
                    %ZENWORKS_HOME%\zpm\cabarc.exe (This file does exist in two folders.)
                    %ZENWORKS_HOME%\zpm\mcescan.exe (This file does exist in two folders.)
                    %ZENWORKS_HOME%\zpm\remediate.exe (This file does exist in two folders.)
                    %SystemRoot%\system32\secedit.exe (Used for GPO Processing)
                    %SystemRoot%\system32\winlogon.exe (Used for GPO Processing)
                    %SystemRoot%\system32\wuauclt.exe
                    C:\WINDOWS\TEMP\{D6C5BB8D-8A3A-495F-8252-DF4E0731209B}\InstallHelper.exe (ideally this EXE anywhere it launches from, if that is possible)

                    Please exclude the following files from being scanned:
                    %ZENWORKS_HOME%\cache\zmd\*.appstate
                    %ZENWORKS_HOME%\cache\zmd\zencache\metadata\objinfo.db
                    %ZENWORKS_HOME%\cache\zmd\zencache\metadata\fileinfo.db
                    %ZENWORKS_HOME%\esm\*.*
                    %ZENWORKS_HOME%\work\status\mdstatus.db
                    %ZENWORKS_HOME%\logs\*.logs (Include SubDirectories)
                    %SystemRoot%\system32\GroupPolicy\adm\*.adm
                    %SystemRoot%\system32\GroupPolicy\machine\*.pol
                    %SystemRoot%\system32\GroupPolicy\user\*.pol
                    %WINSYSDIR%\drivers\{4bb8218c-aebf-4113-882f-b10ae15c8218}
                    C:\WINDOWS\TEMP\{D6C5BB8D-8A3A-495F-8252-DF4E0731209B}
                    C:\Documents And Settings\All Users\Application Data\Novell\ZES (winXP and win2k3 only)
                    C:\ProgramData\Novell\ZES (Vista, Win7, Win2k8, newer)

                    If the anti-virus/anti-spyware/Internet Security software being used supports the exclusion of registry keys, then exclude the following:
                    HKLM\SYSTEM\CurrentControlSet\services\zesservice
                    HKLM\SYSTEM\CurrentControlSet\services\zesuser
                    HKLM\SYSTEM\CurrentControlSet\services\zestdi
                    HKLM\SYSTEM\CurrentControlSet\services\zesdac
                    HKLM\SYSTEM\CurrentControlSet\services\zesdt
                    HKLM\SYSTEM\CurrentControlSet\services\zesds
                    HKLM\SYSTEM\CurrentControlSet\services\zesdisk
                    HKLM\SYSTEM\CurrentControlSet\services\zesocc
                    HKLM\SYSTEM\CurrentControlSet\services\zesfw (Vista, Win7, Win2k8, newer)
                    HKLM\SYSTEM\CurrentControlSet\services\zeswifi (Vista, Win7, Win2k8, newer)
                    HKLM\SYSTEM\CurrentControlSet\services\zesndisim (winXP and win2k3 only)
                    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}
                    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
                    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
                    HKLM\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}

                    Note: Each Anti-Virus package has different options that can be configured and different syntax used for exclusions. Please be sure to review the documentation for the Anti-Virus package in use for the proper method and syntax.

                    • 8. Re: Can you have too many exclusions?
                      erase*.*

                      I can confirm Mike's post. I didn't know what the exact number was, but we bumped into the Access Protection - User Defined Rules limitation in my previous environment and had to get creative with wildcards to reduce the characters used and not open a giant hole in the process. As far as on demand/on access exclusions, I've always tried to keep it to a minimum and usually only adopt ones that testing proves are worthwhile.

                      • 9. Re: Can you have too many exclusions?
                        mrandolp

                        Good morning, below is information I received from a vendor for their recommended antivirus exclusions. This is just part of the document, and shows what you will get when working with vendors. Yes, it is for another AV product, but it is up to you to do the testing.

                        Overview

                        The recommendations in this document are specific to the Enterprise Express family of servers and client workstations. These recommendations are based on a combination of: QA testing results, customer feedback and observed system performance in various environments with average system production loads. The recommendations are for the products referenced and are based on specific antivirus software vendor products. The network, files, folders and extension exclusions relate to "real time file system scanning" configurations. As noted, these exclusion recommendations are either required or strongly recommended in the interest of maintaining correct performance of server and client applications.

                        General

                        The Enterprise Express family of products has been tested and presently ships with Symantec's Antivirus solution. Versions 10.x (currently shipping), 8.x and 7.x corporate editions are the currently approved versions supported. Later versions of the Symantec solution will undergo QA testing as these vendor products are upgraded.

                        Other vendors and brands of antivirus products have not been QA tested with Enterprise Express. Nuance does not generally prohibit the use of non-Nuance tested antivirus solutions; however, the customer must determine suitability of these solutions and maintain accountability for Enterprise Express system reliability and performance. Regardless of the antivirus solution selected, basic common sense configuration and usage considerations will apply to all implementation scenarios.

                        The exclusion recommendations in this document are considered critical to preserving system performance. Any customer-provided antivirus solution must provide the capability to configure files, file extensions and folder exclusions.

                        Recommendations that apply to all products

                        Recommended file extension exclusions (for real-time scans):

                        *.wav
                        *.vox
                        *.tcl
                        *.dee
                        *.ofl
                        *.ofc
                        *.dat
                        *.mdf
                        *.ldf
                        *.aud (EXV versions 4 and 5 only)

                        If EXSpeech Build 8 is in use - Recommended file extension exclusions (for real-time scans) on the EXVoice Data Server:

                        *.ast
                        *.asw
                        *.asr
                        *.bd
                        *.nvc
                        *.voc
                        *.clm
                        *.csv
                        *.spl
                        *.cpp
                        *.svc
                        *.txt
                        *.wav
                        *.usr
                        *.sig
                        *.bak
                        *.log
                        *.ini
                        *.lst
                        *.temp

                        Voice [SQL database] Data Server - RISI specific (if RISI is implemented):

                        Recommended folder exclusions (for real-time scans):

                        C:\VoiceNet\DIS_Interface
                        C:\VoiceNet\RIS_Interface
                        C:\VoiceNet\RISI_Clients
                        C:\VoiceNet\RISI_Trace

                        EEV2MIS gateway server (if MISlink is implemented):

                        Thanks, Mike
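The thread raises two concrete checks a defender can automate before pasting a vendor list into a policy: the 2500-character limit on Access Protection User-Defined Rules that Mike (#4) and erase*.* (#8) ran into, and the "holes" that broad entries open (the whole-directory `*.*`, bare `TEMP`/`ProgramData` folders and extension-only `*.dat`/`*.log` lines in the ZENworks (#7) and Nuance (#9) lists). The script below is an added example, not code from the thread, from McAfee or from either vendor. It audits a plain-text exclusion list for both: the character budget uses the thread's 2500 figure and assumes one separator character between entries (an assumption, so check against your product's documentation), and the risk heuristics (which extensions and locations count as broad) are my own starting list, to be tuned per site. The sample list is constructed from a handful of entries quoted in this thread with their explanatory comments stripped.

```python
"""Audit an anti-virus exclusion list for size and for over-broad entries.

Added example (not from the thread, McAfee, Novell or Nuance). Checks a list
of exclusions against the 2500-character User-Defined Rules limit quoted in
the thread and flags entries that exclude more than a single known binary.
"""
import re

# Character ceiling reported in the thread for VSE Access Protection
# User-Defined Rules. Treat it as the figure your product documents.
USER_DEFINED_RULES_CHAR_LIMIT = 2500

# Extensions common enough that an extension-only exclusion (e.g. *.dat)
# gives malware a hiding place anywhere on disk (assumed starting list).
BROAD_EXTENSIONS = {".dat", ".log", ".txt", ".bak", ".tmp", ".ini", ".csv"}

# Locations that many accounts or installers can write into (assumed list).
WRITABLE_LOCATIONS = ("\\temp\\", "\\tmp\\", "\\programdata\\",
                      "\\application data\\", "\\users\\")

# Registry exclusions are not file-scan exclusions; they are passed through.
REGISTRY_PREFIXES = ("hklm\\", "hkcu\\", "hkey_")


def classify(exclusion: str) -> list:
    """Return the list of risk reasons for one exclusion ([] if none)."""
    low = exclusion.strip().lower()
    reasons = []
    if low.startswith(REGISTRY_PREFIXES):
        return reasons

    if low.endswith(("\\*.*", "\\*", "\\**")):
        reasons.append("whole directory excluded")
    elif "*" not in low and not re.search(r"\.[a-z0-9]+$", low):
        # No extension and no wildcard: a bare folder, so everything under it.
        reasons.append("bare directory path (everything beneath it is excluded)")

    ext_only = re.match(r"^\*\.([a-z0-9]+)$", low)  # e.g. "*.dat"
    if ext_only and "." + ext_only.group(1) in BROAD_EXTENSIONS:
        reasons.append("extension-only exclusion of a very common extension")

    if any(frag in low for frag in WRITABLE_LOCATIONS):
        reasons.append("inside a user-writable or shared location")

    # A wildcard in a directory component matches at several depths.
    last_sep = low.rfind("\\")
    if last_sep > 0 and "*" in low[:last_sep]:
        reasons.append("wildcard in a directory component (multi-depth match)")
    return reasons


def char_budget(exclusions, limit=USER_DEFINED_RULES_CHAR_LIMIT):
    """(characters used, characters remaining); one separator per gap is assumed."""
    used = sum(len(e.strip()) for e in exclusions) + max(len(exclusions) - 1, 0)
    return used, limit - used


def audit(exclusions, limit=USER_DEFINED_RULES_CHAR_LIMIT) -> dict:
    """Combine the size check and the per-entry risk classification."""
    used, remaining = char_budget(exclusions, limit)
    findings = []
    for entry in exclusions:
        reasons = classify(entry)
        if reasons:
            findings.append((entry, reasons))
    return {"chars_used": used, "chars_remaining": remaining,
            "over_limit": used > limit, "findings": findings}


# Constructed sample: entries lifted from the vendor lists quoted in this
# thread, with the vendors' parenthetical comments removed.
SAMPLE_EXCLUSIONS = [
    r"%ZENWORKS_HOME%\bin\analyze.exe",
    r"%ZENWORKS_HOME%\cache\zmd\*.appstate",
    r"%ZENWORKS_HOME%\esm\*.*",
    r"%ZENWORKS_HOME%\logs\*.logs",
    r"C:\WINDOWS\TEMP\{D6C5BB8D-8A3A-495F-8252-DF4E0731209B}",
    r"C:\ProgramData\Novell\ZES",
    r"HKLM\SYSTEM\CurrentControlSet\services\zesservice",
    r"*.dat",
    r"*.wav",
    r"*.log",
]

if __name__ == "__main__":
    report = audit(SAMPLE_EXCLUSIONS)
    print(f"{report['chars_used']} characters used, "
          f"{report['chars_remaining']} remaining "
          f"(over limit: {report['over_limit']})")
    for entry, reasons in report["findings"]:
        print(entry)
        for reason in reasons:
            print("    - " + reason)
```

Run it against the full vendor list you were handed and the output is the shortlist to take back to the vendor: the single-binary entries pass silently, while every line that turns a folder, a temp location or a whole extension into unscanned space is named with its reason. That is the conversation Mike describes having with a vendor's SE, with the "which of these really need to be excluded" question already narrowed down.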
