3180 Views 9 Replies Latest reply: Aug 1, 2013 4:38 AM by wayneb
wayneb Newcomer 28 posts since
Mar 4, 2013

Mar 13, 2013 6:18 AM

Low-Risk\High Risk Processes Policies - what to specify

All

 

I've inherited some policies for my servers, but they all appear to use On-Access Default Processes Policies with lots of generic exclusions no matter what the server type. I know we should be creating Low-risk\High-risk policies, but wondered if anyone had any recommendations for specific files or processes that should be assigned to low and high, and also the typical exclusions used for these.

 

e.g. for my backup server policy I have the backup\restore processes in my low-risk policy and word.exe, outlook.exe etc. in my high-risk policy. Any other suggestions of what you have all used?

 

Many thanks

  • Hayton Volunteer Moderator 4,597 posts since
    Sep 27, 2010

    This was posted in the Consumer products VirusScan section, but most of the references I found for this topic were in either VirusScan Enterprise or ePO - mostly ePO, so I've moved the question into ePO in the Business section.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • jenkinski Newcomer 27 posts since
    Mar 4, 2013

    The first place to check is the McAfee Virusscan best practices guide. It has recommended exclusions.

     

    https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22940/en_US/vse_880_best_practices_guide.pdf

     

    As for additional recommendations, I'd say, if you can, let the systems run with *no* exclusions. Then use Process Monitor when mcshield is going off the charts. Use that to find out what processes are causing a performance hit. Then exclude those processes only in the low-risk section.

     

    You can also look at the processes and their i/o read/write statistics. Those with really high reads or writes may need to be looked at.

     

    -KJ
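The approach in the post above (capture with Process Monitor while mcshield is busy, then look at per-process read/write volume) can be done offline against a Procmon log saved as CSV. The script below is an added example, not part of the original post and not a McAfee tool: it assumes Procmon's default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and pulls the byte count out of the Detail field of ReadFile/WriteFile rows. SAMPLE_CSV is a constructed log, not a real capture, and the process names in it are illustrative.

```python
"""Rank processes by file I/O from a Process Monitor CSV export (added example)."""
import csv
import io
import re
from collections import defaultdict

# Procmon writes e.g. "Offset: 0, Length: 1,048,576, I/O Flags: ..." in Detail
_LENGTH_RE = re.compile(r"Length:\s*([\d,]*\d)")

# Constructed sample in Procmon's CSV export layout; not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:01.0000001 AM","ntbackup.exe","4120","ReadFile","D:\Data\orders.mdb","SUCCESS","Offset: 0, Length: 1,048,576, I/O Flags: Non-cached, Priority: Normal"
"9:15:01.0000002 AM","ntbackup.exe","4120","ReadFile","D:\Data\orders.mdb","SUCCESS","Offset: 1,048,576, Length: 1,048,576, I/O Flags: Non-cached, Priority: Normal"
"9:15:01.0000003 AM","ntbackup.exe","4120","WriteFile","\\nas01\backup\srv1.bkf","SUCCESS","Offset: 0, Length: 2,097,152, I/O Flags: Non-cached, Priority: Normal"
"9:15:01.0000004 AM","sqlservr.exe","1880","WriteFile","D:\MSSQL\DATA\app.mdf","SUCCESS","Offset: 8,192, Length: 65,536, I/O Flags: Non-cached, Priority: Normal"
"9:15:01.0000005 AM","sqlservr.exe","1880","WriteFile","D:\MSSQL\LOG\app.ldf","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Write Through, Priority: Normal"
"9:15:01.0000006 AM","winword.exe","2332","ReadFile","C:\Users\wayne\report.docx","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Priority: Normal"
"9:15:01.0000007 AM","winword.exe","2332","CreateFile","C:\Users\wayne\report.docx","SUCCESS","Desired Access: Generic Read"
"9:15:01.0000008 AM","ntbackup.exe","4120","QueryBasicInformationFile","D:\Data\orders.mdb","SUCCESS","CreationTime: 1/2/2013 10:00:00 AM"
'''


def summarize_io(csv_text):
    """Per-process ReadFile/WriteFile counts and byte totals from a Procmon CSV."""
    stats = defaultdict(lambda: {"reads": 0, "writes": 0,
                                 "read_bytes": 0, "write_bytes": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        if op not in ("ReadFile", "WriteFile"):
            continue  # CreateFile, Query* etc. move no data; ignore them
        m = _LENGTH_RE.search(row["Detail"])
        nbytes = int(m.group(1).replace(",", "")) if m else 0
        s = stats[row["Process Name"].lower()]
        if op == "ReadFile":
            s["reads"] += 1
            s["read_bytes"] += nbytes
        else:
            s["writes"] += 1
            s["write_bytes"] += nbytes
    return dict(stats)


def rank_processes(csv_text, top=None):
    """(process, total bytes read+written) pairs, heaviest first."""
    stats = summarize_io(csv_text)
    totals = [(name, s["read_bytes"] + s["write_bytes"]) for name, s in stats.items()]
    totals.sort(key=lambda kv: kv[1], reverse=True)
    return totals[:top]


def low_risk_candidates(csv_text, min_bytes=1_000_000):
    """Processes moving at least min_bytes in the capture.  Review each one by
    hand before putting it on the Low-Risk *process* list (not the exclusion
    tab); interactive applications such as winword.exe stay high-risk."""
    return [name for name, total in rank_processes(csv_text) if total >= min_bytes]


if __name__ == "__main__":
    for name, total in rank_processes(SAMPLE_CSV):
        print(f"{name:16} {total:>12,d} bytes")
    print("candidates:", low_risk_candidates(SAMPLE_CSV))
```

Run it against a capture taken while mcshield is busy (File > Save > CSV in Procmon); the threshold is an assumption to tune per server, and the ranking only says where the I/O is, not whether skipping it is safe.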

  • jenkinski Newcomer 27 posts since
    Mar 4, 2013

    Basically your backup exclusions need to be in the low-risk policy, not the default. Typically your default policy is the 'catch all'; it should have very little or no exclusions. All your exclusions are typically going to be in the low-risk section.

     

    As for what to exclude on a backup process, that is touchy. Whether it's correct or not, when a process is identified as 'low risk', many times we decrease the things scanned, for example only scanning on write (or read, depending on your needs), not scanning zip files, etc.

     

    -KJ

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi,

     

    I gather that files opened by backup programs might not need to be scanned at all in the Low-Risk policy*. I think backup usually writes the files somewhere to a peripheral or a network device, rather than locally, so leaving "Writing to Disk" checked might be redundant.

     

    For the files that get backed up regularly, the default policy (the one that applies generally when processes other than the backup's access those files) applies anyway.

     

    "Files Opened for backup" might be relevant when used in the policy not meant to exclude the files when they are getting backed up (i.e. as opposed to in the Low Risk policy). I think this means that when the Archive bit of the file properties is cleared by the backup software and the file is opened, no scanning is needed (when used in the default policy).

     

    *This implies that all the files are generally scanned every time they are modified; consequently backup software won't work with infected files, hence there is no need to scan them again.

     

    Attila

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009

    Hi Wayneb,

     

    I've just created a new Policy for my SQL servers and the vendors have stated to exclude folders

     

    e.g. C:\Program Files\MyFolder and everything under it.

     

    At the moment, under On-Access Default Processes Policies it's set to 'Configure one scanning policy for all processes', and I've added the folder to the Exclusions tab under 'What not to scan' and ticked 'Also exclude subfolders'.

     

    So this will now exclude that folder and everything under it even .EXE files from being scanned right?

     

    Yes, this exclusion means that no files that are created, opened, written, etc. would be scanned in this folder and any of the subfolders, no matter what process owns those files.

    This also means that a share hopping worm could also write its files under this folder and any subfolders underneath (provided it has the right to do so).

    However, if you specified this folder exclusion in the Low Risk policy section and you also specified the necessary process names in the Low Risk policy (sqlsrvr.exe for example), that would mean that only those files in this folder that are owned by this process (and any sub-process) would not be scanned, but any other files that are owned by a different process (not sqlsrvr.exe) would be scanned in this folder.

     

    Would the Default policy even work if I set high/low risk processes and exclusions? And do I have to add the same exclusion to all 3?

     

    All three kinds of policies apply always, and you could specify, of course, albeit accidentally, redundant exclusions, where you would exclude FILE.TXT in the Default and also in the Low Risk section; this means that the Low Risk exclusion for FILE.TXT would be redundant but technically OK.

     

    A sidenote: I often see exclusions for .EXEs in the Exclusion section of any policy. I think this is an improperly interpreted move for "process exclusions" (vendors of such processes are also to blame for the confusion), because these EXEs should rather be in the process list of the Low/High Risk policies (so please put sqlsrvr.exe on this list and not on the Exclusion list).

     

    Or, if I select 'Configure different scanning policies for high-risk, low-risk, and default processes' under the new SQL policy, what will that do?

    This means that the Default policy will always apply, and the Low Risk (High Risk) policy will apply when a file is accessed that is owned by any process that is listed in the Low/High Risk policy.

     

    Attila
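The policy questions answered above (a folder exclusion on the single Default policy versus the same exclusion scoped to the Low-Risk policy with the SQL process on its list, an .EXE on the exclusion tab instead of the process list, and the earlier posts' backup process that is only scanned on write) come down to one rule: which policy governs the accessing process, and what that policy excludes. The model below is an added illustration, not McAfee code, and is a simplification of VSE (no archive, network-drive or "opened for backup" options): a process is governed by the Low-Risk or High-Risk policy when it is on that list, otherwise by Default, and each policy has its own exclusions and read/write switches. Process and path names are constructed; the SQL Server binary is written sqlservr.exe here (the post above spells it sqlsrvr.exe).

```python
"""Simplified model of VSE on-access policy selection (added illustration)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    scan_on_read: bool = True
    scan_on_write: bool = True
    # "What not to scan" entries: (folder, also_exclude_subfolders)
    folder_exclusions: List[Tuple[str, bool]] = field(default_factory=list)
    # file-name exclusions such as "FILE.TXT"; putting an executable's name
    # here only stops that one file being scanned, it says nothing about
    # files the executable itself touches
    file_exclusions: Set[str] = field(default_factory=set)

    def excludes(self, path: str) -> bool:
        p = PureWindowsPath(path)
        if p.name.lower() in {f.lower() for f in self.file_exclusions}:
            return True
        parent = str(p.parent).lower()
        for folder, subfolders in self.folder_exclusions:
            f = str(PureWindowsPath(folder)).lower()
            if parent == f or (subfolders and parent.startswith(f + "\\")):
                return True
        return False


@dataclass
class OnAccessConfig:
    default: Policy
    low_risk: Optional[Policy] = None    # None = "one scanning policy for all"
    high_risk: Optional[Policy] = None
    low_risk_processes: Set[str] = field(default_factory=set)
    high_risk_processes: Set[str] = field(default_factory=set)

    def policy_for(self, process: str) -> Tuple[str, Policy]:
        name = process.lower()
        if self.low_risk is not None and name in {p.lower() for p in self.low_risk_processes}:
            return "low-risk", self.low_risk
        if self.high_risk is not None and name in {p.lower() for p in self.high_risk_processes}:
            return "high-risk", self.high_risk
        return "default", self.default

    def will_scan(self, process: str, path: str, op: str) -> bool:
        """True if an access (op = 'read' or 'write') by process to path is scanned."""
        _, pol = self.policy_for(process)
        if op == "read" and not pol.scan_on_read:
            return False
        if op == "write" and not pol.scan_on_write:
            return False
        return not pol.excludes(path)


SQL_FOLDER = r"C:\Program Files\MyFolder"   # constructed vendor folder


def one_policy_for_all() -> OnAccessConfig:
    """Folder exclusion on the single Default policy: nobody's writes there are scanned."""
    return OnAccessConfig(default=Policy(folder_exclusions=[(SQL_FOLDER, True)]))


def low_risk_scoped() -> OnAccessConfig:
    """Exclusion and sqlservr.exe both in the Low-Risk policy: only its accesses skip."""
    return OnAccessConfig(default=Policy(),
                          low_risk=Policy(folder_exclusions=[(SQL_FOLDER, True)]),
                          low_risk_processes={"sqlservr.exe"})


def exe_in_exclusion_list() -> OnAccessConfig:
    """The sidenote's mistake: the .EXE on the exclusion tab, not on the process list."""
    return OnAccessConfig(default=Policy(file_exclusions={"sqlservr.exe"}))


def backup_low_risk() -> OnAccessConfig:
    """Backup process as low-risk, scanned on write only; everyone else stays default."""
    return OnAccessConfig(default=Policy(),
                          low_risk=Policy(scan_on_read=False, scan_on_write=True),
                          low_risk_processes={"ntbackup.exe"})


if __name__ == "__main__":
    payload = SQL_FOLDER + r"\Bin\dropped.exe"
    print("default-wide exclusion, worm writes:", one_policy_for_all().will_scan("worm.exe", payload, "write"))
    print("low-risk-scoped exclusion, worm writes:", low_risk_scoped().will_scan("worm.exe", payload, "write"))
```

The two printed lines are the whole point of the thread: with the exclusion on the Default policy the constructed worm.exe can drop a file under the vendor folder unscanned, while with the same exclusion scoped to the Low-Risk policy only sqlservr.exe's own file accesses are skipped.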
