9 Replies Latest reply: Aug 1, 2013 4:40 AM by wayneb

    Low-Risk\High Risk Processes Policies - what to specify

    wayneb

      All

       

      I've inherited some policies for my servers, but they all appear to use On-Access Default Processes Policies with lots of generic exclusions no matter what the server type. I know we should be creating Low-Risk\High-Risk policies but wondered if anyone had any recommendations for specific files or processes that should be assigned to low and high, and also the typical exclusions used for these.

       

      e.g. for my backup server policy I have the backup\restore processes in my low-risk policy and word.exe, outlook.exe etc. in my high-risk policy. Any other suggestions of what you have all used?

       

      many Thanks

        • 1. Re: Low-Risk\High Risk Processes Policies - what to specify
          Hayton

          This was posted in the Consumer products VirusScan section, but most of the references I found for this topic were in either VirusScan Enterprise or ePO - mostly ePO, so I've moved the question into ePO in the Business section.

          • 2. Re: Low-Risk\High Risk Processes Policies - what to specify
            jenkinski

            The first place to check is the McAfee Virusscan best practices guide. It has recommended exclusions.

             

            https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22940/en_US/vse_880_best_practices_guide.pdf

             

            As for additional recommendations, I'd say, if you can, let the systems run with *no* exclusions. Then use Process Monitor when mcshield is going off the charts. Use that to find out which processes are causing a performance hit. Then exclude those processes only in the low-risk section.

             

            You can also look at the processes and their I/O read/write statistics. Those with really high reads or writes may need to be looked at.

             

            -KJ
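As an added example to go with reply 2 (this is not code from the thread or from McAfee): a PowerShell script that does the "look at the I/O read/write statistics" step from the shell, sampling every process twice and ranking the busiest ones, so the exact image to put in the Low-Risk process list can be read off the Path column before any exclusion is written. It assumes a Windows server where Get-CimInstance is available (Windows Server 2008 R2 or later) and that Win32_Process's ReadTransferCount and WriteTransferCount are cumulative byte counts since each process started; the 30-second window and top-10 cutoff are arbitrary choices.

```powershell
# Added example, not from the thread: rank processes by bytes read and written over a
# sample window, to find candidates for the Low-Risk process list before adding any
# exclusion. Run in an elevated PowerShell on the server while the suspect workload
# (e.g. the nightly backup job) is active.
# Assumption: Win32_Process exposes ReadTransferCount / WriteTransferCount as cumulative
# byte counts since each process started, so two samples must be differenced to get a rate.

function Get-ProcessIoDelta {
    param(
        [int]$Seconds = 30,   # sample window
        [int]$Top     = 10    # how many of the busiest processes to return
    )
    $fields = 'ProcessId', 'Name', 'ExecutablePath', 'ReadTransferCount', 'WriteTransferCount'
    $before = Get-CimInstance -ClassName Win32_Process | Select-Object $fields
    Start-Sleep -Seconds $Seconds
    $after  = Get-CimInstance -ClassName Win32_Process | Select-Object $fields

    $byPid = @{}
    foreach ($p in $before) { $byPid[[int]$p.ProcessId] = $p }

    $after | ForEach-Object {
        $prev = $byPid[[int]$_.ProcessId]
        # A process that started inside the window has no baseline; skip it rather than
        # report its lifetime totals as if they happened in the window.
        if ($null -eq $prev) { return }
        [pscustomobject]@{
            Name      = $_.Name
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath      # the exact image you would list under Low-Risk
            ReadMB    = [math]::Round(($_.ReadTransferCount  - $prev.ReadTransferCount)  / 1MB, 1)
            WriteMB   = [math]::Round(($_.WriteTransferCount - $prev.WriteTransferCount) / 1MB, 1)
        }
    } |
        Sort-Object -Property @{ Expression = { $_.ReadMB + $_.WriteMB }; Descending = $true } |
        Select-Object -First $Top
}

# How busy the on-access scanner itself was over the same kind of window.
# mcshield.exe is the VSE 8.x on-access scanner process; .CPU is total processor seconds.
function Get-McShieldCpuPercent {
    param([int]$Seconds = 30)
    $a = (Get-Process -Name mcshield -ErrorAction Stop | Measure-Object -Property CPU -Sum).Sum
    Start-Sleep -Seconds $Seconds
    $b = (Get-Process -Name mcshield -ErrorAction Stop | Measure-Object -Property CPU -Sum).Sum
    [math]::Round(($b - $a) / $Seconds * 100, 1)    # percent of one logical core
}

Get-ProcessIoDelta -Seconds 30 -Top 10 | Format-Table -AutoSize
"mcshield.exe used $(Get-McShieldCpuPercent -Seconds 30)% of one core over the window"
```

Run it a few times across the backup window and compare: a process that is always near the top of the table while mcshield.exe is busy is the one to list under Low-Risk (by the image name shown in Path), which is a narrower change than a folder exclusion in the Default policy. Process Monitor is still the tool for seeing which individual files the process touches.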

            • 3. Re: Low-Risk\High Risk Processes Policies - what to specify
              wayneb

              Thanks

               

              I created a new policy and set up the exclusions as recommended by our backup provider in the On-Access Default Processes Policies and applied them. I also have the Low-Risk/High-Risk set up but not applied. I assume because it's a new policy I won't necessarily see an improvement in backup timescales until its second run, as the first has to build up a list of files and exclusions?

               

              Also, If i have all 3 :

               

              Default

              Low-Risk

              High Risk

               

              and set exclusions in the Default, do i have to set the same exclusions in the Low-Risk ?

               

              Message was edited by: wayneb on 17/03/13 04:46:20 CDT
              • 4. Re: Low-Risk\High Risk Processes Policies - what to specify
                jenkinski

                Basically your backup exclusions need to be in the low-risk policy, not the default. Typically your default policy is the 'catch all'; it should have very little or no exclusions. All your exclusions are typically going to be in the low-risk section.

                 

                As for what to exclude on a backup process, that's touchy. Whether it's correct or not, when a process is identified as 'low risk', many times we decrease the things scanned, for example only scanning on write (or read, depending on your needs), not scanning zip files, etc.

                 

                -KJ

                • 5. Re: Low-Risk\High Risk Processes Policies - what to specify
                  wayneb

                  Ok, Thanks, so let me just clarify

                   

                  I currently have only the On-Access Default Processes Policies applied to our backup servers with all the exclusions added for all the folders/subfolders I want excluded, for example *:\*Program Files\CommVault\Simpana\

                   

                  The above folder and subfolders are excluded along with other recommended Windows folders etc. So what you're saying is I should take those exclusions out of the Default Policy and put them in the Low-Risk Policy as Exclusions and apply that policy also? Then specify the .exe files, e.g. backup.exe, restore.exe, in the Low-Risk Processes? I assume I can also uncheck 'When Reading from disk' and 'On Network Drives' and just leave 'Writing to disk' checked. What about 'Opened for backup'? There seems to be conflicting info on this option.

                   

                  Initially I'm applying these just to our backup servers, not any others, e.g. SQL, DCs etc.

                   

                  I will then create policies for other server types as they all seem to have the same Default one applied only.

                   

                  Thanks

                   

                  Message was edited by: wayneb on 19/03/13 03:45:13 CDT

                   

                  Message was edited by: wayneb on 19/03/13 03:45:42 CDT
                  • 6. Re: Low-Risk\High Risk Processes Policies - what to specify
                    Attila Polinger

                    Hi,

                     

                    I gather that files opened by backup programs might not need to be scanned at all in the Low-Risk policy*. I think backup usually writes the files somewhere to a peripheral or a network device, rather than locally, so leaving "Writing to Disk" checked might be redundant.

                     

                    For the files that get backed up regularly, the default policy (the one that applies generally when processes other than that of the backup access those files) applies anyway.

                     

                    "Files Opened for backup" might be relevant when used in the policy not meant to exclude the files when they are getting backed up (i.e. as opposed to in the Low Risk policy). I think this means that when the Archive bit of the file properties is cleared by the backup software and the file is opened, no scanning is needed (when used in the default policy).

                     

                    *This implies that all the files are generally scanned every time they are modified; consequently backup software won't work with infected files, hence there is no need to scan them again.

                     

                    Attila

                    • 7. Re: Low-Risk\High Risk Processes Policies - what to specify
                      wayneb

                      Hi Attila

                       

                      I'm still slightly confused as there are so many varying opinions on default/High/Low risk policies. So let me get this straight from what i understand.

                       

                      I've just created a new Policy for my SQL servers and the vendors have stated to exclude folders

                       

                      eg; C:\Program Files\MyFolder and everything under it.

                       

                      At the moment under On-Access Default Processes Policies it's set to "Configure one scanning policy for all processes", and I've added the folder to the Exclusions tab under "What not to scan" and ticked "Also exclude subfolders".

                       

                      So this will now exclude that folder and everything under it even .EXE files from being scanned right?

                       

                      Or, if I select "Configure different scanning policies for high-risk, low-risk, and default processes" under the new SQL policy, what will that do? I assume I'd have to create the same-named policy for High and Low risk? Would the Default policy even work if I set high/low-risk processes and exclusions? And do I have to add the same exclusion to all 3?

                       

                      Ultimately what I want to do is reduce performance issues, like exclude sqlserver.exe.

                       

                      hope this makes sense

                      • 8. Re: Low-Risk\High Risk Processes Policies - what to specify
                        Attila Polinger

                        Hi Wayneb,

                         

                        I've just created a new Policy for my SQL servers and the vendors have stated to exclude folders

                         

                        eg; C:\Program Files\MyFolder and everything under it.

                         

                        At the moment under On-Access Default Processes Policies it's set to "Configure one scanning policy for all processes", and I've added the folder to the Exclusions tab under "What not to scan" and ticked "Also exclude subfolders".

                         

                        So this will now exclude that folder and everything under it even .EXE files from being scanned right?

                         

                        Yes, this exclusion means that no files that are created, opened, written, etc. would be scanned in this folder and any of the subfolders, no matter what process owns those files.

                        This also means that a share hopping worm could also write its files under this folder and any subfolders underneath (provided it has the right to do so).

                        However, if you specified this folder exclusion in the Low-Risk policy section and you also specified the necessary process names in the Low-Risk policy (sqlsrvr.exe for example), that would mean that only those files in this folder that are owned by this process (and any sub-process) would not be scanned, but any other files that are owned by a different process (not sqlsrvr.exe) would be scanned in this folder.

                         

                        Would the Default policy even work if i set high/low risk processes and exclusions? and do i have to add the same exclusion to all 3?

                         

                        All three kinds of policies always apply, and you could of course specify, albeit accidentally, redundant exclusions, where you would exclude FILE.TXT in the Default and also in the Low-Risk section; this means that the Low-Risk exclusion for FILE.TXT would be redundant but technically OK.

                         

                        A sidenote: I often see exclusions for .EXEs in the Exclusion section of any policy. I think this is an improperly interpreted move for "process exclusions" (vendors of such processes are also to blame for the confusion), because these EXEs should rather be in the process list of the Low/High-Risk policies (so please put sqlsrvr.exe on this list and not on the Exclusion list).

                         

                        Or, if i select Configure different scanning policies for high-risk, low-risk, and default processes, under the new SQL policy what will that do ?

                        This means that the Default policy will always apply, and the Low-Risk (High-Risk) policy will apply when a file is accessed that is owned by any process that is listed in the Low/High-Risk policy.

                         

                        Attila
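As an added example to go with reply 8 (not McAfee's code and not from the thread): a PowerShell model of the selection rule Attila describes. Which policy governs an access is decided by the accessing process name (Low-Risk or High-Risk if the process is listed there, otherwise Default), and only that policy's exclusions are then consulted, so a folder excluded in Default is unscanned for every process while the same folder excluded in Low-Risk is unscanned only for the listed ones. The path matching is an assumption: an approximation of VSE's rules using -like wildcards, with "Also exclude subfolders" treated as a prefix match. The policies, process names and file paths are made-up sample data; the SQL Server service binary is spelled sqlservr.exe here because that is its real name.

```powershell
# Added example, not McAfee's code: a simplified model of how the On-Access scanner picks
# the governing policy for a file access. The accessing process name selects Low-Risk or
# High-Risk if it is listed there, otherwise Default, and only that policy's exclusions
# are consulted. Path matching is an approximation (assumption): '*' and '?' behave as
# -like wildcards, and "Also exclude subfolders" is a prefix match on the folder.
# All process names, paths and policies below are made-up sample data.

function Get-GoverningPolicy {
    param([string]$ProcessName, [hashtable]$Policies)
    # -contains on strings is case-insensitive in PowerShell, as file names are on Windows
    if ($Policies.LowRisk.Processes  -contains $ProcessName) { return 'LowRisk'  }
    if ($Policies.HighRisk.Processes -contains $ProcessName) { return 'HighRisk' }
    return 'Default'
}

function Test-PathExcluded {
    param([string]$Path, [object[]]$Exclusions)
    foreach ($ex in $Exclusions) {
        if ($ex.Path.EndsWith('\')) {
            # Folder exclusion: with Subfolders it covers the whole tree, without it only
            # files directly inside the folder.
            $folder = $ex.Path.TrimEnd('\')
            if ($ex.Subfolders) {
                if ($Path -like ($folder + '\*')) { return $true }
            } elseif ((Split-Path -Path $Path -Parent) -like $folder) { return $true }
        } elseif ($Path -like $ex.Path) {
            return $true   # file or pattern exclusion, e.g. *.mdf
        }
    }
    return $false
}

function Test-WouldScan {
    param([string]$ProcessName, [string]$Path, [hashtable]$Policies)
    $policy = Get-GoverningPolicy -ProcessName $ProcessName -Policies $Policies
    [pscustomobject]@{
        Process = $ProcessName
        Path    = $Path
        Policy  = $policy
        Scanned = -not (Test-PathExcluded -Path $Path -Exclusions $Policies[$policy].Exclusions)
    }
}

# Recommended shape: the folder is excluded only for the SQL Server process, and the
# Default policy stays a catch-all with no exclusions.
$good = @{
    Default  = @{ Processes = @(); Exclusions = @() }
    LowRisk  = @{ Processes  = @('sqlservr.exe')
                  Exclusions = @(@{ Path = 'C:\Program Files\MyFolder\'; Subfolders = $true }) }
    HighRisk = @{ Processes = @('outlook.exe', 'winword.exe'); Exclusions = @() }
}
# The shape the thread started with: the same folder excluded in Default, i.e. for every process.
$bad = @{
    Default  = @{ Processes  = @()
                  Exclusions = @(@{ Path = 'C:\Program Files\MyFolder\'; Subfolders = $true }) }
    LowRisk  = @{ Processes = @('sqlservr.exe'); Exclusions = @() }
    HighRisk = @{ Processes = @('outlook.exe', 'winword.exe'); Exclusions = @() }
}

# Sample accesses (constructed): the database engine, an Office app, and something else
# writing an executable into the excluded tree, which is the share-hopping worm case.
$accesses = @(
    @{ Process = 'sqlservr.exe'; Path = 'C:\Program Files\MyFolder\Data\app.mdf' },
    @{ Process = 'winword.exe';  Path = 'C:\Program Files\MyFolder\notes.docx' },
    @{ Process = 'explorer.exe'; Path = 'C:\Program Files\MyFolder\Data\dropper.exe' }
)

foreach ($set in @(@{ Name = 'folder excluded in Low-Risk only'; P = $good },
                   @{ Name = 'folder excluded in Default';       P = $bad  })) {
    "`n== $($set.Name) =="
    $accesses |
        ForEach-Object { Test-WouldScan -ProcessName $_.Process -Path $_.Path -Policies $set.P } |
        Format-Table -AutoSize
}
```

With the first configuration only the sqlservr.exe access is unscanned; the dropper written by explorer.exe and the document opened by winword.exe are both scanned, because their governing policies carry no exclusion for that folder. With the second, the Default exclusion lets the dropper through unscanned, and because the model consults only the governing policy, the sqlservr.exe access is scanned after all: the process is listed under Low-Risk, and Low-Risk has no exclusions. The model leaves out the read/write/network flags and archive settings of each policy; it is only meant to check which process-and-path combinations a proposed set of exclusions would leave unscanned.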

                        • 9. Re: Low-Risk\High Risk Processes Policies - what to specify
                          wayneb

                          Hi

                           

                          So let me see if I've got this:

                           

                          So I could have the folder C:\Program Files\MyFolder excluded in the On-Access Low-Risk Processes Policies Exclusions tab and not in the On-Access Default Processes Policies exclusions, and then have the .EXE, e.g. SQLSERVER.EXE, in the Low-Risk Processes list?

                           

                          So in essence it would be like below.

                           

                          On-Access Low-Risk Processes Policies would have my .EXEs, i.e. SQLserver.exe, and on the Exclusions tab it would just have the folder path C:\Program Files\MyFolder?

                          [Screenshot attachment: mcafee.PNG]

                          I then don't have an exclusion for the folder in the On-Access Default Processes Policies? Or can I leave it in both, and if so, if sqlserver.exe existed in the folder, would it ignore the Low-Risk policy set above and exclude it from scanning because it's in the exclusions list on the default policy?

                           

                          So basically you're saying .EXEs should never be used in the Exclusions tab but only in the Low/High-Risk processes list, but if they are in the exclusions will they still be ignored, but .txt and other files are OK to leave in the On-Access Default Processes Policies exclusions list?

                           

                          Thanks

                           

                          Message was edited by: wayneb on 01/08/13 04:40:15 CDT