I have just inherited an ePO server with a totally new set of VSE 8.8 exclusions.
Firstly, there are over 300 exclusions set within the policy, ranging from file types and paths to single exe's. Is there a limit with VSE 8.8?
There is no low and high risk, just On-Access Default Process policies.
Rather than use Low and High risk they have just added the exe in the file path on the On-Access Default Process policies. For example, SQLSERVR.exe.
Does this have any effect as an exclusion? I would be under the impression that if you want to exclude this process you need to add it to the low risk section. Adding it without a path in front means VirusScan will not be able to find it, and if it could, how would it be excluded? When it's opened?
Well, this was my impression until I saw this in the VSE 8.8 Best Practice guide ... By putting Frameworkservice.exe here what is that achieving? Should this be in the process section?
Adding it without a path in front means VirusScan will not be able to find it, and if it could, how would it be excluded?
Exclusions can be specified with bare filenames (full or with joker characters), relative or absolute paths (full or using joker chars, see relevant KB articles). That is, your example seems to be a totally normal specification.
I would be under the impression that if you want to exclude this process you need to add it to the low risk section
If you know exactly how and which files or folders you would like to exclude, you can safely use the Default policy. Low Risk policy is useful for excluding files that certain processes access often (read or write, etc.) of which you are certain that they do not introduce viruses in these files.
In addition, there could be files with similar extensions or names that may be accessed by other processes and low risk processes, so these files might appear on one exclusion list in the Low Risk process policy, but do not appear on the exclusion list of the Default Risk process policy.
By putting Frameworkservice.exe here what is that achieving? Should this be in the process section?
In my opinion the FrameworkService.exe as a file on the exclusion list in the picture could be a mistake; this .EXE should never normally be accessed very frequently, not to mention modified at all (except maybe during an agent version upgrade). This should rather be in the process section.
This picture may not be very precise as there are 3 file exclusions with "Exclude subfolders" as Yes on each line.