5 Replies Latest reply on Jun 14, 2013 7:25 AM by Attila Polinger

    Exchange 2010 Low Risk/High Risk Processes Policies VSE 8.x

    wayneb

      I'm still not entirely OK with Low/Default/High Processes Policies. I've looked at lots of McAfee docs, but none explain clearly enough, in layman's terms.

       

      So, my scenario:

       

      I've currently got the On-Access Default Processes Policy set up that excludes lots of Microsoft-recommended folders, i.e. %ExchangeInstallPath%\TransportRoles\Data\SenderReputation

       

      But I see they also recommend process exclusions, i.e. cdb.exe, MSExchangeFDS.exe, etc.

       

      Where do I place these processes, under Low-Risk Processes? And if so, what about the Exclusions tab, and what do I tick/untick under Scan Items?

       

      Thanks all

        • 1. Re: Exchange 2010 Low Risk/High Risk Processes Policies VSE 8.x
          Attila Polinger

          Hello,

           

          We speak of scanning of files accessed or created by processes. If you don't care which process accesses or creates a file, you use the Default Processes section. If you care, you use the Low or High Risk Processes section.

           

          When setting exclusions from scanning, you may also ignore which process accesses or creates a file, so you set the exclusions in the Default Processes section. When you want to exclude files from scanning only in the event that one or more certain processes access or create these, you can use the High Risk or the Low Risk Processes sections.

           

          In your example: Microsoft wants exclusions to be taken in the Low Risk section and therefore you should enter those processes as criteria in the Low Risk Processes section. Then the appropriate file exclusions should be entered in the same section (and removed from the Default Processes section).

           

          Which means that when a file gets modified or accessed in those folders you mention here, it is only excluded from scanning when it is accessed, etc. by any of the processes (or child processes thereof) that you specified in the Low Risk Processes section.

           

          I think Microsoft also specifies which type of scanning should not be applied on those files, but normally read and write scanning should be disabled on files frequently read / written by those processes.

           

          There is a KB article on how exclusions are interpreted if Low Risk Processes are being used: http://kb.mcafee.com/agent/index?page=content&id=KB55139

           

          Attila

          • 2. Re: Exchange 2010 Low Risk/High Risk Processes Policies VSE 8.x
            wayneb


            Hi, so to clarify:

             

            If I just wanted to use the Default Policy, I'd input not only the folders I mentioned but the processes also? See below?

             

            [Attached image: mcafee.GIF]

             

            Whereas if I used the Low-Risk policy I'd apply the processes, i.e. cdb.exe, to the Scan Items tab? And then add the folder, i.e. %ExchangeInstallPath%\TransportRoles\Data\SenderReputation, under the exclusions folder?

            • 3. Re: Exchange 2010 Low Risk/High Risk Processes Policies VSE 8.x
              Attila Polinger

              You do not need to add the process name under the exclusion tab in Default/Low/High Risk section. Process name should be entered in the Processes section of Low and High Risk mode.

               

              With Low Risk or High Risk policy, the exclusions that you enter will apply only when those files are accessed by a process (or any child process thereof) that you specified under the Processes tab.

               

              In your example: enter cdb.exe under the Processes/Low Risk processes list. Then add any exclusions (files with or without path, folders) under the Exclusion tab of Low Risk processes section that you want to be excluded from OAS scanning when cdb.exe accesses them.

               

              These files or folders that you added here will not be excluded if any other process (except for any child process of cdb.exe) accesses them.

               

              Attila

               

              Message was edited by: apoling on 14/06/13 09:37:18 CEST
              • 4. Re: Exchange 2010 Low Risk/High Risk Processes Policies VSE 8.x
                wayneb

                Thanks, and as far as the Scanning tab under Low-Risk, I assume I don't need to tick the scan on read/write boxes? And as long as all my .exe's are listed under the Processes tab I don't need to add exclusions, as the folders are listed in my default exclusions?

                • 5. Re: Exchange 2010 Low Risk/High Risk Processes Policies VSE 8.x
                  Attila Polinger

                  The Scanning tab is another place to configure different policies for Low Risk processes. Be aware that under Scanning all the settings apply to every process that you enter on the Low Risk process list.

                   

                  "as long as all my .exe's are listed under processes tab I don't need to add exclusions as the folders are listed in my default exclusions"

                   

                  If you enter a process name on the Low Risk section and do not enter any exclusion in the Low Risk section then any exclusion that you enter on the Default process will be excluded no matter what process accesses that excluded file. So in this case adding that process name on the Low Risk section is superfluous.

                   

                  But if you want to exclude a folder only when a file in that folder is accessed by a low risk process but you want to scan that file if that is accessed by any other process, then you should make the exclusion of the folder in the Low Risk Processes section and make sure that it is not on the exclusion list of the Default Processes section.