When it comes to vendor documentation (and this actually includes some McAfee documentation), the recommended exclusions can sometimes be ambiguous, and the worst example of this usually revolves around process exclusions. When a vendor recommends a process exclusion, this could mean either:
- (Option 1) The process touches a large number of files, and you want to exempt this process, full stop, from scanning: no file should be subject to on-access scanning if it is read by this process or written to by this process. This follows the same kind of logic as KB68701, for example, where in step 1 the processes are configured as low-risk and the read and write options are both deselected.
- The process itself should not be scanned. This could mean either:
  - (Option 2) You configure the source .exe as an excluded file. I have seen this done, but do not believe this to be correct. The file itself is not the process.
  - (Option 3) When the process is running in memory (i.e. is an actual process), it should not be scanned. To be honest, I am not even sure if this makes sense. Could it be the case that the impact of a false positive would be too high? Could scanning the process in memory cause the process to die in any way? I am not an OS expert, so I genuinely don't know.
Now, based on much documentation, I tend to default to Option 1 above (i.e. essentially treating the process as 'trusted'). However, a recent Citrix article that I have read (http://support.citrix.com/article/CTX124185) has the following wording:
"Avoid scanning these processes on the Provisioning Server: StreamService.exe, StreamProcess.exe and the soapserver.exe."
Now, the wording of this would imply that the processes themselves should not be scanned. If this is the case, then we would essentially be looking at the On-Demand scans, and not selecting 'running processes' under 'locations to scan'. I cannot see any way to leave this option selected but exclude specific running processes. The exclusions tab for OD tasks, I would assume, applies to files and folders and not processes.
Does anybody else have any thoughts on this?
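The three readings of "process exclusion" described in the post differ mainly in how much activity escapes scanning. The following is an added illustration, not code from the post, from McAfee or from Citrix: a small Python model of an on-access/on-demand scanner's decision, with the three options expressed as separate policies and run over a constructed set of events on a hypothetical Provisioning Server. The process names come from the quoted Citrix article; the file paths, the event list and the `Policy`/`Exclusion`/`Event` names are assumptions made up for the example.

```python
"""Model of the three possible meanings of a vendor 'process exclusion'.

Constructed teaching example: it is not a description of how any specific
AV product stores or evaluates its exclusions, only of what each reading
would leave unscanned.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Set


class Policy(Enum):
    TRUSTED_PROCESS = 1    # Option 1: low-risk process; its reads and writes are not scanned
    EXCLUDED_EXE_FILE = 2  # Option 2: the process's .exe is listed as an excluded file
    SKIP_MEMORY_SCAN = 3   # Option 3: the running process is skipped by the memory scan


@dataclass(frozen=True)
class Exclusion:
    process_name: str   # image name, e.g. "StreamService.exe"
    policy: Policy
    exe_path: str = ""  # only meaningful for EXCLUDED_EXE_FILE


@dataclass(frozen=True)
class Event:
    kind: str     # "read"/"write" (on-access) or "memory" (on-demand 'running processes')
    process: str  # image name of the process performing the action
    target: str   # file path touched, or image name for "memory" events


def _same_name(a: str, b: str) -> bool:
    # Windows image names and paths are compared case-insensitively.
    return a.casefold() == b.casefold()


def should_scan(event: Event, exclusions: Iterable[Exclusion]) -> bool:
    """Return True if the scanner would still inspect this event under the exclusions."""
    for ex in exclusions:
        if event.kind in ("read", "write"):
            # Option 1 exempts every file the trusted process reads or writes.
            if ex.policy is Policy.TRUSTED_PROCESS and _same_name(ex.process_name, event.process):
                return False
            # Option 2 exempts only the executable file itself, whoever reads it.
            if ex.policy is Policy.EXCLUDED_EXE_FILE and _same_name(ex.exe_path, event.target):
                return False
        elif event.kind == "memory":
            # Option 3 only changes the on-demand scan of running processes.
            if ex.policy is Policy.SKIP_MEMORY_SCAN and _same_name(ex.process_name, event.target):
                return False
    return True


def unscanned_targets(events: Iterable[Event], exclusions: Iterable[Exclusion]) -> Set[str]:
    """Everything that would escape scanning under the given exclusion set."""
    return {e.target for e in events if not should_scan(e, exclusions)}


# Placeholder install path; the real location is not given in the post.
EXE = r"C:\PVS_INSTALL_DIR\StreamService.exe"

# Constructed activity on a hypothetical Provisioning Server.
SAMPLE_EVENTS = [
    Event("read", "System", EXE),                              # loader reads the .exe
    Event("write", "StreamService.exe", r"D:\vDisks\win10.vhdx"),
    Event("read", "StreamService.exe", r"D:\vDisks\win10.pvp"),
    Event("write", "explorer.exe", r"C:\Users\admin\Downloads\setup.exe"),
    Event("memory", "-", "StreamService.exe"),                 # on-demand memory scan
]

OPTION1 = [Exclusion("StreamService.exe", Policy.TRUSTED_PROCESS)]
OPTION2 = [Exclusion("StreamService.exe", Policy.EXCLUDED_EXE_FILE, exe_path=EXE)]
OPTION3 = [Exclusion("StreamService.exe", Policy.SKIP_MEMORY_SCAN)]


def compare_options() -> dict:
    """Map each reading to the sorted list of targets it leaves unscanned."""
    return {
        "option1": sorted(unscanned_targets(SAMPLE_EVENTS, OPTION1)),
        "option2": sorted(unscanned_targets(SAMPLE_EVENTS, OPTION2)),
        "option3": sorted(unscanned_targets(SAMPLE_EVENTS, OPTION3)),
    }


if __name__ == "__main__":
    for name, targets in compare_options().items():
        print(f"{name}: not scanned -> {targets}")
```

Running it shows the practical difference: under Option 1 every vDisk file the stream service reads or writes bypasses on-access scanning while the unrelated `explorer.exe` download is still scanned; under Option 2 only the executable file itself is skipped; under Option 3 only the memory scan of the running process changes. That is why a vendor's one-line "avoid scanning this process" is worth clarifying with them before choosing: Option 1 is the broadest grant of trust, so if it is what the vendor intends, the exclusion should be limited to the specific process name (and, where the product allows, its full path) rather than a looser wildcard.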