423 Views 4 Replies Latest reply: Jul 30, 2013 6:10 AM by dmease729
dmease729 (Champion, 267 posts since Jul 22, 2011)

Jul 30, 2013 5:13 AM

Interpretation of recommended process exclusions

Hi,


When it comes to vendor documentation (and this actually includes some McAfee documentation), the recommended exclusions can sometimes be ambiguous, and the worst example of this usually revolves around process exclusions.  When a vendor recommends a process exclusion, this could mean either:


- (option 1) The process touches a large number of files, and you want to exempt this process full stop from scanning: no file should be subject to on-access scanning if it is read by this process, or written to by this process.  This follows the same kind of logic as KB68701, for example, where in step 1 the processes are configured as low-risk, and the read and write options are both deselected.
- The process itself should not be scanned.  This could either mean:
      - (option 2) You configure the source exe as an excluded file.  I have seen this done, but do not believe this to be correct.  The file itself is not the process.
      - (option 3) When the process is running in memory (i.e. is an actual process), it should not be scanned.  To be honest, I am not even sure if this makes sense.  Could it be the case that the impact of a false positive would be too high?  Could scanning the process in memory cause the process to die in any way?  I am not an OS expert, so I genuinely don't know.


Now, based on much documentation, I tend to default to Option 1 above (i.e. essentially treating the process as 'trusted'); however, a recent Citrix article that I have read (http://support.citrix.com/article/CTX124185) has the following wording:


"Avoid scanning these processes on the Provisioning Server: StreamService.exe, StreamProcess.exe and the soapserver.exe."


Now the wording of this would imply that the processes themselves should not be scanned.  If this is the case, then we would essentially be looking at the On Demand scans, and not selecting 'running processes' under 'locations to scan'.  I cannot see any way to leave this option selected but exclude specific running processes.  The exclusions tab for OD tasks I would assume applies to files and folders, and not processes.


Does anybody else have any thoughts on this?


cheers,

  • pierce (Champion, 401 posts since Feb 22, 2011)
    1. Jul 30, 2013 5:34 AM (in response to dmease729)
    Re: Interpretation of recommended process exclusions

    My on demand scan doesn't have any exclusions (apart from a few file extensions). As we haven't scanned process x with the OAS scanner and all the files it has created/touched, we need to look to see what it has done and check nothing dodgy has got on the system!


    If you never scan what it does via OAS and ODS then it could get up to anything, and by the time you notice it's way too late to easily fix!


    Of course this is dependent on a time you can scan your system and not cause issues.

  • pierce (Champion, 401 posts since Feb 22, 2011)
    3. Jul 30, 2013 5:44 AM (in response to dmease729)
    Re: Interpretation of recommended process exclusions

    Hey, yes, I go for the list of trusted applications. Generally I base this partly on documentation and partly on what's causing the most issues :-) Sometimes you have to install the profiler and see what exactly is causing the system to have such terrible performance.


    OAS is for when something does something, e.g. chrome.exe downloads a file. The ODS is for 'here is my C drive, scan everything', so I wouldn't expect it to have any process exclusions, only the folder exclusions that it has. As it's just looking at everything, there is no way to see what files touched what files on a system, so the process exclusion doesn't make sense in this scan. E.g. the temp folder: who saved stuff here? Doesn't matter to the ODS scanner, it just looks at everything.


    Hope that helps!
