When it comes to vendor documentation (and this actually includes some McAfee documentation), the recommended exclusions can sometimes be ambiguous, and the worst example of this usually revolves around process exclusions. When a vendor recommends a process exclusion, this could mean either:
- (option 1) The process touches a large number of files, and you want to exempt this process full stop from scanning - any file should not be subject to on-access scanning if it is read by this process, or written to by this process. This follows the same kind of logic as KB68701, for example, where in step 1 the processes are configured as low-risk, and the read and write options are both deselected.
- The process itself should not be scanned. This could either mean:
  - (option 2) You configure the source exe as an excluded file. I have seen this done, but do not believe this to be correct. The file itself is not the process.
  - (option 3) When the process is running in memory (i.e. is an actual process), it should not be scanned. To be honest, I am not even sure if this makes sense. Could it be the case that the impact of a false positive would be too high? Could scanning the process in memory cause the process to die in any way? I am not an OS expert, so I genuinely don't know.
Now, based on much documentation, I tend to default to Option 1 above (i.e. essentially treating the process as 'trusted'); however, a recent Citrix article that I have read (http://support.citrix.com/article/CTX124185) has the following wording:
"Avoid scanning these processes on the Provisioning Server: StreamService.exe, StreamProcess.exe and the soapserver.exe."
Now the wording of this would imply that the processes themselves should not be scanned. If this is the case, then we would essentially be looking at the On Demand scans, and not selecting 'running processes' under 'locations to scan'. I cannot see any way to leave this option selected but exclude specific running processes. The exclusions tab for OD tasks I would assume applies to files and folders, and not processes.
Does anybody else have any thoughts on this?
My on demand scan doesn't have any exclusions (apart from a few file extensions). As we haven't scanned process x with the OAS scanner, and all the files it has created/touched, we need to look to see what it has done and check nothing dodgy has got on the system!
If you never scan what it does via OAS and ODS then it could get up to anything, and by the time you notice it's way too late to easily fix!
Of course this is dependent on a time you can scan your system and not cause issues.
Hi Pierce - I agree, if it is not scanned by OAS, then it should be scanned with OD, with very few exceptions. However, this does not answer my original question - which interpretation should be used when a vendor advises that a process should be excluded. Given your phrasing of "As we havnt scanned process x with the OAS scanner and all the files it has created/touched..." I would assume that you, like myself, tend to go for option 1 (for purposes of OAS, you treat it as a 'trusted' process, using similar configuration options to the McAfee KB I mentioned). What are your thoughts on the wording of the Citrix article, and also the fact that you cannot configure a specific process exclusion in the OD settings?
Hey, yes, I go for the list of trusted applications. Generally I base this partly on documentation and partly on what's causing the most issues :-) Sometimes you have to install the profiler and see what exactly is causing the system to have such terrible performance.
OAS is for when something does something, e.g. chrome.exe downloads a file. The ODS is for 'here is my C drive, scan everything', so I wouldn't expect it to have any process exclusions, only the folder exclusions that it has. As it's just looking at everything, there is no way to see what files touched what files on a system, so the process exclusion doesn't make sense in this scan. E.g. the temp folder: who saved stuff here? Doesn't matter to the ODS scanner, it just looks at everything.
Hope that helps!
I am aware of what OAS and OD are :-) The Profiler has a number of issues, my primary complaint being that it doesn't take notice of exclusions itself (i.e. if you have already configured an exclusion, and you know that it isn't contributing to performance issues, it still includes it in the Profiler report!). Given the clunky nature of Profiler as well, I tend to go for the registry tweak to enable verbose OAS logging when it comes to performance issues.
But all that aside, the wording of the Citrix article appears to point to Option 3, which means that the only option I have is to remove 'running processes' under the OD scan settings (OD targets a lot more than just the local drives), which I do not really want to do. If there *is* an issue that can occur when AV products actually scan the running processes in question, however, then I have no option but to disable this as far as I can see - would you agree?
The other alternative is that the Citrix article is worded incorrectly, which happens far too often in vendor documentation!
Message was edited by: dmease729 on 30/07/13 06:11:28 CDT