8 Replies Latest reply on Feb 8, 2014 7:30 PM by ajha1

    unable to change On-Demand Scan exclusions

    rgivens

      I'm new to McAfee.  We have McAfee EPO 4.6 with the clients being VSE 8.8 scan engine 5600.1067.  There is a On-Demand policy assigned to servers.  I'd like to add some exclusions to an individual machine not throught the EPO policy that is assigned to numerous machines.  I open up the VirusScan Console on the machine and go to properties of the On-Demain task.  Every option to configure the On-Demand Scan is greyed out, specifically the Exclusions.  I'd like to add a couple of custom exclusions to this machine not globally through the EPO policy.  How do I do that since it's greyed out?  When I look at the policy in the EPO console the exclusions in the policy are not set to Overwrite client exclusions.

       

      One other quick question in regards to exclusions.  Why aren't the On-Access Scanner exclusions the same as the On-Demand exclusions?  I don't want to have to configure exclusions multiple times per machine.  So I have a machine that needs a custom exclusion.  I'm not going to include it in an EPO policy as it just applies to this machine.  I set it in the On-Access Scanner fine then I go into the On-Demand EPO policy and the settings are greyed out.  Shouldn't you be able to set exclusions on a machine in one spot?

        • 1. Re: unable to change On-Demand Scan exclusions
          carlsbl1

          On Access and On Demand are two entirely different functions.  One runs all the time looking for suspicious activity and files and the other is a scheduled function, like a weekly scan.  They have two different sets of policies.   You will likely find yourself setting more On Access policies than On Demand policies. 

           

          Greyed out issue, likely the default built in policy can't be edited and maybe that's the one you're editing? I can't remember the name now. Try either copying the policy to a different name and editing and applying that or maybe there is a MyDefault policy that is installed by ePO you can edit.

          • 2. Re: unable to change On-Demand Scan exclusions
            rgivens

            so I created a new policy that is a copy of the existing policy and assigned it to the machine.  I updated the policies on the machine from the epo console, the machine got the policy, and the settings are all greyed out just like the previous policy.  How do you setup one-off type exclusions for on-demand scans if it doesn't allow you to set exclusions from a client?

             

            Thanks for the help.

            • 3. Re: unable to change On-Demand Scan exclusions
              carlsbl1

              On a managed client, all settings are usually managed from the ePO server. You apply a policy to a system or a group that contains the system.

              • 4. Re: unable to change On-Demand Scan exclusions
                Laszlo G

                Hi rgivens, if you haven't checked the option to show managed tasks under virusscan console then you are trying to modify a default task and not the one you want.

                 

                Can you please post a screenshot of what you see? (screens with the greyed options)

                • 5. Re: unable to change On-Demand Scan exclusions
                  joeleisenlipz

                  I would always recommend that you manage all policies through ePO (that is the purpose afterall), but I suppose there are a few things to point out.

                   

                  • The items within the VSE console may be greyed-out because of the Display Options within the General policy.
                  • On-Access policies include an option whether to overwrite client exclusions right under the list of exclusions. If you really don't want a record of these exclusions, this could be an option for you.
                  • I typically recommend that items that are excluded from OAS by path/pattern/filename are specifically NOT excluded from ODS scanning. Even if you need to setup a special scan with a goofy schedule, nothing should ever be completely exempt from scanning.
                  • I prefer OAS exclusions based on process name, hands-down. It makes policy cleaner, and is much more effective.

                   

                  Message was edited by: joeleisenlipz on 2/7/14 9:57:21 AM EST
                  • 6. Re: unable to change On-Demand Scan exclusions
                    rgivens

                    Here is the McAfee official response which is lame I have to say - EPO Managed OnDemandScan Task cannot be modified on the local VSE console as it is managed by ePO server. 

                     

                     

                    It's kind of shocking to me coming from using Symantec Endpoint Protection for 9 years.  What I wanted to do was setup an OnDemandScan task that applies to all machines with some of the general exclusions you want excluded from all machines.  Then I wanted to go into each machine that needed a specific exclusion and add it there of which you can do in Symantec.  Apparently, I have to create dozens of OnDemandScan Tasks and break everything out so I can assign the tasks to the appropriate machines.  Additionally, OnAccess and OnDemand have seperate exclusions so I have to manage those seperately also.  It seems very inefficient.

                    • 7. Re: unable to change On-Demand Scan exclusions
                      rothman

                      rgivens wrote:

                       

                      Then I wanted to go into each machine that needed a specific exclusion and add it there of which you can do in Symantec.  Apparently, I have to create dozens of OnDemandScan Tasks and break everything out so I can assign the tasks to the appropriate machines.  Additionally, OnAccess and OnDemand have seperate exclusions so I have to manage those seperately also.  It seems very inefficient.

                       

                      This is exactly the point of a centrally managed system.  It is very similar to Windows group policy in that if you change the local group policy on a machine, it is only temporary and will be changed to whatever the group policy is set to at its parent.

                      • 8. Re: unable to change On-Demand Scan exclusions

                        Hi Rigvens.

                         

                        Hope you are doing Great.

                         

                        Before i start:

                        On Access Scan, is Real Time Scan happening the machine, Every Read, Write and Execute (I/O Operation) is scanned by the VSE OnAccessScanner.

                         

                        On Demand Scan, is complete Scan of all the files on the machine, sometime some malicious files sits on the machine do not perform I/O Operation and hides on the machine HDD, On Demand Scan performs a scan on the complete machine and cleans/deletes such files.

                         

                         

                        Please follow answered to your Questions :

                         

                        i. I'd like to add some exclusions to an individual machine not throught the EPO policy that is assigned to numerous machines.  I open up the VirusScan Console on the machine and go to properties of the On-Demain task.  Every option to configure the On-Demand Scan is greyed out, specifically the Exclusions.  I'd like to add a couple of custom exclusions to this machine not globally through the EPO policy.  How do I do that since it's greyed out?  When I look at the policy in the EPO console the exclusions in the policy are not set to Overwrite client exclusions.

                         

                        Ans. If you like to add specific Exclusion on the OnDemandScan happening on a particulat machine, then Login to ePO Console, Go to Menu- Policy - Client Task Catalog.

                         

                        Create a New OnDemandScan, Name it "TestScan" (For instance), then open the "TestScan" OnDemandScan and Click on Exclusion Tab and add whatever Exclusion you want to Add.

                         

                        Now, Go to System Tree, and Select the Machine, you want to add the Custom OnDemandScan Client Task you have jut created, and Go to Action - Agent - Modify Client Task for a Single System, New Assignment, Select VirusScan Enterprise - On Demand Scan - Select the "TestScan" Client Task from the Different Task Populated - Click Next and Schedule it, and Click on Save.

                         

                        - You Have to perform the above steps for all the machine you want specific exclusions in the OnDemandScan.

                         

                        ii. One other quick question in regards to exclusions.  Why aren't the On-Access Scanner exclusions the same as the On-Demand exclusions?  I don't want to have to configure exclusions multiple times per machine.  So I have a machine that needs a custom exclusion.  I'm not going to include it in an EPO policy as it just applies to this machine.  I set it in the On-Access Scanner fine then I go into the On-Demand EPO policy and the settings are greyed out.  Shouldn't you be able to set exclusions on a machine in one spot?

                         

                        Ans. On Access Scanner Exclusion are different from On Demand Scan Exclusion, Please check the Definition at the beggining of my Comment.

                         

                        For Applying Custom Policies,  Login to ePO Console, Go to Menu- Policy -Policy Catalog.

                         

                        Create a New Policy for the VSE On Access Policy, Name it "TestOnAccess Policy" (For instance), then open the "TestOnAccess Policy" and Click on Exclusion Tab and add whatever Exclusion you want to Add.

                         

                        Now, Go to System Tree, and Select the Machine, you want to add the Custom OnAccess Policy Client Task you have just created, and Go to Action - Agent - Modify Policy for a Single System,Select the OnAccessScan Policy and Click on Save.

                         

                        - You Have to perform the above steps for all the machine you want specific exclusions in the OnAccessScan.

                         

                        Option are grayed out on the VSE Console on the client machine, as it is lockedout from the ePO Policy.

                         

                        Please reply to the post, if you have any queries.