I just want to be sure I understood how these nice policies work.
Low Risk Policy and High Risk Policy
Here you are able to define different processes (example.exe, example.com, example.bat) and then define the working directory in which the process example.xyz is allowed to work under the given configuration (like "scan on read/write" or none of them, looking out for PUPs which can come up in any job or whatever else is started by the defined process). Just for On-Access Scanning.
This is not the place to define general exclusions for directories - this policy is only good for the different settings on how to handle processes and their working directories. Is this right?
If I define example.exe as a process exclusion, the process itself is being scanned but not the directories I defined nor the extensions I defined in exclusions - right?
Difference between low and high risk policy: you MUST mark at least one scan option in high risk: on read or on write.
Standard Risk Policy
Here - and ONLY here - you are able to set simple folder, extension and executable exclusions for On-Access Scanning ("C:\Example.exe", "**\example\", "**\Example\**\Example.exe" and so on with other wildcards, or LUNs or mounted drives which are already scanned via other agents on other systems).
I have read nearly all articles in this forum and the KB articles, but I am puzzled about the mechanism of how the low and high risk policies work at all. Defining only directory exclusions in the low risk policy is of no use (tested with EICAR); defining these exclusions only in the standard risk policy works fine. So I am wondering how to make good use of the low and high risk policies. For sure Office and Adobe executables have to stay put in the high risk policy (I know the names of the policies are just "names" and could have been "Policy A" and "Policy B"), but when I define a process in the low risk policy and don't define working directories, is it working properly (like a wildcard for every folder and drive) or is it just useless?
When it is like a wildcard (as for example in the high risk policy) and the executable I defined is working in an exclusion I defined in standard risk: will the executable be scanned on read and write, or does the standard risk policy supersede the high risk policy?
Can someone explain how the link between the defined process and the folder exclusion in the low/high risk policy works? Or is there no link at all and the folder exclusion has nothing to do with the process exclusion (and if so: what is the folder exclusion in the low/high risk policy good for in this case)? And... how about a nice and clean paper for it @ McAfee/Intel?
My English is not as good as it should be, so please feel free to ask for further information if anything is not understandable.