4 Replies Latest reply on Jun 4, 2014 10:36 AM by sanders_78

    McAfee Move agentless UNC path exclusion

    sanders_78

      Dear Community,

       

      I would like to highlight a strange behavior on this platform. First some info:

      ESX 5.1

      McAfee move agentless 3.0.0

       

      I'm trying to exclude a UNC path from scanning for a regular user. The problem does not appear for a local administrator of the server trying to reach the remote share.

      Server1 is the fileserver (win2k8R2, share RW for everyone)

      Server2 is the TS server from where I'm reaching the Server1 share (win2K12)

       

      User1 is administrator on Server2 and has full right on the Server1 shares

      User2 is a regular user without specific right on Server2 but with full right on Server1 shares

       

      When I'm logged on the Server2 with User1, browsing Server1 shares is fast, no issue.

      When I try the same share browsing with User2 I get the annoying green progress bar in Windows Explorer when accessing the share, preventing any action for more than 15 sec.

      (https://www.google.be/search?q=explorer+green+progress+bar&source=lnms&tbm=isch&sa=X&ei=zCmPU83MBKGJ0AWLnIDYDQ&sqi=2&ved=0CAYQ_AUoAQ&biw=1320&bih=755#facrc=_&imgdii=_&imgrc=igWOwV6IwmuZJM%253A%3BGtb5bVi_-qVAoM%3Bhttp%253A%252F%252Fthewindowsclub.thewindowsclubco.netdna-cdn.com%252Fwp-content%252Fuploads%252F2010%252F01%252Fexplorer-progress-bar-400x87.png%253F0479ea%3Bhttp%253A%252F%252Fwww.thewindowsclub.com%252Foptimize-make-windows-7-folders-display-contents-faster%3B400%3B87)

       

      The behavior persists whatever I do, except... if I unload the vShield filter from Server1 (the file server) with "fltmc unload vsepflt". No unload is necessary on Server2.

      That way I get instant access to the SMB share with both types of users.

       

      QUESTION:

      I would like to exclude this UNC path and all subfolders from the scan policy. In the exclusions of MOVE Agentless 3 in ePO I tried:

      **\Server1\share\                 (and subfolders)

      \\Server1\share\                   (and subfolders)

      H:\shares                            (drive letter on the Server1)

       

      No change. Any idea to get rid of this situation?

        • 1. Re: McAfee Move agentless UNC path exclusion
          dsabulsky

          Exclusions (OAS and ODS) examples for MOVE Agentless 3.0

           

          The VMware Endpoint Driver attempts to enforce some scan policy items at the VM itself; these include path exclusions, file extensions to be scanned, and whether OAS is enabled or disabled. However, due to limitations in the way the VMware Endpoint Driver is implemented, some exclusions (e.g. Path Exclusions, File Extension Inclusions) will not work on the client and must be addressed at the SVA. Because of this limitation of the VMware Endpoint Driver we cannot rely on it and must enforce these settings at the SVA; therefore, the more exclusions and file type inclusions, the more work is required by the SVA.

           

          Wildcard exclusions for file exclusions:

           

          Wildcards may be used in most strings in order to match multiple files with a single exclusion.

           

          PLEASE NOTE: The following wildcards are supported; however, environment variables and UNC paths are not supported.

           

          • Valid wildcards are question mark (?) for excluding single characters and asterisk (*) for excluding multiple characters.

           

          • Wildcards can appear in front of back slashes (\) in a path. For example, “C:\ABC\*\XYZ” matches “C:\ABC\DEF\XYZ”.

           

          • An exclusion containing question mark (?) characters applies if the number of characters matches the length of the file or folder name. For example, the exclusion “W??” excludes “WWW”, but does not exclude “WW” or “WWWW”.

           

          • The syntax is extended to include a double asterisk (**), which means zero or more of any characters including backslash. This allows multiple-depth exclusions. For example, “C:\ABC\**\XYZ” matches “C:\ABC\DEF\XYZ” and “C:\ABC\DEF\DEF\XYZ”, etc.

           

           

          Also, please review the MOVE AntiVirus 3.0 Product Guide (Product Documentation ID: PD24625), see page 21.
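          An added example (my own code, not McAfee's matcher or anything from the product) that applies the wildcard rules quoted above to sample paths, so an exclusion can be sanity-checked before it goes into ePO; it also flags the two forms the reply says are unsupported. The assumption that `?` and `*` stop at a backslash, the `and_subfolders` handling and all sample paths are mine.

```python
import re

def exclusion_to_regex(pattern: str) -> str:
    """Translate a MOVE-style wildcard exclusion into a regex, using the rules
    quoted above: '?' = one character, '*' = zero or more characters, '**' =
    zero or more of any characters including backslash. Assumption (not on the
    page): '?' and '*' stop at a backslash, so only '**' crosses levels."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")         # crosses directory levels
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")    # stays within one path component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")     # exactly one character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "".join(parts)

def matches(pattern: str, path: str, and_subfolders: bool = False) -> bool:
    """True if the exclusion covers the path (case-insensitive, like Windows).
    and_subfolders mirrors the ePO "(and subfolders)" option by appending '**'
    to a folder pattern; how ePO really implements it is an assumption."""
    if and_subfolders and pattern.endswith("\\"):
        pattern += "**"
    return re.fullmatch(exclusion_to_regex(pattern), path, re.IGNORECASE) is not None

def unsupported_reason(pattern: str):
    """Return why the reply above says a pattern cannot work, else None."""
    if pattern.startswith("\\\\"):
        return "UNC path"
    if re.search(r"%[^%\\]+%", pattern):
        return "environment variable"
    return None

if __name__ == "__main__":
    # Constructed checks: the documented examples plus the patterns from this thread.
    for pat, path, sub in [
        (r"C:\ABC\*\XYZ", r"C:\ABC\DEF\DEF\XYZ", False),   # '*' alone: no match
        (r"C:\ABC\**\XYZ", r"C:\ABC\DEF\DEF\XYZ", False),  # '**': match
        (r"h:\Server1_folder\**\*.XXX", r"H:\Server1_folder\a\b\report.xxx", False),
        ("H:\\shares\\", r"H:\shares\docs\plan.doc", True),
    ]:
        print(f"{pat:32} {path:40} {matches(pat, path, sub)}")
    print("\\\\Server1\\share\\ ->", unsupported_reason("\\\\Server1\\share\\"))
```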

          • 2. Re: McAfee Move agentless UNC path exclusion
            sanders_78

            Dear dsabulsky,

             

            Thanks for your reply. I read the documentation already and it doesn't point me in the right direction so far, but I agree I may be missing something.

            I guess there are 2 options here:

            1/ Exclude the folder on Server1: as most files have the same extension (let's say XXX to be generic), should the line below work or not?

            h:\Server1_folder\**\*.XXX 

            This is not the share name but the real folder name on the file server Server1. So I try to exclude the file type XXX for this folder and its subfolders.

            So far it's not working

             

            2/ Exclude a UNC path: the examples I put in my original post don't work.

            • 3. Re: McAfee Move agentless UNC path exclusion
              dsabulsky

              The best way to test any anti-virus exclusion is to use the EICAR test sample. Start with a simple exclusion syntax, and then work towards the final solution.

               

              example:

               

              Step 1. Just create a simple exclusion for: c:\myfolder\   or   <logical drive letter>:\<folder name>\

               

              Step 2. Put the EICAR test sample into the excluded folder; it should not get detected.

              • 4. Re: McAfee Move agentless UNC path exclusion
                sanders_78

                Hi dsabulsky

                 

                I do this test all the time to confirm the security of the solution; however, here I have an easier way: the speed of access to the concerned path. The difference is so big you cannot miss it. In the meantime I did some testing:

                1/ h:\Server1_folder\**\*.XXX doesn't seem to work: too many wildcards or not well written.

                This solution is however the one I would like: the most reduced scope, with a folder set (and sub *) and a file extension.

                 

                2/ Just for the test I tried only with a file type and no path exclusion: *.XXX is not reducing network share browsing speed.

                 

                So far only the path exclusion seems to work, which is annoying because security is not assured anymore.

                Can someone help me write a folder path with wildcard and file type exclusion? Point 2/ means maybe the definitive solution is somewhere else.