9 Replies Latest reply: Jul 24, 2014 10:23 AM by rmetzger

    Low Risk / High Risk

    mac_load

      Dear all

      For several days now, McAfee has been deployed in our company. All corporate applications are installed under c:\Applications. Before, with the old antivirus system, the applications started after a few seconds. Now we must wait a few minutes.

      I saw that I can configure VSE to use High/Low risk processes. My question is: what is the better solution?

      1/ Configure On-Access Processes by just adding the processes of our corporate application as low-risk processes, without excluding the directory (c:\Application), and with Write/Read/Opened for backup configured

      2/ Add the corporate application processes as low-risk processes, without excluding the directory (c:\Application), and with Write/Read/Opened for backup not configured

      3/ Add the corporate application processes as low-risk processes, with the directory (C:\Application) excluded AND with Write/Read/Opened for backup not configured

      Many thanks for your help

      Regards

        • 1. Re: Low Risk / High Risk
          llamamecomoquieras

          Hi there,

          My advice would be to set the process as Low Risk and leave writing and reading ticked. Opened for backup you can leave ticked or unticked, as the files will be scanned when moving across.

          If you have problems identifying the process that you need to set as low risk, then Process Monitor is your best friend.

          Best regards,
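As an added example (not code from the thread or from McAfee), the following PowerShell snapshot lists the running processes whose executable lives under the corporate application root named in the thread (C:\Applications, assumed here as `$AppRoot`), which are the candidate names for the VSE Low-Risk Processes list. It also flags helper processes the application spawned from outside that root (a JVM, a script host), since those still do the file I/O and would remain at the default risk level unless they are listed too. Run it while the application is in use; Process Monitor remains the tool for catching short-lived processes that a snapshot misses.

```powershell
# Added example, not part of the original thread. Snapshot of running processes
# under an assumed corporate application root, as candidates for the VSE
# Low-Risk Processes list. Adjust $AppRoot to your own layout.
param(
    [string]$AppRoot = 'C:\Applications'
)

function Get-CandidateLowRiskProcesses {
    param([string]$Root)

    # Normalise so 'C:\Applications' and 'c:\applications\' compare equal
    $rootNorm = $Root.TrimEnd('\') + '\'

    $all = Get-CimInstance -ClassName Win32_Process

    # Processes whose image lives under the application root
    $inRoot = $all | Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($rootNorm, [System.StringComparison]::OrdinalIgnoreCase)
    }
    $inRootIds = @($inRoot | ForEach-Object { $_.ProcessId })

    # Children started by an in-root process but living elsewhere (e.g. java.exe
    # under Program Files). They are easy to overlook when building the list.
    $spawned = $all | Where-Object {
        ($inRootIds -contains $_.ParentProcessId) -and ($_.ProcessId -notin $inRootIds)
    }

    foreach ($p in $inRoot) {
        [pscustomobject]@{
            Kind           = 'InRoot'
            ProcessName    = $p.Name
            ExecutablePath = $p.ExecutablePath
            ParentPid      = $p.ParentProcessId
        }
    }
    foreach ($p in $spawned) {
        [pscustomobject]@{
            Kind           = 'SpawnedOutsideRoot'
            ProcessName    = $p.Name
            ExecutablePath = $p.ExecutablePath
            ParentPid      = $p.ParentProcessId
        }
    }
}

$candidates = Get-CandidateLowRiskProcesses -Root $AppRoot |
    Sort-Object Kind, ProcessName, ExecutablePath -Unique

$candidates | Format-Table -AutoSize

# Keep a copy for review; the VSE console takes process names (e.g. corpapp.exe),
# not full paths, so the ProcessName column is what ends up in the policy.
$candidates | Export-Csv -Path "$env:TEMP\lowrisk-candidates.csv" -NoTypeInformation
```

Review the CSV before adding anything: every name you move to Low Risk gets the looser on-access policy, so a generic helper such as a script host or JVM listed there applies that policy to every instance of it on the machine, not only the one your application launched.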

            • 2. Re: Low Risk / High Risk
              mac_load

              Thank you. And is it necessary to add the directory to the excluded directories, or is it not necessary, and just adding the process as low risk is enough?

              • 3. Re: Low Risk / High Risk
                llamamecomoquieras

                The process should be more than enough. We try to exclude as little as possible :)

                Another tip: if your application uses jar, zip... untick scan archives ;)

                Best regards,

                • 4. Re: Low Risk / High Risk
                  ansarias

                  Re: Low Risk / High Risk

                  Thank you. And is it necessary to add the directory to the excluded directories, or is it not necessary, and just adding the process as low risk is enough?

                  The directory is necessary to add to the exclusions, otherwise McAfee will scan that directory. If you have the complete process list and directory, then add them under Low Risk, as McAfee defined Low Risk for application-related exclusions.

                  Another good option for scanning: remove scan on read and opened for backup from the General policies and select only Write.

                  • 5. Re: Low Risk / High Risk
                    llamamecomoquieras

                    Hi Ansarias,

                    I disagree a little bit with that. He should try to add only the process under Low Risk, and if the issue persists then go for the exclusions as you said, under Low Risk of course.

                    Cheers,

                    José María

                    • 6. Re: Low Risk / High Risk
                      ansarias

                      Hi,

                      Well, I'd suggest using only Default, unchecking Low and High Risk, and adding the process to the default exclusion list.

                      • 7. Re: Low Risk / High Risk
                        mac_load

                        So if I understand, unchecking the scanning mode for read access (and checking it for write and backup) in the default rule policies is not a good solution (for security reasons?)

                        • 8. Re: Low Risk / High Risk
                          ansarias

                          Nope, you can go ahead and uncheck it for the read action, as again it will not affect the PC.

                          Message was edited by: ansarias on 24/7/14 6:53:09 PM IST
                          • 9. Re: Low Risk / High Risk
                            rmetzger

                            Hi mac_load,

                            mac_load wrote:

                            So if I understand, unchecking the scanning mode for read access (and checking it for write and backup) in the default rule policies is not a good solution (for security reasons?)

                            Absolutely.

                            Never uncheck Scan on Read Access. It should not even be an option anymore. Without Scan on Read Access, you might as well not have AV running.

                            Unchecking read access, 10 years ago, helped performance, but since malware such as Conficker has been released in the wild, you must maintain scanning on read access. (It turns out that a program/malware can be downloaded (scan on write, right?) to the hard drive and executed before the Scan on Write is done. Scan on Read catches this and stops the execution as expected.)

                            So, try to leave 'Scan on Read' checked if you possibly can.

                            Configure High/Low Risk Processes and define your corporate application as a Low Risk Process. Keep Scan on Read/Write checked. Whether you want 'Opened for backup' is optional. Likewise, uncheck Scan Archives, as they should get scanned on extraction as long as Scan on Read and Write is checked. Also, you may want to define whether ScriptScan is active on your corporate apps as well, under the Low Risk Processes.

                            Just because you can place your corporate apps in the Low Risk Processes doesn't mean that they cannot be co-opted by malware from other sources. Remember to periodically (weekly?) do an On-Demand Scan of these files to reduce the likelihood of the looser On-Access (low risk) policies missing something.

                            Using High/Low Risk Processes is designed to provide better security/better performance (respectively) compared to the defaults, giving greater administrator control. But with that greater control comes greater administrator responsibility.

                            Finally, Exclusions (from scanning) should not be done if at all possible; they should be rare, and only done if you can directly show a need where High/Low Risk Processes will not work.

                            Check the Best Practices Guides to read further. Also, WWarren has written some excellent forum discussions on this topic.

                            Good luck.

                            Ron Metzger