2 Replies Latest reply on Oct 24, 2014 8:39 AM by fitchsoccer342

    odd exclusion syntax in ePO for VSE

    becke

      Is anyone familiar with the exclusion syntax with the prefix "\:::" for ePO/VSE process exclusion? Is it documented anywhere?

      I can find no documentation anywhere on what this syntax means - it appears to function as if it references the current McAfee VSE install directory on the client.

       

      The instance of this syntax is located in our ePO installation (that I inherited) in an assigned policy at the root of the system tree of category: VirusScan Enterprise 8.8.0 : Access Protection Policies

      Within this policy and the defined access protection rules under category "Common Standard Protection" : Prevent modification of McAfee files and settings, it has a bunch of executables it's excluding with this odd syntax.

       

      exclusions.png

      The executables being excluded are in the VSE folder and do seem to be successfully excluded -

      EXCEPT in the case when we were updating HIPS on the clients - this caused the exclusions to fail until we restart the clients - at which point the exclusions start working again.

        • 1. Re: odd exclusion syntax in ePO for VSE
          M Bagheryan M

          I suggest you configure your HIPS in Adaptive mode for a while, then see the result.

          • 2. Re: odd exclusion syntax in ePO for VSE
            fitchsoccer342

            That's odd, never seen wildcards like that before. Usually they are something like the below:

            Wildcards (**, *, ?) are helpful in creating exclusions for VSE, but certain rules apply (see examples below).

            • The ? wildcard is used to represent a single character in the exact position where it is placed in the path or file name.

            • The * wildcard is used to represent partial filenames or extensions with one or more characters from the exact position where it is placed in the path \ file given.

            • The ** wildcard is generally used for (partial) filenames or extensions with one or more characters from the exact position where it is placed in the path \ file given.

            • System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot because the On-Access scanner runs under the Windows Local System account.

            We have wildcards within VSE for things like this, but never seen the ::: before

            **\*.html

            <drive:>\**\test.exe

            <drive:>\**\*.tmp