13 Replies Latest reply on Oct 30, 2014 4:15 PM by jwood.mls

    Microsoft Exclusions

    jwood.mls

      Hello all,

      I have been in the process (for a while now) of migrating from an old ePO server to a new one.  In the process I'm trying to make sure I have exclusions set up, etc., for the best performance, particularly on my servers.  Given that different servers obviously have different roles, how do you all usually handle setting up exclusion policies?  It seems like it would be very fragmenting to make a policy for SQL servers, a policy for AD servers, DHCP servers, WSUS servers, etc.  Since a server that is not a WSUS server is not likely to have the folders that a WSUS server does, would the best way in most cases be to make the exclusions apply to all servers?

      I'm referring to the giant Microsoft exclusion list for reference:  http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

        • 1. Re: Microsoft Exclusions
          fitchsoccer342

          It does take a lot of time to set up VSE/IPS/FW policies, and it is really dependent on your organization's needs/requirements. On one of the networks we manage, we are hosting 500+ servers, and we have VSE/IPS/FW exclusions segregated for SQL/Exchange/DCs/Lync/Remedy/etc. However, on another network, where we manage only about 300+ servers, we have the policies more integrated, i.e., Workstation Focused & Server Focused. But there are different requirements driving each of those networks, which is why there is no wrong or right answer for setting up your policies like that.

          So if you were looking to make, say, VSE exclusions for all servers, just create a single On-Access Default Processes Policy and create all your exclusions in there and assign it at the necessary nodes. Within VSE, however, you are able to break scanning policies into High/Low/Default processes as well. See screenshot, but it takes more time to set up.

           

          The same thing applies for IPS & FW rules/signatures/exclusions as VSE, just that you cannot break the policies into High/Low - basically either configure a couple policies and apply the policies to the needed nodes, or create very segregated policies - which again takes a lot of time, but then allows you to segregate - why apply a needed exclusion for an IIS server to a domain controller?

          • 2. Re: Microsoft Exclusions
            jwood.mls

            Thank you for your reply.  We have a very small number of servers (less than 50).  I guess my reply is, if you apply an exclusion, and it doesn't apply, then it doesn't necessarily hurt anything or open you up to a vulnerability either. In that way, I could just use my default policies just customized with the exclusions in the server category, or am I thinking about that wrong?

            • 3. Re: Microsoft Exclusions
              fitchsoccer342

              For VSE, I would duplicate the default "On-Access Default Processes" policy and call it "Server Focused" or something like that. Then within that put all your exclusions for the servers if that is the route you want to go. Then assign it at the needed system tree nodes.

               

              You might have to also exclude certain processes within the Access Protection Policies policy in time as things get tripped.

              • 4. Re: Microsoft Exclusions
                jwood.mls

                I kind of had that stuff set up that way originally, but after working with support some time back, I came to the idea that the reason that there is a dropdown that selects between workstation and server is so that within your defaults you can do customization for each class, is that wrong?

                • 5. Re: Microsoft Exclusions
                  fitchsoccer342

                  It's up to you. You can do a single policy for workstations & servers and use that dropdown to delegate between the OS Platform, or create 2 separate policies. But you are correct in your approach.

                  • 6. Re: Microsoft Exclusions
                    jwood.mls

                    Thank you, so the on-access default processes policy is where I would put the exclusions I referenced earlier?  Would this also affect on demand scans?

                    • 7. Re: Re: Microsoft Exclusions
                      fitchsoccer342

                      Yup. That is where you would put your exclusions - yes, this will affect the on demand scan. See below:

                      • 8. Re: Re: Microsoft Exclusions
                        jwood.mls

                        Thanks so much, you've been very helpful!

                        • 9. Re: Re: Microsoft Exclusions
                          jwood.mls

                          Also, going off of some KB articles like this one: https://kc.mcafee.com/corporate/index?page=content&id=KB57308

                          can I safely assume that exclusions can contain variables such as %windir% ?