13 Replies. Latest reply on Oct 30, 2014 4:15 PM by jwood.mls

    Microsoft Exclusions


      Hello all,

      I have been in the process (for a while now) of migrating from an old ePO server to a new one.  In the process I'm trying to make sure I have exclusions set up, etc., for the best performance, particularly on my servers.  Given that different servers obviously have different roles, how do you all usually handle setting up exclusion policies?  It seems like it would be very fragmenting to make a policy for SQL servers, a policy for AD servers, DHCP servers, WSUS servers, etc.  Since a server that is not a WSUS server is not likely to have the folders that a WSUS server does, would the best way in most cases be to make the exclusions apply to all servers?


      I'm referring to the giant Microsoft exclusion list for reference:  http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

        • 1. Re: Microsoft Exclusions

          It does take a lot of time to set up VSE/IPS/FW policies, and it is really dependent on your organization's needs/requirements. On one of the networks we manage, we are hosting 500+ servers, and we have VSE/IPS/FW exclusions segregated for SQL/Exchange/DCs/Lync/Remedy/etc. However, on another network, where we manage only about 300+ servers, we have the policies more integrated, i.e. Workstation Focused & Server Focused. But there are different requirements driving each of those networks, which is why there is no wrong or right answer for setting up your policies like that.


          So if you were looking to make, say, VSE exclusions for all servers, just create a single On-Access Default Processes Policy and create all your exclusions in there and assign it at the necessary nodes. Within VSE, however, you are able to break scanning policies into High/Low/Default processes as well. See screenshot, but it takes more time to set up.


          The same thing applies for IPS & FW rules/signatures/exclusions as VSE, just that you cannot break the policies into High/Low - basically either configure a couple policies and apply the policies to the needed nodes, or create very segregated policies - which again takes a lot of time, but then allows you to segregate - why apply a needed exclusion for an IIS server to a domain controller?

          • 2. Re: Microsoft Exclusions

            Thank you for your reply.  We have a very small number of servers (less than 50).  I guess my reply is, if you apply an exclusion, and it doesn't apply, then it doesn't necessarily hurt anything or open you up to a vulnerability either. In that way, I could just use my default policies just customized with the exclusions in the server category, or am I thinking about that wrong?

            • 3. Re: Microsoft Exclusions

              For VSE, I would duplicate the default "On-Access Default Processes" policy and call it "Server Focused" or something like that. Then within that put all your exclusions for the servers if that is the route you want to go. Then assign it at the needed system tree nodes.


              You might have to also exclude certain processes within the Access Protection Policies policy in time as things get tripped.

              • 4. Re: Microsoft Exclusions

                I kind of had that stuff set up that way originally, but after working with support some time back, I came to the idea that the reason that there is a dropdown that selects between workstation and server is so that within your defaults you can do customization for each class, is that wrong?

                • 5. Re: Microsoft Exclusions

                  It's up to you. You can do a single policy for workstations & servers and use that dropdown to delegate between the OS Platform, or create 2 separate policies. But you are correct in your approach.

                  • 6. Re: Microsoft Exclusions

                    Thank you, so the on-access default processes policy is where I would put the exclusions I referenced earlier?  Would this also affect on demand scans?

                    • 7. Re: Re: Microsoft Exclusions

                      Yup. That is where you would put your exclusions - yes, this will affect the on demand scan. See below:

                      • 8. Re: Re: Microsoft Exclusions

                        Thanks so much, you've been very helpful!

                        • 9. Re: Re: Microsoft Exclusions

                          Also, going off of some KB articles like this one: https://kc.mcafee.com/corporate/index?page=content&id=KB57308

                          can I safely assume that exclusions can contain variables such as %windir% ?
