10 Replies, latest reply on Nov 20, 2014 5:03 PM by jj4sec

    How to exclude directories in Win7 %userprofile% with VSE 8.8.x?

    kjhurni

      We manage VSE 8.8.x with EPO.

      We just switched our email system to O365 and are using the Outlook 2013 client. MS has a list of files and directories we need to exclude from all AV scans.

      Unfortunately they are all in the %userprofile% directory.

      I was going to put these into the Exclusions in EPO, but I see McAfee KB

      https://kc.mcafee.com/corporate/index?page=content&id=KB54812

      says that you cannot use the variable %userprofile% because McShield runs in system and not user space.

      Any idea on how to use the system variable in an exclusion then?

      --Kevin

        • 1. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
          wwarren

          You can use pattern matching instead, i.e. via wildcard instead of variable.

          e.g.

          **\Users\*\Folder2Exclude\

          Or

          **\Documents & Settings\*\Folder2Exclude\

          Throw the Eicar test virus into the folder to validate the exclusion is working.

          Also, consider having the exclusions made for the Low Risk profile only, and add the process that's touching this folder structure to the Low Risk profile process list.

          • 2. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
            kjhurni

            Thanks, I thought I saw something somewhere via Google that indicated you could use:

            c:\users\userprofile\something

            and that McAfee would interpret "userprofile" to be the actual user profile?

            Interesting that we have other software that runs as "system" in the "system" space and it has no trouble accessing the %userprofile% variables.

            Unfortunately the MS technet article doesn't list their processes, only the files that need to be excluded.

            http://technet.microsoft.com/en-us/library/dn769141%28v=office.15%29.aspx

            I couldn't find anything on the McAfee KB that had suggestions for Outlook either. I see things for Windows SERVERS that are running Exchange, but that's different.

            • 3. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
              yans112

              Yes, Kjhurni. We are also following the same.

              • 5. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
                kjhurni

                I must be doing something wrong.

                I set up an exclusion in the Default Processes (although we use High/Low risk as well).

                c:\Users\*\AppData\Roaming\Microsoft\Outlook\*.srs

                I have verified that my VSE has the above exclusion.

                I then copied the eicar file (but it was named as: eicar.srs) to the above directory and it did scan it.

                It was my understanding (perhaps incorrectly) that if you also used high/low risk processes, anything NOT in high/low risk fell under the "default processes" set?

                --Kevin

                • 6. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
                  wwarren

                  kjhurni wrote:

                  ...

                  I then copied the eicar file (but it was named as: eicar.srs) to the above directory and it did scan it.

                  It was my understanding (perhaps incorrectly) that if you also used high/low risk processes, that anything NOT in high/low risk fell under the "default processes" set?

                  --Kevin

                  Hi Kevin,

                  When you use High/Low/Default profiles, it's critical to be mindful of "What process is touching the file". Because that is the process we will "look up" to see what profile it's in, then apply that profile's scanning configuration to the file operation.

                  When you say you copied the eicar file, do you mean "drag and drop" into the excluded folder? Because EXPLORER.EXE will be the process touching the file... a high risk process, thus the action will be scanned.

                  • 7. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
                    kjhurni

                    Thanks

                    wwarren wrote:

                    kjhurni wrote:

                    ...

                    I then copied the eicar file (but it was named as: eicar.srs) to the above directory and it did scan it.

                    It was my understanding (perhaps incorrectly) that if you also used high/low risk processes, that anything NOT in high/low risk fell under the "default processes" set?

                    --Kevin

                    Hi Kevin,

                    When you use High/Low/Default profiles, it's critical to be mindful of "What process is touching the file". Because that is the process we will "look up" to see what profile it's in, then apply that profile's scanning configuration to the file operation.

                    When you say you copied the eicar file, do you mean "drag and drop" into the excluded folder? Because EXPLORER.EXE will be the process touching the file... a high risk process, thus the action will be scanned.

                    Thanks for that info, I forgot that explorer.exe is in the High Risk category.

                    Since MS doesn't list what processes actually use their own files that they say to exclude, and since McAfee has nothing documented either, how would I go about testing the wildcard exclusions as you had originally suggested?

                    • 8. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
                      wwarren

                      You could remove Explorer.exe from the High Risk profile.

                      Apply the change (wait ~30 seconds for the change to apply).

                      Do the test; e.g. right-click "Properties" on the file.

                      --> No detection should occur, because Explorer.exe now falls under your "Default" profile, which has the exclusion.

                      Undo the change by adding Explorer.exe back to High Risk.
                      • 9. Re: How to exclude directories in Win7 %userprofile% with VSE 8.8.x?
                        kjhurni

                        wwarren wrote:

                        You could remove Explorer.exe from the High Risk profile.

                        Apply the change (wait ~30 seconds for the change to apply)

                        Do the test; e.g. Rt-Click "Properties" on the file.

                        --> No detection should occur, because Explorer.exe falls under your "Default" profile which has the exclusion.

                        Undo the change by adding Explorer.exe back to high risk.

                        Thanks, that worked. Just an FYI in case anyone else is following, we are *still* waiting for Microsoft to tell us what processes use those files for Outlook (yeah, we could use process explorer or whatever to figure it out, but since we're paying MS millions of dollars for O365, I'm going to make them do their work instead of me doing their work for them).
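To make the two points in this thread concrete, here is an added Python model (not McAfee's code or anything from the replies above) of wwarren's wildcard exclusions from reply 1 and the per-process profile lookup from replies 6 and 8. The wildcard semantics (`*` stays within one path component, `**` spans components, a trailing backslash covers the directory's contents) are assumed from KB54812, and the policy dictionary, process names and file paths are constructed for illustration.

```python
import re

# Assumed VSE 8.8 wildcard rules (modelled on KB54812, not McAfee's code):
# "*" matches within one path component, "**" spans any number of
# components, "?" matches one character, and a trailing backslash means
# "this directory and everything beneath it".
def vse_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
        i += 1
    body = "".join(out) + (".*" if pattern.endswith("\\") else "")
    return re.compile("^" + body + "$", re.IGNORECASE)

def is_excluded(path: str, exclusions) -> bool:
    return any(vse_pattern_to_regex(p).match(path) for p in exclusions)

# Constructed policy: explorer.exe is in High Risk (as in the thread), the Outlook
# exclusion sits on Default, and a process in neither list is looked up as Default.
POLICY = {
    "high": {"processes": {"explorer.exe"}, "exclusions": []},
    "low": {"processes": set(), "exclusions": ["**\\Users\\*\\Folder2Exclude\\"]},
    "default": {"processes": set(),
                "exclusions": [r"c:\Users\*\AppData\Roaming\Microsoft\Outlook\*.srs"]},
}

def profile_for(process: str, policy=POLICY) -> str:
    name = process.lower()
    return next((p for p in ("high", "low") if name in policy[p]["processes"]), "default")

def will_scan(process: str, path: str, policy=POLICY) -> bool:
    """The profile is chosen by the process touching the file; only that
    profile's exclusions are consulted before deciding to scan."""
    return not is_excluded(path, policy[profile_for(process, policy)]["exclusions"])

if __name__ == "__main__":
    f = r"C:\Users\kevin\AppData\Roaming\Microsoft\Outlook\eicar.srs"
    print("explorer.exe:", will_scan("explorer.exe", f))  # True: High Risk, no exclusion
    print("unknown.exe:", will_scan("unknown.exe", f))    # False: Default profile, excluded
```

Moving explorer.exe out of the High Risk list in the policy dictionary reproduces the test from reply 8: the same file operation then resolves to Default and is excluded.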
