Is it being blocked via HIPS or VSE? Once you figure that out, you can create the needed exception/exclusion for HIPS or VSE and then it will work.
Logs for HIPS: C:\ProgramData\McAfee\Host Intrusion Prevention
Logs for VSE: C:\ProgramData\McAfee\DesktopProtection
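One way to answer the "which component blocked it?" question is to search every log in that DesktopProtection folder for the file name and report which log, and therefore which VSE component, recorded it. The script below is an added example written for this thread, not McAfee's code or output. It assumes the log file names shown in `COMPONENTS` (check your own folder), and the tab-separated line layout in `SAMPLE_LOGS` is a constructed simplification so the example runs offline; it is not the real VSE log format, so adjust `parse_line` to the actual field order before trusting the results on a live system.

```python
"""Added example: find which VSE log (and so which component) recorded a file."""
from pathlib import Path

VSE_LOG_DIR = Path(r"C:\ProgramData\McAfee\DesktopProtection")  # folder named in the thread

# Assumed log file names -> VSE component. Verify against your own DesktopProtection folder.
COMPONENTS = {
    "OnAccessScanLog.txt": "On-Access Scanner",
    "OnDemandScanLog.txt": "On-Demand Scanner",
    "AccessProtectionLog.txt": "Access Protection",
    "BufferOverflowProtectionLog.txt": "Buffer Overflow Protection",
}


def _rows(*rows):
    # Join constructed records into tab-separated lines.
    return "\n".join("\t".join(r) for r in rows)


# Constructed sample data: date, time, action, user, process, target path, detection name.
# This layout is a simplification for the example, NOT McAfee's actual log format.
SAMPLE_LOGS = {
    "OnAccessScanLog.txt": _rows(
        ("2013-05-01", "09:12:01", "Deleted (Clean failed)", r"CORP\jdoe", "explorer.exe",
         r"C:\Users\jdoe\Downloads\ComboFix.exe", "Artemis!0123456789AB"),  # constructed name
        ("2013-05-01", "09:15:44", "No action", r"CORP\jdoe", "outlook.exe",
         r"C:\Users\jdoe\archive.pst", ""),
    ),
    "AccessProtectionLog.txt": _rows(
        ("2013-05-01", "09:12:00", "Blocked", r"CORP\jdoe", "ComboFix.exe",
         r"C:\Windows\System32\drivers\etc\hosts", "Sample AP rule (constructed)"),
    ),
}


def parse_line(line):
    """Split one tab-separated record; returns None for blank or short lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    date, time, action, user, process, path = fields[:6]
    detection = fields[6] if len(fields) > 6 else ""
    return {"timestamp": f"{date} {time}", "action": action, "user": user,
            "process": process, "path": path, "detection": detection}


def find_detections(log_texts, file_name):
    """Return every record where file_name is the scanned target or the acting
    process, tagged with the log it came from and the VSE component behind it."""
    needle = file_name.lower()          # VSE file names are case-insensitive
    hits = []
    for log_name, text in log_texts.items():
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            target = rec["path"].rsplit("\\", 1)[-1].lower()
            proc = rec["process"].rsplit("\\", 1)[-1].lower()
            if target != needle and proc != needle:
                continue
            rec["log"] = log_name
            rec["component"] = COMPONENTS.get(log_name, log_name)
            rec["role"] = "target" if target == needle else "process"
            # Artemis/GTI heuristic detections carry an "Artemis!" prefix; a signature
            # detection or an Access Protection rule looks different and is handled elsewhere.
            rec["artemis"] = rec["detection"].lower().startswith("artemis!")
            hits.append(rec)
    return hits


def load_logs(log_dir=VSE_LOG_DIR):
    """Read all *.txt logs in the folder; change the encoding if your logs are UTF-16."""
    return {p.name: p.read_text(encoding="utf-8-sig", errors="replace")
            for p in log_dir.glob("*.txt")}


if __name__ == "__main__":
    logs = load_logs() if VSE_LOG_DIR.is_dir() else SAMPLE_LOGS
    for h in find_detections(logs, "combofix.exe"):
        print(f'{h["timestamp"]} {h["component"]}: {h["action"]} ({h["role"]}) '
              f'{h["path"]} {h["detection"] or "<no detection name>"}')
```

Run it on the machine where the file is being blocked; a hit in the On-Access Scanner log with an `Artemis!` detection name points at the heuristic/GTI side of OAS, whereas a hit in the Access Protection log means a rule rather than a scan detection is stopping the process, and the exclusion has to be made in the matching policy.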
HIPS is not in use so there is no folder related to that.
For VSE, the folder contains five log files:
So none of these five files report any kind of virus-related issue, but if I go into the on-access scan statistics, I can see it has been blocked. So I know that VSE is blocking it.
What should be the next step for me?
Have a nice day!
Cool, you got it narrowed down so now all you need to do is create the exception for it to prevent OAS from blocking it.
Within ePO, go to Menu > Policy > Policy Catalog
Then dropdown the Product for VirusScan Enterprise 8.8.0
From here you need to find the policy that is applied to the machines' system tree node. This depends on how you have OAS set up as well; whether you're using one default processes policy, or if you're categorizing them into high/low/default and using multiple policies. Figure out which one you are using.
Then from there, just open the policy, click the "exclusions" tab, change the "setting for" for either a workstation or server, and then drop the Combofix directory or file into that location.
Wake up the agents to get the new policy and test.
[attachment: vse.png]
I found the information. Thank you fitch. There is one that is intriguing me.
Here is the box to add a new exclusion. I took a look at the other exceptions and they point to a certain type of file (.pst in that case) or a specific folder. How can I specify a single file called Combofix.exe?
I logged in to my virtual machine that does not have any antivirus, so I was able to download Combofix. I copied the file onto the server and woof! It was removed from the server in a matter of seconds. I wanted to start it to see if the antivirus would accept it after the download, but better luck next time for me!
How can I create an exclusion for a single file?
So to create an exclusion for a single file, combofix.exe, just use this syntax:
That basically says exclude Combofix.exe from any directory that it is found within.
Save the policy, wake up your agent and make it get the new policy, then test and see if it is no longer blocked.
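Before saving that exclusion it is worth seeing exactly how far it reaches. The matcher below is an added example written for this thread, not McAfee's matching code: it models VSE-style exclusion wildcards as I understand them from the product documentation (`?` one character, `*` any run of characters within one path component, `**` any run including backslashes, and a bare file name applying in any directory, which is how the exclusion above is described), and checks candidate exclusions against constructed sample paths. Confirm the wildcard rules against the KB for your VSE version before relying on them.

```python
"""Added example: model the scope of a VSE-style file exclusion."""
import re


def exclusion_to_regex(pattern):
    """Translate a VSE-style exclusion into a regex over a full path.
    Assumed semantics: ? = one char (not a backslash), * = any run not crossing a
    backslash, ** = any run including backslashes. A pattern with no backslash is a
    bare file name and matches that name in any directory."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append(r"[^\\]*")
        elif c == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(c))
        i += 1
    body = "".join(out)
    if "\\" not in pattern:
        body = r"(?:.*\\)?" + body      # bare name: any directory
    return re.compile("^" + body + "$", re.IGNORECASE)  # VSE names are case-insensitive


def is_excluded(path, exclusions):
    """True if any exclusion pattern covers the given full path."""
    return any(exclusion_to_regex(p).match(path) for p in exclusions)


def coverage(exclusion, paths):
    """Return the subset of paths a single exclusion would cover."""
    rx = exclusion_to_regex(exclusion)
    return [p for p in paths if rx.match(p)]


# Constructed sample paths: the intended tool location, a copy in a user profile,
# and an unrelated executable in the tool folder.
SAMPLE_PATHS = [
    r"C:\Tools\ComboFix.exe",
    r"C:\Users\jdoe\Downloads\combofix.exe",
    r"C:\Tools\other.exe",
]

if __name__ == "__main__":
    for excl in ("combofix.exe", r"**\combofix.exe", r"C:\Tools\combofix.exe", r"C:\Tools\*.exe"):
        print(f"{excl:28} -> {coverage(excl, SAMPLE_PATHS)}")
```

The name-only form does what the reply says: it covers the file wherever it turns up, including a copy in a user's Downloads folder. If you only need the tool to run from one admin location, the full-path form (`C:\Tools\combofix.exe` in the sample) keeps OAS scanning any other file that happens to carry that name, which is the narrower and safer exclusion to hand out.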
Change your Artemis to minimum sensitivity.
You just need to change the Artemis level within your VSE policy.
Go to Menu > Policy > Policy Catalog > VSE 8.8 > On-Access General Policies
Find the policy that is being applied to the machines, open it.
Change the Artemis level to Low and see if it works, otherwise try it at very low or disabled for the time being.
[attachment: artemis.png]