By adding the process name into a low risk policy group, you are making that process adhere to the low risk policy, but you will also need to add an exclusion. So, for example, you might add backupclient.exe to the process list, and add d:\backupfolder\temp\ in the exclusion list and tick on read/on write.
So what you are saying in effect is that "when process a.exe reads/writes to folder c:\excludedpath\ it will be excluded from scanning, but any other process not in the low risk policy will have its reads and writes scanned when writing to the same folder."
I suggest you have good reason for adding exclusions, since they introduce a security risk, and also make the excluded folders as specific as possible where necessary.
Is there a good reference for High/Low Risk configuration?
More directly, how do you accurately test a High/Low exclusion rule? I don't believe the "eicar_com.txt" test file is effective as it simply tests the high risk explorer.exe process(?).
Lotus Domino for example requires exclusions, but the folder I want to exclude has several file types accessed by various Lotus processes at varying, often random times.
I normally use high-risk / low-risk for situations where you have specific applications that you don't want (or need) to scan. It's standard practice for us to edit the default policy and configure it so that VSE uses high-risk / low-risk (versus a single default).
For our customer base it tends to be the backup software application that gets the exclusion. The reasoning is that by turning off the scan during backup and restore you're able to pick up a lot of performance. The risk of turning off the scan is relatively low because if a virus is physically transferred from the disk to the tape it's never executed so you're safe. The same holds true for a restore. After a restore if a user clicks on a file the on-access scanner will pick it up and you're safe.
One way to look at the problem is that each exclusion you make (file, folder, drive, wildcard, process, etc) opens up a 'hole'. If you were to exclude an entire folder then someone in the know could drop in their malware and run it without problem. Thus it's best to minimize the size of the hole by being as specific as possible about what you're excluding. I commonly find whole directory exclusions that should have been written as directory + wildcard (\datadir\*.dat).
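The two points raised in this thread (a process-scoped exclusion only lifts scanning for the named low-risk process, and a whole-folder exclusion is a larger "hole" than folder + wildcard) can be made concrete with a small model. This is an added example, not McAfee's engine or any poster's code; the matching semantics are an assumption chosen to mirror what the replies describe, and the paths, process names and `audit` helper are illustrative.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Exclusion:
    """One exclusion entry in a simplified model of VSE on-access scanning (assumption)."""
    pattern: str                 # whole folder (trailing backslash) or folder + wildcard
    on_read: bool = True
    on_write: bool = True
    process: str | None = None   # None: applies to every process; else only this low-risk process

def _norm(p: str) -> str:
    return p.lower().replace("/", "\\")

def _matches(pattern: str, path: str) -> bool:
    pat, path = _norm(pattern), _norm(path)
    if not re.match(r"[a-z]:\\", pat):          # no drive letter in the entry: match on any drive
        path = re.sub(r"^[a-z]:", "", path)
    if pat.endswith("\\"):                      # whole-folder exclusion: everything beneath it
        return path.startswith(pat)
    # folder + wildcard: '*' matches within one path component only (does not cross subfolders)
    rx = "".join("[^\\\\]*" if ch == "*" else re.escape(ch) for ch in pat)
    return re.fullmatch(rx, path) is not None

def is_excluded(exclusions: list[Exclusion], process: str, path: str, op: str) -> bool:
    """True if this process's read/write of path is skipped by the on-access scanner."""
    for ex in exclusions:
        if ex.process is not None and ex.process.lower() != process.lower():
            continue                            # other processes are still scanned here
        if (op == "read" and not ex.on_read) or (op == "write" and not ex.on_write):
            continue
        if _matches(ex.pattern, path):
            return True
    return False

def audit(exclusions: list[Exclusion]) -> list[str]:
    """Flag whole-folder entries: any file type, executables included, goes unscanned there."""
    return [f"{ex.pattern}: whole folder excluded; prefer folder + wildcard, e.g. {ex.pattern}*.dat"
            for ex in exclusions if ex.pattern.endswith("\\")]

# Constructed sample policies matching the thread's examples
LOW_RISK_BACKUP = [Exclusion("d:\\backupfolder\\temp\\", process="backupclient.exe")]
WILDCARD_ONLY = [Exclusion("\\datadir\\*.dat")]

if __name__ == "__main__":
    print(is_excluded(LOW_RISK_BACKUP, "backupclient.exe", "d:\\backupfolder\\temp\\x.bak", "write"))
    print(is_excluded(LOW_RISK_BACKUP, "explorer.exe", "d:\\backupfolder\\temp\\x.bak", "write"))
    print(audit(LOW_RISK_BACKUP), audit(WILDCARD_ONLY))
```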