3 Replies Latest reply on Dec 7, 2007 2:08 PM by Grafis

    On-Access Processes Policies

      Hello all

      I would like to exclude some processes from virus scanning using epo4.

      How do I go about this?

      Under the On-Access Default Processes Policies I've selected 'Configure different scanning policies for high-risk, low-risk, and default processes' and then put the processes I want to exclude in the On-Access Low-Risk Processes Policies.

      Is this enough to completely exclude these processes from scanning or do I need to configure the low-risk policy further?

        • 1. RE: On-Access Processes Policies
          By adding the process name into a low-risk policy group, you are making that process adhere to the low-risk policy, but you will also need to add an exclusion. So for example you might add

          backupclient.exe to the process list, and add d:\backupfolder\temp\ in the exclusion list and tick on read/on write.

          So what you are saying in effect is: "when process a.exe reads/writes to folder c:\excludedpath\ it will be excluded from scanning, but any other process not in the low-risk policy will have its reads and writes scanned when writing to the same folder."

          I suggest you have good reason for adding exclusions, since they introduce a security risk, and also make the excluded folders as specific as possible where necessary.
          • 2. RE: On-Access Processes Policies
            Is there a good reference for High/Low Risk configuration?

            More directly, how do you accurately test a High/Low exclusion rule? I don't believe the "eicar_com.txt" test file is effective, as it simply tests the high-risk explorer.exe process(?).

            Lotus Domino for example requires exclusions, but the folder I want to exclude has several file types accessed by various Lotus processes at varying, often random times.
            • 3. Strategy
              I normally use high-risk / low-risk for situations where you have specific applications that you don't want (or need) to scan. It's standard practice for us to edit the default policy and configure it so that VSE uses high-risk / low-risk (versus a single default).

              For our customer base it tends to be the backup software application that gets the exclusion. The reasoning is that by turning off the scan during backup and restore you're able to pick up a lot of performance. The risk of turning off the scan is relatively low because if a virus is physically transferred from the disk to the tape it's never executed so you're safe. The same holds true for a restore. After a restore if a user clicks on a file the on-access scanner will pick it up and you're safe.

              One way to look at the problem is that each exclusion you make (file, folder, drive, wildcard, process, etc.) opens up a 'hole'. If you were to exclude an entire folder, then someone in the know could drop in their malware and run it without problem. Thus it's best to minimize the size of the hole by being as specific as possible about what you're excluding. I commonly find whole-directory exclusions that should have been written as directory + wildcard (\datadir\*.dat).
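To make the two points in this thread concrete (a low-risk process plus an exclusion, as in reply 1, and the whole-folder "hole" versus a directory + wildcard exclusion, as in reply 3), here is an added example that is not from the thread or from McAfee: a small Python model of how the on-access scanner picks a process's policy and applies only that policy's exclusions. The policy names and the process list are taken from the replies; the `backupclient.exe`/`explorer.exe` assignments, the `c:\datadir` paths and the glob-style wildcard matching are assumptions for illustration, not VSE's exact matching rules.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Exclusion:
    # One exclusion-list entry: a path pattern plus the on-read / on-write ticks.
    # Glob wildcard matching is a modelling assumption, not VSE's exact rule.
    pattern: str
    on_read: bool = True
    on_write: bool = True

    def matches(self, path: str, op: str) -> bool:
        ticked = self.on_read if op == "read" else self.on_write
        return ticked and fnmatchcase(path.lower(), self.pattern.lower())

@dataclass
class ProcessPolicy:
    name: str
    exclusions: list = field(default_factory=list)

class OnAccessScanner:
    # Picks the high-risk / low-risk / default policy by process name, then
    # applies only that policy's exclusions to the file operation.
    def __init__(self, default, low_risk, high_risk, low_procs=(), high_procs=()):
        self.policies = {"default": default, "low": low_risk, "high": high_risk}
        self.low_procs = {p.lower() for p in low_procs}
        self.high_procs = {p.lower() for p in high_procs}

    def policy_for(self, process: str) -> ProcessPolicy:
        p = process.lower()
        key = "high" if p in self.high_procs else "low" if p in self.low_procs else "default"
        return self.policies[key]

    def should_scan(self, process: str, path: str, op: str) -> bool:
        # Scanned unless the process's own policy excludes this path for this op.
        return not any(e.matches(path, op) for e in self.policy_for(process).exclusions)

def build_scanner(low_risk_pattern: str) -> OnAccessScanner:
    # Constructed policy set: backupclient.exe is low-risk, explorer.exe high-risk;
    # only the low-risk policy carries an exclusion (ticked on read and on write).
    low = ProcessPolicy("low-risk", [Exclusion(low_risk_pattern)])
    return OnAccessScanner(ProcessPolicy("default"), low, ProcessPolicy("high-risk"),
                           low_procs=["backupclient.exe"], high_procs=["explorer.exe"])

# Whole-folder hole versus the narrowed hole from the reply above.
WIDE = build_scanner(r"c:\datadir\*")
NARROW = build_scanner(r"c:\datadir\*.dat")
```

Under `WIDE`, an executable dropped into `c:\datadir` by the low-risk process is never scanned; under `NARROW` only the `.dat` files are skipped, and every process outside the low-risk list is still scanned on the same paths.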