3 Replies Latest reply on Mar 3, 2008 8:25 AM by metalhead

    Default, Low-Risk, High-Risk Policies

      I need to make sure my line of thinking is correct.

      In my On-Access Default Policies, I define 25 directories that I want to be excluded.

      For Exchange, M$ wants MAD.EXE and STORE.EXE excluded. So I check the Use different settings for High-Risk and Low Risk Processes.

I then add MAD.exe and Store.exe to the Low-Risk processes list. All other tabs I set up just like the Default, with the exception of my exclusions list. Since the exclusions are in the Default Policy, they will still be in effect on the Low-Risk as well, right?

I also deleted all of the high-risk process entries as well... just to be safe.

      Or should I duplicate the Directory Exclusions list?

      The documentation on this isn't very good IMO. Before I call Tech-Support I want to run this by you all.

      Any thoughts on this?
        • 1. RE: Default, Low-Risk, High-Risk Policies
          Technically it works like this:

1) a file is accessed by a process
2) VirusScan intercepts this access and checks the process name of the process which wants to access the file
3) if the process is listed in the high- or low-risk policy, it uses the corresponding exclusion and scan settings configured in these policies
4) if it does not find the process name (filename) in either the low- or high-risk list, it uses the default policy settings

Generally I would recommend creating a special policy for, e.g., your Exchange servers only, and setting the required exclusions for these systems by assigning the special policy.
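A small model of the four-step resolution order in the reply above, added here as an illustration and not code from the original thread or from McAfee. It answers the original question by construction: the policy is chosen by process file name first, and only the chosen policy's exclusion list is consulted, so directory exclusions that live only in the Default policy do nothing for an access made by a process on the Low-Risk list. The policy names, the process list, the Exchange paths and the rule that the high-risk list is checked before the low-risk list are all assumptions of this model, not product behaviour confirmed by the thread.

```python
"""Model of On-Access policy selection: process name -> policy -> exclusions.

Added illustration only; not McAfee code. All policy contents below are
constructed for the example.
"""
from dataclasses import dataclass, field
import ntpath


@dataclass(frozen=True)
class ScanPolicy:
    name: str
    # Process file names (image names) this policy applies to; empty for Default.
    processes: frozenset = field(default_factory=frozenset)
    # Directory exclusions: accesses to files under these paths are not scanned.
    excluded_dirs: tuple = ()


def _norm_dir(path: str) -> str:
    """Lower-case, normalise and ensure a trailing backslash for prefix matching."""
    p = ntpath.normpath(path).lower()
    return p if p.endswith("\\") else p + "\\"


# Constructed configuration mirroring the question: the exclusions sit only in
# Default, the Low-Risk policy lists the Exchange processes but repeats none of
# them, and the High-Risk list has been emptied.
EXCH_DATA = r"C:\Program Files\Exchsrvr\MDBDATA"   # assumed path, for the example
DEFAULT = ScanPolicy("Default", excluded_dirs=(EXCH_DATA,))
LOW_RISK = ScanPolicy("Low-Risk", processes=frozenset({"mad.exe", "store.exe"}))
HIGH_RISK = ScanPolicy("High-Risk")
# The corrected variant: the Low-Risk policy carries its own copy of the exclusions.
LOW_RISK_WITH_EXCLUSIONS = ScanPolicy("Low-Risk", LOW_RISK.processes, DEFAULT.excluded_dirs)


def select_policy(process_image: str, high=HIGH_RISK, low=LOW_RISK, default=DEFAULT) -> ScanPolicy:
    """Steps 2-4 of the reply: match the accessing process's file name against the
    high- and low-risk lists (high first is an assumption of this model), else Default."""
    name = ntpath.basename(process_image).lower()
    for policy in (high, low):
        if name in policy.processes:
            return policy
    return default


def should_scan(process_image: str, file_path: str, **policies) -> bool:
    """True if the access would be scanned: only the selected policy's exclusions apply."""
    policy = select_policy(process_image, **policies)
    target = ntpath.normpath(file_path).lower()
    return not any(target.startswith(_norm_dir(d)) for d in policy.excluded_dirs)


if __name__ == "__main__":
    store = r"C:\Program Files\Exchsrvr\bin\STORE.EXE"
    explorer = r"C:\Windows\explorer.exe"
    edb = EXCH_DATA + r"\priv1.edb"
    print("explorer.exe -> priv1.edb scanned?", should_scan(explorer, edb))   # False: Default exclusion
    print("store.exe    -> priv1.edb scanned?", should_scan(store, edb))      # True: Low-Risk has no exclusions
    print("store.exe (exclusions duplicated) scanned?",
          should_scan(store, edb, low=LOW_RISK_WITH_EXCLUSIONS))             # False
```

The practical check this models: a process that is on the Low-Risk list never sees the Default exclusions, so either duplicate the directory exclusions into the Low-Risk policy or, as the reply suggests, push the Exchange exclusions out through a separate policy assigned only to the Exchange servers.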
          • 2. RE: Default, Low-Risk, High-Risk Policies
So you are recommending that I don't worry about Low-Risk/High-Risk policies? Just set up my exclusions and go with that?
            • 3. RE: Default, Low-Risk, High-Risk Policies
Exclusions configured for low-/high-risk processes are always better than exclusions in the default policy, as those apply to all of the processes not specified in the low/high-risk policy. If you can determine the process, it is better to use a low/high-risk exclusion with the corresponding process, but in the case of the Exchange exclusions I would go with the McAfee knowledgebase article and configure general exclusions.