10 Replies Latest reply on Jul 13, 2016 5:37 PM by dvarnell

    On-Access Scan Exclusion

    vecon

      Hello,

       

      I am using McAfee 8.8

      Under On-Access Scan Properties -> All Processes -> Exclusions tab, I put in two directories (full path) and checked the "Also exclude subfolders" option for each path (when to exclude: on read and write). No file type or file age is selected.

      However, when I looked at the OnAccessScan logs, I still find that files it caught are from one of those directories that I excluded.

       

      Did I miss anything? With my settings, it should not scan those 2 directories at all and everything below them, right?

        • 1. Re: On-Access Scan Exclusion
          Peter M

          Moved from Community Help to Business > VirusScan Enterprise for better support

          ---

          Peter

          Moderator

          • 2. Re: On-Access Scan Exclusion
            ja2013

            Hello Vecon, it would help if you could provide your entered syntax, such as: C:\sampledir or C:\sampledir\ or C:\sampledir\*.* or **\sampledir\. Then give us an idea or paste part of your filtered log so we can see what you thought it shouldn't scan.

             

            Thanks

            • 3. Re: On-Access Scan Exclusion
              falaendor

              Are you able to check the client interface to ensure that it has received the policy?

              • 4. Re: On-Access Scan Exclusion
                avinash34

                Hello,

                 

                Configure different scanning policies for high-risk, low-risk, and default processes. Then add file exclusions in high-risk, low-risk and default processes.

                 

                Thanks.

                • 5. Re: On-Access Scan Exclusion
                  vecon

                  ja2013 wrote:

                   

                  Hello Vecon, it would help if you could provide your entered syntax, such as: C:\sampledir or C:\sampledir\ or C:\sampledir\*.* or **\sampledir\. Then give us an idea or paste part of your filtered log so we can see what you thought it shouldn't scan.

                   

                  Thanks

                   

                  Hi Ja2013,

                   

                  I have defined the exclusions as follows:
                  F:\Opened\              exclude subfolders = yes/checked

                  G:\Closed\               exclude subfolders = yes/checked

                   

                   

                  This is one line from the OnAccessScan log:

                   

                  7/5/2016 9:00:54 PM Will be deleted after the next reboot (Clean failed because the detection isn't cleanable) Server1\BackupExecAcct C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe \Device\HarddiskVolumeShadowCopy21\Closed\NoRecord\6390A677-8222-45AA-9633-5C614B5310AA EICAR test file (Test)

                  • 6. Re: On-Access Scan Exclusion
                    vecon

                    falaendor wrote:

                     

                    Are you able to check the client interface to ensure that it has received the policy?

                    Hi Falaendor,

                     

                    Which client interface do you mean? I have access to the server where the McAfee is installed.  The McAfee is on its own, not connected to any other server like a central manager.

                    • 7. Re: On-Access Scan Exclusion
                      ja2013

                      Thanks for the reply.

                       

                      McAfee KnowledgeBase - VirusScan Enterprise exclusions for Symantec Backup Exec - is a relatively new article that advises on Backup Exec. Like most backup solutions, you will be advised by the vendor to exclude their recommendations from the OAS using Low Risk. The performance gain is pretty good too; it is worth the entry if your enterprise understands what they are allowing. The low risk allows you to place the executable on the list so it is NOT scanned in memory, by virtue of no scanning on read or write for the process. You would also declare supporting file path files as part of the do not scan.

                       

                      In essence the beremote.exe is being scanned and is fine, but the process is what you're looking to remedy here. That is what Avinash Dasari was trying to point out below. If you revisit the low risk approach you will fix this issue.

                       

                      Here is an updated article that gets you closer to understanding the confusion around on-access default processes, low risk and high risk.

                       

                      McAfee KnowledgeBase - Understanding High-Risk, Low-Risk, and Default processes configuration and usage

                       

                      Jay

                      • 8. Re: On-Access Scan Exclusion
                        rmetzger

                        Hi Vecon,

                        vecon wrote:

                         

                        I have defined the exclusions as follows:
                        F:\Opened\              exclude subfolders = yes/checked

                        G:\Closed\               exclude subfolders = yes/checked

                         

                        This is one line from the OnAccessScan log:

                         

                        7/5/2016 9:00:54 PM Will be deleted after the next reboot (Clean failed because the detection isn't cleanable) Server1\BackupExecAcct C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe \Device\HarddiskVolumeShadowCopy21\Closed\NoRecord\6390A677-8222-45AA-9633-5C614B5310AA EICAR test file (Test)

                        Based on your logs,

                         

                        C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe is the process that should be placed in the Low-Risk Process.

                        \Device\HarddiskVolumeShadowCopy21\Closed\ is the Exclusion you need to make if you decide to Not use High/Low-Risk Processes.

                         

                        Excluding G:\Closed does not exclude by \Device\ name, more commonly known as Mount Points.

                        see McAfee KnowledgeBase - How to exclude SAN and NAS mount points in VirusScan Enterprise 8.x

                        and McAfee KnowledgeBase - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x or MOVE AV Multi-Platfo…

                         

                        I strongly suggest using Jay's (ja2013) recommended use of High/Low-Risk Process Policies for Symantec Backup Exec. High/Low-Risk Processes is a much better way to limit exclusions and security exposures, giving better performance to trusted processes and still maintaining full security when other non-trusted processes attempt access to that exclusion.

                        Exclude \HarddiskVolumeShadowCopy21\Closed\ with Sub-folders for the beremote.exe process placed in the Low-Risk Process policy.

                         

                        Any other process, such as Explorer.exe, would detect EICAR test file (Test), but it would be ignored when accessed by beremote.exe.

                         

                        Follow the recommendations in:

                        McAfee KnowledgeBase - VirusScan Enterprise exclusions for Symantec Backup Exec

                        for all the other processes listed in the Knowledge Base article, then add your additional exclusions as your logs demonstrate.

                         

                        Hopefully this helps.

                        Ron Metzger
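
The mismatch discussed in the post above, between a drive-letter exclusion and the `\Device\` path in the log, can be checked over a whole OnAccessScan log. This is an added example, not code from the thread or from McAfee; it assumes tab-separated log fields and models an exclusion as a literal case-insensitive prefix, which is a simplification and not VirusScan's own matching logic.

```python
import re
from typing import NamedTuple

# Constructed sample: the log line quoted in the thread, rebuilt with
# tab-separated fields (assumed layout; the page shows spaces).
SAMPLE_LOG = "\t".join([
    "7/5/2016", "9:00:54 PM",
    "Will be deleted after the next reboot "
    "(Clean failed because the detection isn't cleanable)",
    "Server1\\BackupExecAcct",
    "C:\\Program Files\\Symantec\\Backup Exec\\RAWS\\beremote.exe",
    "\\Device\\HarddiskVolumeShadowCopy21\\Closed\\NoRecord\\"
    "6390A677-8222-45AA-9633-5C614B5310AA",
    "EICAR test file (Test)",
])
EXCLUSIONS = ["F:\\Opened\\", "G:\\Closed\\"]  # as entered by the poster

class Detection(NamedTuple):
    process: str
    path: str
    name: str

DEVICE_RE = re.compile(r"^\\Device\\[^\\]+(\\.*)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:(\\.*)$")

def parse_line(line):
    """Split one detection record; None if it lacks the 7 assumed fields."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 7:
        return None
    return Detection(fields[4], fields[5], fields[6])

def triage(line, exclusions):
    """Report which exclusions cover the logged path, and which only name
    the same folder through a drive letter the logged path does not use."""
    det = parse_line(line)
    if det is None:
        return None
    path = det.path.lower()
    hits = [e for e in exclusions if path.startswith(e.lower())]
    near = []
    dev = DEVICE_RE.match(det.path)
    if dev and not hits:
        tail = dev.group(1).lower()  # folder part after the device name
        for e in exclusions:
            drv = DRIVE_RE.match(e)
            if drv and tail.startswith(drv.group(1).lower()):
                near.append(e)
    return {"process": det.process, "path": det.path,
            "excluded_by": hits, "drive_letter_only": near}
```

An entry in `drive_letter_only` marks a detection whose folder is excluded only by drive letter, and the `process` field names the executable to consider for the Low-Risk Processes policy.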

                        • 9. Re: On-Access Scan Exclusion
                          falaendor

                          Sorry, I was referring to the client which the OnAccess scan is running on. Is it a workstation/laptop or a server?
