The short version:
1. It seems that managed Mac clients are only partially honoring exclusions.
a. Eicar test files placed in excluded directories are being ignored, as expected.
b. Files in excluded directories are still being scanned on access, which is not as expected.
2. Unmanaged Mac clients appear to be honoring exclusions correctly.
The long version:
My MacBook Pro is affectionately referred to by my colleagues as the "Wind Tunnel" because its fans are constantly going at high speed. And its fans are constantly going at high speed because my managed ESET client is constantly scanning files in directories that have supposedly been explicitly excluded from scanning.
A good example is Backblaze's working directory. Since Backblaze is constantly updating its indexes, logs, etc, there's always a lot of churn going on, so I've explicitly excluded Backblaze's working directory…
/Library/Backblaze.bzpkg/*.*
…via policy (as specified in numerous Knowledgebase articles). And I can tell the exclusion is working (at least in part) because when I place a copy of the Eicar test file in the /Library/Backblaze.bzpkg/ folder (or one of its sub-folders), the ESET client ignores it.
But the moment a Backblaze backup kicks off, my managed ESET client starts scanning every file that is accessed in Backblaze's supposedly-excluded working directory, pegging the CPU, and causing the fans on my MacBook Pro to start screaming.
Here's a screenshot that shows both the exclusion in the client, as well as the client completely ignoring that exclusion:
The same is true of Time Machine backups, as well. Even though I've gone to great lengths to exclude every possible permutation of Time Machine path and volume name, ESET starts churning through every accessed file in those supposedly excluded directories/volumes the moment a Time Machine backup starts.
I've only seen this behavior with managed clients. If I install a standalone version of the exact same client with the exact same exclusions, the exclusions work as expected. Even with Backblaze and Time Machine backups happening simultaneously, files in those excluded directories never show up in the scanned objects stream and my fans hum along quietly.
But the moment I connect the ESET client to a Remote Administrator server, the scanned objects stream becomes a raging torrent of files in directories that it should be ignoring, and my fans kick into overdrive.
I've tried adding/removing policies, creating new policies from scratch, and applying those policies at different levels in the group hierarchy. I've tried uninstalling and reinstalling the client multiple times, as well as going from managed to unmanaged and back again. I've also tried different syntax permutations for the exclusions (including two wildcard symbols (*.*), one wildcard symbol (*), and no wildcard symbol at the end of the path), but the problem remains.
Any ideas? I'm out of them…