  • ESET Insiders
Posted

Hello,

 

I have two questions regarding folder exclusions that I really have not been able to find a definitive answer for:

  1. I am almost certain of the following so I am only asking for verification. If I enter the following as an exclusion: C:\Program Files\Malwarebytes\Anti-Malware\*.* - then only the files in that folder will be excluded from scanning, not any of the sub-folders.
  2. This is the one that I am not sure about and need to know if it works or not. If I enter the following as an exclusion: C:\Program Files\Malwarebytes\Anti-Malware\* - does this exclude the folder and all of the sub-folders within from scanning?

Any definitive answers concerning these two issues would be greatly appreciated.

Thanks in advance for your help...

  • Most Valued Members
Posted

I excluded the specific files rather than the entire folder. I think it's safer that way. Prior to the latest beta release I didn't find it necessary to exclude any files. Hopefully they will get this resolved.

Posted (edited)

Hello,

 

I have two questions regarding folder exclusions that I really have not been able to find a definitive answer for:

  1. I am almost certain of the following so I am only asking for verification. If I enter the following as an exclusion: C:\Program Files\Malwarebytes\Anti-Malware\*.* - then only the files in that folder will be excluded from scanning, not any of the sub-folders.
  2. This is the one that I am not sure about and need to know if it works or not. If I enter the following as an exclusion: C:\Program Files\Malwarebytes\Anti-Malware\* - does this exclude the folder and all of the sub-folders within from scanning?

Any definitive answers concerning these two issues would be greatly appreciated.

Thanks in advance for your help...

 

In regards to the AV scanner and the HIPS pertaining to file exclusions, the "*" symbol means all files within this folder and any subordinate folders. 

 

Below is info from Eset ver. 10 Help in regards to the above. Note that I have used "*.*" in HIPS rules. However, the HIPS presently interprets it as the same as "*" i.e. all files within this folder and any subordinate folders :

 

ThreatSense AV Scanner

 

You can use wildcards to cover a group of files. A question mark (?) represents a single variable character whereas an asterisk (*) represents a variable string of zero or more characters.

 

Examples

 

•If you wish to exclude all files in a folder, type the path to the folder and use the mask “*.*”.

•To exclude an entire drive including all files and subfolders, use the mask "D:\*".

•If you want to exclude doc files only, use the mask “*.doc“.

•If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for sure (say “D”), use the following format: “D????.exe”. Question marks replace the missing (unknown) characters.

 

HIPS

 

You can use wildcards with certain restrictions when entering a target. Instead of a particular key the * (asterisk) symbol can be used in registry paths. For example HKEY_USERS\*\software can mean HKEY_USER\.default\software but not HKEY_USERS\S-1-2-21-2928335913-73762274-491795397-7895\.default\software. HKEY_LOCAL_MACHINE\system\ControlSet* is not a valid registry key path. A registry key path containing \* defines "this path, or any path on any level after that symbol". This is the only way of using wildcards for file targets. First, the specific part of a path will be evaluated, then the path following the wildcard symbol (*).

Edited by itman
  • ESET Insiders
Posted

Hello SCR and itman,
 
Thank you both for your replies.

I excluded the specific files rather than the entire folder. I think it's safer that way. Prior to the latest beta release I didn't find it necessary to exclude any files. Hopefully they will get this resolved.

I usually do not exclude anything either but I have been experimenting thus these questions came to mind. I have been alpha and beta testing the new Malwarebytes 3.0 and there have been some performance issues. In my experience, Malwarebytes and ESET have never worked well together performance wise on my machine. In testing, I wanted to exclude both programs entirely from each other to theoretically eliminate performance issues between the two to a minimum and possibly better evaluate Malwarebytes 3.0 on its own performance level. I do not know yet if I will keep Malwarebytes 3.0 in real-time or only use it as a second opinion scanner yet as it all depends on its final performance when it goes stable and how it will coexist with ESET. ESET is the one security software that is always present on my machine and anything else that I may add cannot interfere with ESET or affect my machine's performance adversely.

In regards to the AV scanner and the HIPS pertaining to file exclusions, the "*" symbol means all files within this folder and any subordinate folders. 
 
Below is info from Eset ver. 10 Help in regards to the above. Note that I have used "*.*" in HIPS rules. However, the HIPS presently interprets it as the same as "*" i.e. all files within this folder and any subordinate folders :
 
Examples
 
•If you wish to exclude all files in a folder, type the path to the folder and use the mask “*.*”.
•To exclude an entire drive including all files and subfolders, use the mask "D:\*".
•If you want to exclude doc files only, use the mask “*.doc“.
•If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for sure (say “D”), use the following format: “D????.exe”. Question marks replace the missing (unknown) characters.

I did see the information that you mention in the help file but I found it a bit vague. The information is specific as far as excluding all files within a folder and everything on an entire drive, but not specific in the case of excluding everything including all files and all sub-folders within a specific folder. Therefore I make an assumption as in my original post as follows based on the help file information:

  • If I enter the following as an exclusion: C:\Program Files\Malwarebytes\Anti-Malware\*.* - then only the files in that folder will be excluded from scanning, not any of the sub-folders.
  • If I enter the following as an exclusion: C:\Program Files\Malwarebytes\Anti-Malware\* - this excludes the folder and all of the sub-folders within from scanning.

I am just looking for a quick and easy method to exclude everything from a particular program (in this example it is Malwarebytes) for testing as I evaluate performance. The least number of exclusions that I have to make, the better, as it is a lot quicker to just exclude one folder than several or many. Malwarebytes has quite a few folders/sub-folders/files and just using one exclusion rule would be so much easier.

 

I do think that I have already learnt at least one new thing. I always knew that you could use these types of wildcards to exclude file and folders in the anti-virus scanner, but it seems that you can use the same wildcards for the HIPS module also. I assume that you can use the wildcards with both the source and target within the HIPS rules.

 

Thank you both for your feedback so far and any additional feedback from anyone will also be greatly appreciated...

  • Most Valued Members
Posted

 

Thank you both for your replies.

SCR, on 27 Nov 2016 - 09:47 AM, said:

I excluded the specific files rather than the entire folder. I think it's safer that way. Prior to the latest beta release I didn't find it necessary to exclude any files. Hopefully they will get this resolved.

I usually do not exclude anything either but I have been experimenting thus these questions came to mind. I have been alpha and beta testing the new Malwarebytes 3.0 and there have been some performance issues. In my experience, Malwarebytes and ESET have never worked well together performance wise on my machine. In testing, I wanted to exclude both programs entirely from each other to theoretically eliminate performance issues between the two to a minimum and possibly better evaluate Malwarebytes 3.0 on its own performance level. I do not know yet if I will keep Malwarebytes 3.0 in real-time or only use it as a second opinion scanner yet as it all depends on its final performance when it goes stable and how it will coexist with ESET. ESET is the one security software that is always present on my machine and anything else that I may add cannot interfere with ESET or affect my machine's performance adversely.

I have never found the need to exclude any files from Eset. I did so in this instance just to see if there was a marked improvement in the latest beta 2 release. The mutual exclusion didn't improve the RAM and CPU resource use.

 

If it's necessary to use exclusions in Eset for Malwarebytes I will not be installing v3x. I rolled back to v2.2 until a better release is available.

 

I'm really not too sure where Malwarebytes is headed since moving away from their best v1.75.

 

  • ESET Insiders
Posted

Hello SCR,

 

I have never had the need to exclude files or folders in ESET either. I had been using HitmanPro.Alert but decided to beta test the Malwarebytes 3.0 since I have three lifetime licenses. As far as the exclusions that I have made for Malwarebytes in my testing, I have not noticed any performance improvements either (RAM, CPU, speed, or otherwise). It is just with my testing that I had the questions about exclusions for folders and sub-folders, so I decided to ask for my own learning and knowledge of ESET products.

  • Most Valued Members
Posted

I appreciate your question, itman's reply and your follow up discussion. Both you and I learned something new.  That's always a good thing.

Posted (edited)

I do think that I have already learnt at least one new thing. I always knew that you could use these types of wildcards to exclude file and folders in the anti-virus scanner, but it seems that you can use the same wildcards for the HIPS module also. I assume that you can use the wildcards with both the source and target within the HIPS rules.

 

As far as the HIPS goes, the only wildcard symbol officially supported by Eset at the present time is "*". It also is only allowed at the end of the path name e.g. C:\Windows\Temp\*. It means "this folder's files and all subordinate folders and files."

 

I and others have been bugging Eset for some time to modify the HIPS to allow the same wildcards and use thereof that are allowed for the AV scanner.

Edited by itman
  • ESET Insiders
Posted

Hello SCR and itman,

 

Thanks for both of your replies.

I appreciate your question, itman's reply and your follow up discussion. Both you and I learned something new.  That's always a good thing.

Thanks for your feedback and I agree with you, learning something new is always a good thing.

 

I do think that I have already learnt at least one new thing. I always knew that you could use these types of wildcards to exclude file and folders in the anti-virus scanner, but it seems that you can use the same wildcards for the HIPS module also. I assume that you can use the wildcards with both the source and target within the HIPS rules.

 

As far as the HIPS goes, the only wildcard symbol officially supported by Eset at the present time is "*". It also is only allowed at the end of the path name e.g. C:\Windows\Temp\*. It means "this folder's files and all subordinate folders and files."

 

I and others have been bugging Eset for some time to modify the HIPS to allow the same wildcards and use thereof that are allowed for the AV scanner.

 

I agree totally with you, if for no other reason than consistency. Whatever wildcards are allowed, they should be the same for all of the ESET modules. Having different sets of wildcards just complicates things and adds to confusion. Keep it simple as I always say, same list of wildcards should be available in all the ESET modules.
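
The mask semantics discussed in this thread, modelled as an added example for checking how much a single exclusion covers before it is entered (this is not ESET's matching code and not part of any post). Assumptions: wildcards appear only in the last path component, `*.*` covers every file directly in the folder, and the function names and sample paths are constructed for illustration.

```python
import re

def mask_to_regex(mask, module="scanner"):
    """Compile an exclusion mask to a regex under the thread's reading (a model)."""
    folder, sep, leaf = mask.rpartition("\\")
    if not sep or any(c in folder for c in "*?"):
        raise ValueError("model handles wildcards in the last path component only")
    if module == "hips":
        # Per the thread: HIPS accepts only a trailing "*" and reads "*.*" as "*".
        if leaf == "*.*":
            leaf = "*"
        if leaf != "*" and any(c in leaf for c in "*?"):
            raise ValueError("HIPS: only a trailing \\* is supported")
    if leaf == "*":
        body = ".*"          # this folder's files and all subordinate folders and files
    elif leaf == "*.*":
        body = r"[^\\]+"     # assumption: every file directly in the folder, no subfolders
    else:
        # "*" = zero or more characters, "?" = exactly one, neither crossing a backslash
        body = "".join(
            r"[^\\]*" if c == "*" else r"[^\\]" if c == "?" else re.escape(c)
            for c in leaf
        )
    # Windows paths are case-insensitive, so the match is too.
    return re.compile(re.escape(folder) + r"\\" + body, re.IGNORECASE)

def covered(mask, paths, module="scanner"):
    """Return the paths the mask would exclude under this model."""
    rx = mask_to_regex(mask, module)
    return [p for p in paths if rx.fullmatch(p)]

# Constructed sample paths; the file names are illustrative, not a real install layout.
BASE = r"C:\Program Files\Malwarebytes\Anti-Malware"
PATHS = [
    BASE + r"\engine.exe",
    BASE + r"\sdk\helper.dll",
    BASE + r"\sdk\cache\rules.dat",
    r"C:\Program Files\Malwarebytes\other.exe",
]

if __name__ == "__main__":
    for mask, module in [(BASE + r"\*.*", "scanner"), (BASE + r"\*", "scanner"),
                         (BASE + r"\*.*", "hips")]:
        print(module, mask, "->", len(covered(mask, PATHS, module)), "of", len(PATHS))
```

The difference between the scanner and HIPS rows for the same `*.*` mask is the point the thread raises: the same text can cover one file or a whole subtree depending on the module.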
