Exclude file type from all scanning

[jdashn 12]

It appears (and i could be wrong) that the only way i can exclude a file type ( .vhd for example) would be to enter that in under the Threatsense Parameters for Each scan type? Is there a way i can enter the file type under path like *.vhd or something? Does the setting for real-time protection also count for malware scans and the others?

Is there a list of all the places i've got to add these extensions to be sure they're not scanned?

 

it seems kind of goofy to have the file type exclusions in a different spot, and to have to enter it in multiple places when there is a single spot to exclude files, hashes, and threats. Is this really the only way?  Out of curiosity, is there a reason i'm not seeing for this to be this way?

 

Thanks,

 

Jdashn

Edited February 1, 2019 by jdashn
add additional question

[jdashn 12]

Instead of editing a 3rd time with another question to add, i'll just add another question here:

 

When excluding a file where one of the folders is unknown:

C:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\*\PersistentDictionary.edb

This seems to be not possible with eset at all? Is there another notation i should be trying? I've seen some suggestion that \\ would work but would like to KNOW for sure before telling others this is in place and 'working'.

 

Thanks as always!!

 

Jdashn

[itman 1,659]

To excluded a file from Realtime scanning, you enter the item in the  "Exclusions" section in Eset GUI Real-time file system protection section. Click on the gear symbol and select  "Edit exclusions." As far as selection criteria goes: 

Quote

Examples

•If you wish to exclude all files in a folder, type the path to the folder and use the mask “*.*”.

•To exclude an entire drive including all files and subfolders, use the mask "D:\*".

•If you want to exclude doc files only, use the mask “*.doc“.

•If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for sure (say “D”), use the following format: “D????.exe”. Question marks replace the missing (unknown) characters.

https://help.eset.com/eis/12/en-US/idh_config_exclude.html

Edited February 1, 2019 by itman

[novice 20]

2 hours ago, jdashn said:

It appears (and i could be wrong) that the only way i can exclude a file type ( .vhd for example) would be to enter that in under the Threatsense Parameters for Each scan type?

No, you are not wrong!

I complained many time before about the need to fill the Threatsense parameters in a hundred places even though is very unlikely an user will choose different settings .

But it falls in deaf years!

[Marcos 5,074]

Vhd files are containers, ie. real-time protection doesn't scan them all. What issues do you have with vhd files if they are not excluded from scanning by real-time protection?

Re. individual ThreatSense setttings for modules, settings like file exclusions and PUA/PUsA detection, they can be globally set at one place. It makes sense to have individual settings per each protection module and on-demand scanner profile. Without that, it wouldn't make sense to have various on-demand scan profiles if only targets could be defined in scan profiles. Ie. users would be forced to use smart scan without scanning archives or an in-depth scan that would scan everything but would take long.

Users generally love the granularity of settings and the possibility to tailor them to their needs or liking. I for one can't think of a scenario when a user would need to change a particular setting in all modules and on-demand scanner profiles at once. If there is a real use for some settings to become global, we'd like to hear more about such use.

[novice 20]

1 hour ago, Marcos said:

If there is a real use for some settings to become global, we'd like to hear more about such use.

Well, see here:

 

"Just an example about the "Threatsense parameters" : No cleaning/Normal cleaning/Strictly cleaning .An user has to set up this in at least 8 places ; it is very unlikely that somebody will want "no cleaning" in certain situation and "strictly cleaning" in another situation. To be honest, every time I set-up ESET I was in doubt that I did it right or I missed something somewhere...."

Aryeh Goretsky seems to agree with my statement:

"The feedback about having to configure cleaning in multiple places through the UI is noted." 

[Marcos 5,074]

The cleaning functionality is subject to overhaul.

I'm trying to understand the use case. 1, Do you set cleaning mode to No cleaning or Strict cleaning in all modules? , 2. Do you uninstall and reinstall ESET so frequently that setting the cleaning mode at very few places in the configuration is a problem? Even if you export and import settings when reinstalling ESET?

You have posted in the Remote administrator forum. If you use ESET Security Management Console, what problem is there when setting a non-default cleaning mode via a policy?

[jdashn 12]

Sorry i've been away from this thread!

On 2/1/2019 at 4:09 PM, itman said:

To excluded a file from Realtime scanning, you enter the item in the  "Exclusions" section in Eset GUI Real-time file system protection section. Click on the gear symbol and select  "Edit exclusions." As far as selection criteria goes: 

Thanks for this, but when you actually try to enter in a file type *.doc for example, in ESMC under File Exclusions you get an error. To exclude a file type it seems you need to go to the threatsense area for each scan type  (Realtime, Malware, ( and each cleaning mode too?)) to exclude them in an ESMC policy. Infact i believe in v6 Console you could specify *.doc in the File/folder area, though i'm unsure now if it was working, or if there was just no error thrown to prevent me.

 

On 2/2/2019 at 8:44 AM, Marcos said:

The cleaning functionality is subject to overhaul.

I'm trying to understand the use case. 1, Do you set cleaning mode to No cleaning or Strict cleaning in all modules? , 2. Do you uninstall and reinstall ESET so frequently that setting the cleaning mode at very few places in the configuration is a problem? Even if you export and import settings when reinstalling ESET?

You have posted in the Remote administrator forum. If you use ESET Security Management Console, what problem is there when setting a non-default cleaning mode via a policy?

1 this is not for cleaning mode. This is asking why i've got to setup the file type exclusions separately from file exclusions and why i can't use a * in the middle of a path. It appears that for a citrix environment (in this one example, we have a few other Pieces Of Software that require some sort of file type exclusion) a provisioning server needs the following file types to be not scanned at all:

• *.vhd
• *.avhd
• *.vhdx
• *.avhdx
• *.pvp
• *.lok

In order to achieve that it seems I would have to exclude them from realtime scanning, and specific scans like malware scans and what not (instead of the 1 spot i can exclude a Spesific file/folder hash or threat). I'm wondering if there is a single spot to enter so i don't have to enter it in multiple places. Generally we only use Strict cleaning.

2 I'm not sure this matters (as i use ESMC to manage these servers) but these particular machines aren't rebuilt daily, but some others with file type exclusions are.

 

Realistically i'm just looking to see if there would be an easier way to setup an exclusion based on file type, instead of having to remember each spot that has a filetype exclusion parameter when we get a new piece of software or a software requirements are changed. This would reduce the possibility of human error, missing an exclusion, or forgetting to remove them in a spot when changes to these policies (or their initial creation) need to happen.

As i said, maybe there is something i'm missing, or i'm not explaining this properly?

 

Thanks a ton as always !!!

 

Jdashn

Edited February 6, 2019 by jdashn

[Marcos 5,074]

1, I assume you meant *.doc just as an example since document files often contain malicious macros nowadays and thus they should never be excluded from scanning.
2, As for the cleaning mode, I was not referring to your post but to the other complaint from another user.
3, As I wrote, neither vhd files nor the other formats you mentioned are scanned by real-time protection so basically you shouldn't need to exclude them. If there's a really good reason for excluding them, we would like to hear more details about the issues that occur when those files are not excluded.
 

[jdashn 12]

19 hours ago, Marcos said:

1, I assume you meant *.doc just as an example since document files often contain malicious macros nowadays and thus they should never be excluded from scanning.
2, As for the cleaning mode, I was not referring to your post but to the other complaint from another user.
3, As I wrote, neither vhd files nor the other formats you mentioned are scanned by real-time protection so basically you shouldn't need to exclude them. If there's a really good reason for excluding them, we would like to hear more details about the issues that occur when those files are not excluded.
 

1. Without a doubt! It would quite a bad job move to exclude *.doc files from scanning, typically i'd like to have zero exclusions, but some business critical software that we use does require exclusions, Citrix for instance has what i listed above just for one server type in their ecosystem. Several of our other products require various other db files or file types to be excluded from scanning on their servers, or even on the desktops.

2. Awesome, i was a little confused and was worried i was missing something, thanks for clarifying!

3. The files listed are put forth as files that cannot be scanned during the provisioning process in a citrix environment per Citrix. Additionally we do have several other pieces of software that also recommend that certain file types are excluded from scanning odd db files and other file types used by EHRs or Claims management software or HR systems. I'm not really going to be able to override the documentation they've provided - but i can say we did experience widespread oddities only in our production environment before these were in place, that we do not experience after (This though was only for our prod environment, under load - we were unable to replicate in test environments with few users, i can't replicate so i can't say it was eset for sure or not).

 

So my concern is not if i should enter the exclusions as required by vendors, but how is the best way to ensure that files i'm directed to not allow scanning on, dont get scanned. I enter once for realtime, then once for on-demand scan, then for idle-state scan, then for startup scan (to be a bit more exact in what i'm talking about, when i say multiple places ). So that means that someone has to remember to hit all 4 of those spots, to enter the same information.

i'm not trying to say ESET is bad or anything, i'm just trying to figure out if i'm seeing this wrong or if there is something i'm missing here? Or if there might be a way to keep from duplicating work?

 

Thanks a ton for looking at this!

Jason