How to exclude mapped drives from real-time file execution/opening?

[zhekdia 3]

Good evening,

How do you perform a real-time exclusion on a mapped drive location from scanning such as "Z:\test\text.txt"? This works for computer scans and file creation but not for execution or opening. You can easily replicate this on your own network.

1. Create a text file on a mapped drive that contains the Eicar string from hxxp://www.eicar.org/download/eicar.com.txt.
2. In Endpoint product enter exclusion for mapped drive under "Exclusions by Path" e.g "Z:\*.*"
3. Open text file containing Eicar string
4. ESET quarantines, ignoring the exclusion.

Please clarify why this behaviour occurs. This can cause problem with user opening data files etc. It is worth noting this behaviour is not exhibited on local drives or when using UNC path exclusion.

It is worth noting that no server protection was enabled in this test, and both "*" and "*.*" were used, and the mapped letter is correct.

 

Admin can not always rely on UNC path.

 

Warm regards.

Edited February 7, 2014 by zhekdia

[Arakasi 549]

This is a shot in the dark, and if my memory serves me correct; if excluding network shares, you must exclude it using a string of path introducing the hostname of the network share.

 

So in this case, UNC is a must, if you cant rely on UNC, get the IP and make sure its static. If its not and cannot be static, then make sure your dns server whether it be windows or a router is working properly to resolve hostname.

 

"\\network-PC\shared folder\folder1\*.*"

Or

to be more efficient, include the entire path of the directory being shared

"\\network-PC\c$\Users\Documents\shared folder\"

 

Or by IP

"\\192.168.1.30\shared folder\"

 

If i am wrong, i will stand corrected, however allow me to search for documentation. Can be tried in the meantime.

Edited February 8, 2014 by Arakasi

[Arakasi 549]

Did not find any KB's on this.

Maybe ESET can introduce a KB on this or at the very least, add it to the normal excluding knowledge base articles.

[Arakasi 549]

Hello,

 

Just arrived at work, and tested your theory and mine, and it is absolutely as i stated.

I could not open the test file, but after adding the hostname and folder with *.*, it allowed me to execute the file.

It may or may not have something to do with drive letters never being static except for C: or windows directory.

A compensation in-case a user or admin inadvertently changed the network map letter and forgot about security exclusions. I imagine the exclusion would still be working properly

[Marcos 5,070]

Exclusions work by kernel paths, maybe the mapped drive Z: translates to different kernel paths over time.