How to exclude mapped drives from real-time file execution/opening?


Posted (edited)

Good evening,

How do you perform a real-time exclusion from scanning on a mapped drive location such as "Z:\test\text.txt"? This works for computer scans and file creation, but not for execution or opening. You can easily replicate this on your own network.

  1. Create a text file on a mapped drive that contains the Eicar string from hxxp://www.eicar.org/download/eicar.com.txt.
  2. In the Endpoint product, enter an exclusion for the mapped drive under "Exclusions by Path", e.g. "Z:\*.*"
  3. Open the text file containing the Eicar string
  4. ESET quarantines it, ignoring the exclusion.

Please clarify why this behaviour occurs. This can cause problems with users opening data files, etc. It is worth noting this behaviour is not exhibited on local drives or when using a UNC path exclusion.

It is worth noting that no server protection was enabled in this test, and both "*" and "*.*" were used, and the mapped letter is correct.

An admin cannot always rely on a UNC path.

Warm regards.

Edited by zhekdia
Posted (edited)

This is a shot in the dark, and if my memory serves me correctly: if excluding network shares, you must exclude them using a path string that includes the hostname of the network share.

So in this case, UNC is a must. If you can't rely on UNC, get the IP and make sure it's static. If it's not and cannot be static, then make sure your DNS server, whether it be Windows or a router, is working properly to resolve the hostname.

"\\network-PC\shared folder\folder1\*.*"

Or

To be more efficient, include the entire path of the directory being shared:

"\\network-PC\c$\Users\Documents\shared folder\"

Or by IP:

"\\192.168.1.30\shared folder\"

If I am wrong, I will stand corrected; however, allow me to search for documentation. It can be tried in the meantime. ;)

Edited by Arakasi
Posted

Did not find any KBs on this.

Maybe ESET can introduce a KB on this or at the very least, add it to the normal excluding knowledge base articles.

Posted

Hello,

Just arrived at work, and tested your theory and mine, and it is absolutely as I stated.

I could not open the test file, but after adding the hostname and folder with *.*, it allowed me to execute the file. :)

It may or may not have something to do with drive letters never being static, except for C: or the Windows directory. :)

A compensation in case a user or admin inadvertently changed the network map letter and forgot about security exclusions. I imagine the exclusion would still be working properly. :)

  • Administrators
Posted

Exclusions work by kernel paths; maybe the mapped drive Z: translates to different kernel paths over time.
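The two posts above (Arakasi's UNC/IP exclusion forms and Marcos's kernel-path remark) can be checked on the client itself. The following PowerShell script is an added example for this thread; it is not ESET's tooling and not from any poster. It lists each mapped drive with the UNC root it was mapped from, the NT kernel path that the drive letter actually aliases (via the Win32 QueryDosDevice API), and the exclusion strings in the letter, UNC and IP forms. The host and share names that appear in the comments ("network-PC", "shared folder") are illustrative assumptions; everything else is real Windows API and CIM usage. Run it as the user who mapped the drive, because mapped letters are per logon session.

```powershell
# Added example, not part of the original forum thread.
# Shows why a "Z:\*.*" exclusion and a "\\host\share\*.*" exclusion are not the
# same thing to the kernel: the drive letter is only a per-session symbolic link.

# P/Invoke for QueryDosDevice: returns the object-manager target of "Z:".
Add-Type -Namespace Win32 -Name DosDevice -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
                                         System.Text.StringBuilder lpTargetPath,
                                         uint ucchMax);
'@

function Get-MappedDriveExclusionInfo {
    # DriveType 4 = network drive. ProviderName is the UNC root the letter maps to,
    # e.g. "\\network-PC\shared folder" (illustrative name).
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 4' | ForEach-Object {
        $letter = $_.DeviceID          # e.g. "Z:"
        $unc    = $_.ProviderName      # $null if the mapping is currently disconnected

        # Kernel-side view of the letter. For a network drive this is typically
        # \Device\LanmanRedirector\;Z:<logon-session-id>\network-PC\shared folder,
        # i.e. it embeds the logon session, so it is not a stable string.
        $sb = New-Object System.Text.StringBuilder 1024
        $n  = [Win32.DosDevice]::QueryDosDevice($letter, $sb, [uint32]$sb.Capacity)
        $kernelPath = if ($n -gt 0) {
            $sb.ToString()
        } else {
            "<QueryDosDevice failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())>"
        }

        # Build the IP-based form by resolving the host part of the UNC root.
        $ipExclusion = $null
        if ($unc -and $unc -match '^\\\\([^\\]+)\\(.+)$') {
            $hostName = $Matches[1]
            $share    = $Matches[2]
            try {
                $ip = ([System.Net.Dns]::GetHostAddresses($hostName) |
                       Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                       Select-Object -First 1).IPAddressToString
                if ($ip) { $ipExclusion = "\\$ip\$share\*.*" }
            } catch {
                # Name resolution failure: leave the IP form empty rather than guess.
            }
        }

        [pscustomobject]@{
            DriveLetter     = $letter
            UncRoot         = $unc
            KernelPath      = $kernelPath
            LetterExclusion = "$letter\*.*"                          # the form that failed in the thread
            UncExclusion    = if ($unc) { "$unc\*.*" } else { $null } # the form that worked
            IpExclusion     = $ipExclusion                            # alternative if DNS is unreliable
        }
    }
}

Get-MappedDriveExclusionInfo | Format-List
```

Reading the KernelPath column side by side with the exclusion strings makes the difference concrete: the UNC form names the share the same way regardless of which letter or logon session is in use, while the letter form depends on a symbolic link that exists only for the session that created it. If a client has no mapped drives the function simply returns nothing, and a disconnected mapping shows a KernelPath but no UncRoot.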
