Jump to content

Exclusions clarifications needed


karsayor
 Share

Recommended Posts

Hello

I'm getting more and more confused with multiples exclusions possibilities. I do understand the change with the split between Performance & Detection exclusions.

What I'm not getting is :

  • What's the difference between a Performance exclusion on a whole folder that contains an application, a Performance exclusion for the same application and a Process exclusion for the same application ? For example about Citrix ESET says here that we must exclude C:\Program Files\Citrix\ , but Citrix KB here says that we must exclude process like for example %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
  • Is excluding C:\Program Files\Citrix\ the same as excluding C:\Program Files\Citrix\* ? According to documentation, we are supposed to use C:\Program Files\Citrix\* to exclude this folder and all subfolders and files
  • What's the difference between a Performance exclusion on a file extension like *.doc and adding .doc to File extensions excluded from scanning 
  • What's the difference between File extensions excluded from scanning on the Malware scans / THREATSENSE PARAMETERS tab and the File extensions excluded from scanning on the Real-time file system protection / THREATSENSE PARAMETERS
  • From what I understand, only Detection exclusions have been moved to the new Exclusions feature of Management console, correct ?

I think there is work to do to consolidate all these and simplify everything, it's really confusing at the moment and even more since the splitting that have been made on Management console 7.1

Honestly, I do not think that changes that have been made are an improvement at all, or they are released while not completely finished and documented.

Thanks for your help guys

Edited by karsayor
Link to comment
Share on other sites

  • Administrators
32 minutes ago, karsayor said:
  • What's the difference between a Performance exclusion on a whole folder that contains an application, a Performance exclusion for the same application and a Process exclusion for the same application ? For example about Citrix ESET says here that we must exclude C:\Program Files\Citrix\ , but Citrix KB here says that we must exclude process like for example %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe

The difference between excluding a whole folder and a particular file is quite clear I would say. While in the former case no file in the folder would be scanned for threats, in the latter case only the excluded file will not be scanned which is safer.
Excluding a process means that any file the process touches will not be scanned for threats. However, if there's a threat on a disk and another process would touch it, the threat would be detected.

32 minutes ago, karsayor said:
  • Is excluding C:\Program Files\Citrix\ the same as excluding C:\Program Files\Citrix\* ? According to documentation, we are supposed to use C:\Program Files\Citrix\* to exclude this folder and all subfolders and files

A correct way to exclude all files in a folder and its subfolders is by excluding C:\Program Files\Citrix\* which is equal to excluding C:\Program Files\Citrix\*.* Without the wildcard at the end the exclusion would not work since it'd not be clear if you meant to exclude a file or a folder.

32 minutes ago, karsayor said:
  • What's the difference between a Performance exclusion on a file extension like *.doc and adding .doc to File extensions excluded from scanning 

A performance exclusion with *.doc at the end of the path would exclude *.doc files at the given path. Excluding a file extension from scanning would exclude files with the given extension regardless of the location of the file.

32 minutes ago, karsayor said:
  • What's the difference between File extensions excluded from scanning on the Malware scans / THREATSENSE PARAMETERS tab and the File extensions excluded from scanning on the Real-time file system protection / THREATSENSE PARAMETERS

They are separate settings for the on-demand scanner and real-time protection. Both are meant to exclude files with given extensions from scanning by the appropriate scanner.

32 minutes ago, karsayor said:
  • From what I understand, only Detection exclusions have been moved to the new Exclusions feature of Management console, correct ?

Detection exclusions were there even before Endpoint / ESMC v7, they were, however, part of the Exclusion list. Recently we've just split it into two settings so that it's clear where one should exclude a file, depending on the purpose (ie. whether due to performance issues or to avoid detection). If you don't want a particular pot. unsafe or unwanted application to be detected, use Detection exclusions with the detection name specified. If you need to exclude a file or a folder to prevent performance issues or clashes with another sw, use Performance exclusions.

Link to comment
Share on other sites

Hello Marcos, thanks for your response !

1 hour ago, Marcos said:

The difference between excluding a whole folder and a particular file is quite clear I would say. While in the former case no file in the folder would be scanned for threats, in the latter case only the excluded file will not be scanned which is safer.
Excluding a process means that any file the process touches will not be scanned for threats. However, if there's a threat on a disk and another process would touch it, the threat would be detected.

I still need clarification. Let's take the scenario according to both links I sent in first post :

  • ESET recommends excluding C:\Program Files\Citrix\ (add a * at the end, as we both agree)
  • Citrix recommends excluding process C:\Citrix\User Profile Manager\UserProfileManager.exe from scanner

So if I understand correctly, ESET recommends that the content of the folder C:\Program Files\Citrix\* shall not be scanned, but Citrix recommends that everythingtouched by process C:\Citrix\User Profile Manager\UserProfileManager.exe shall not be scanned and therefore it's not the same at all.

If I should follow Citrix recommendation, I should add C:\Citrix\User Profile Manager\UserProfileManager.exe to Process exclusion is that right ? If so, I think it might be worth updating ESET's article about this.

1 hour ago, Marcos said:

A performance exclusion with *.doc at the end of the path would exclude *.doc files at the given path. Excluding a file extension from scanning would exclude files with the given extension regardless of the location of the file.

Ok, so adding *.doc without path to performance exclusion doesn't do anything ?

Thanks for your help, it already clarifies a lot for me.

Edited by karsayor
Link to comment
Share on other sites

  • Administrators
3 hours ago, karsayor said:

So if I understand correctly, ESET recommends that the content of the folder C:\Program Files\Citrix\* shall not be scanned, but Citrix recommends that everything touched by process C:\Citrix\User Profile Manager\UserProfileManager.exe shall not be scanned and therefore it's not the same at all.

We do not recommend using exclusions at all. However, if a vendor of a particular software recommends so, we provide options to do so. It appears that according to Citrix the process C:\Citrix\User Profile Manager\UserProfileManager.exe should be excluded, ie. added to the Process exclusion list.

 

3 hours ago, karsayor said:

Ok, so adding *.doc without path to performance exclusion doesn't do anything ?

That's correct, I've just tested it. Eicar.com was detected in a folder when *.com was added in the performance exclusion list.

Link to comment
Share on other sites

15 hours ago, Marcos said:

We do not recommend using exclusions at all.

This article clearly states the opposite, even if recommended by Citrix and not by ESET, it's added to the article so it might be worth changing because it's misleading.

I will add the correct exe to Process exclusion and remove the C:\Program Files\Citrix\* from files and folders exclusions.

Another question about this article by the way, it says we should disable these options, but I'm also very concerned about security when disabling these. What are your thoughts about it ?

KB7321Fig3-1.png

 

 

Edited by karsayor
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...