karsayor, posted December 17, 2019 (edited)

Hello

I'm getting more and more confused with the multiple exclusion possibilities. I do understand the change with the split between Performance & Detection exclusions. What I'm not getting is:

- What's the difference between a Performance exclusion on a whole folder that contains an application, a Performance exclusion for the same application and a Process exclusion for the same application? For example about Citrix ESET says here that we must exclude C:\Program Files\Citrix\ , but Citrix KB here says that we must exclude process like for example %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe
- Is excluding C:\Program Files\Citrix\ the same as excluding C:\Program Files\Citrix\* ? According to documentation, we are supposed to use C:\Program Files\Citrix\* to exclude this folder and all subfolders and files
- What's the difference between a Performance exclusion on a file extension like *.doc and adding .doc to File extensions excluded from scanning
- What's the difference between File extensions excluded from scanning on the Malware scans / THREATSENSE PARAMETERS tab and the File extensions excluded from scanning on the Real-time file system protection / THREATSENSE PARAMETERS
- From what I understand, only Detection exclusions have been moved to the new Exclusions feature of Management console, correct?

I think there is work to do to consolidate all these and simplify everything, it's really confusing at the moment and even more since the splitting that has been made on Management console 7.1

Honestly, I do not think that changes that have been made are an improvement at all, or they are released while not completely finished and documented.

Thanks for your help guys

Edited December 17, 2019 by karsayor
Marcos (Administrators), posted December 17, 2019

32 minutes ago, karsayor said:
> What's the difference between a Performance exclusion on a whole folder that contains an application, a Performance exclusion for the same application and a Process exclusion for the same application? For example about Citrix ESET says here that we must exclude C:\Program Files\Citrix\ , but Citrix KB here says that we must exclude process like for example %ProgramFiles%\Citrix\User Profile Manager\UserProfileManager.exe

The difference between excluding a whole folder and a particular file is quite clear I would say. While in the former case no file in the folder would be scanned for threats, in the latter case only the excluded file will not be scanned which is safer. Excluding a process means that any file the process touches will not be scanned for threats. However, if there's a threat on a disk and another process would touch it, the threat would be detected.

32 minutes ago, karsayor said:
> Is excluding C:\Program Files\Citrix\ the same as excluding C:\Program Files\Citrix\* ? According to documentation, we are supposed to use C:\Program Files\Citrix\* to exclude this folder and all subfolders and files

A correct way to exclude all files in a folder and its subfolders is by excluding C:\Program Files\Citrix\* which is equal to excluding C:\Program Files\Citrix\*.* Without the wildcard at the end the exclusion would not work since it'd not be clear if you meant to exclude a file or a folder.

32 minutes ago, karsayor said:
> What's the difference between a Performance exclusion on a file extension like *.doc and adding .doc to File extensions excluded from scanning

A performance exclusion with *.doc at the end of the path would exclude *.doc files at the given path. Excluding a file extension from scanning would exclude files with the given extension regardless of the location of the file.

32 minutes ago, karsayor said:
> What's the difference between File extensions excluded from scanning on the Malware scans / THREATSENSE PARAMETERS tab and the File extensions excluded from scanning on the Real-time file system protection / THREATSENSE PARAMETERS

They are separate settings for the on-demand scanner and real-time protection. Both are meant to exclude files with given extensions from scanning by the appropriate scanner.

32 minutes ago, karsayor said:
> From what I understand, only Detection exclusions have been moved to the new Exclusions feature of Management console, correct?

Detection exclusions were there even before Endpoint / ESMC v7, they were, however, part of the Exclusion list. Recently we've just split it into two settings so that it's clear where one should exclude a file, depending on the purpose (i.e. whether due to performance issues or to avoid detection).

If you don't want a particular pot. unsafe or unwanted application to be detected, use Detection exclusions with the detection name specified. If you need to exclude a file or a folder to prevent performance issues or clashes with another sw, use Performance exclusions.
karsayor (Author), posted December 17, 2019 (edited)

Hello Marcos, thanks for your response!

1 hour ago, Marcos said:
> The difference between excluding a whole folder and a particular file is quite clear I would say. While in the former case no file in the folder would be scanned for threats, in the latter case only the excluded file will not be scanned which is safer. Excluding a process means that any file the process touches will not be scanned for threats. However, if there's a threat on a disk and another process would touch it, the threat would be detected.

I still need clarification. Let's take the scenario according to both links I sent in first post:

- ESET recommends excluding C:\Program Files\Citrix\ (add a * at the end, as we both agree)
- Citrix recommends excluding process C:\Citrix\User Profile Manager\UserProfileManager.exe from scanner

So if I understand correctly, ESET recommends that the content of the folder C:\Program Files\Citrix\* shall not be scanned, but Citrix recommends that everything touched by process C:\Citrix\User Profile Manager\UserProfileManager.exe shall not be scanned and therefore it's not the same at all.

If I should follow Citrix recommendation, I should add C:\Citrix\User Profile Manager\UserProfileManager.exe to Process exclusion, is that right? If so, I think it might be worth updating ESET's article about this.

1 hour ago, Marcos said:
> A performance exclusion with *.doc at the end of the path would exclude *.doc files at the given path. Excluding a file extension from scanning would exclude files with the given extension regardless of the location of the file.

Ok, so adding *.doc without path to performance exclusion doesn't do anything?

Thanks for your help, it already clarifies a lot for me.

Edited December 17, 2019 by karsayor
Marcos (Administrators), posted December 17, 2019

3 hours ago, karsayor said:
> So if I understand correctly, ESET recommends that the content of the folder C:\Program Files\Citrix\* shall not be scanned, but Citrix recommends that everything touched by process C:\Citrix\User Profile Manager\UserProfileManager.exe shall not be scanned and therefore it's not the same at all.

We do not recommend using exclusions at all. However, if a vendor of a particular software recommends so, we provide options to do so. It appears that according to Citrix the process C:\Citrix\User Profile Manager\UserProfileManager.exe should be excluded, i.e. added to the Process exclusion list.

3 hours ago, karsayor said:
> Ok, so adding *.doc without path to performance exclusion doesn't do anything?

That's correct, I've just tested it. Eicar.com was detected in a folder when *.com was added in the performance exclusion list.
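
The entry shapes discussed in this thread, turned into a small lint for a performance-exclusion list. This is an added example, not part of any post and not ESET code; it encodes only the behaviour reported above, and the function names and the sample entries (including the D:\Shares path) are constructed for illustration.

```python
# Added example: lint for performance-exclusion entries. It classifies each
# entry by shape, using only the behaviour described in this thread; it does
# not reproduce the product's own matching logic.

FINDINGS = {
    "no-path": "mask without a path; reported in the thread to have no effect",
    "missing-wildcard": "folder path without trailing *; reported not to work",
    "whole-folder": "nothing in the folder or its subfolders is scanned",
    "mask-in-folder": "files matching the mask at this path are not scanned",
    "single-file": "only this file is not scanned (narrowest option)",
}

def classify(entry):
    """Classify one exclusion string by its shape."""
    e = entry.strip()
    if "\\" not in e:
        return "no-path"            # e.g. "*.com"
    leaf = e.rsplit("\\", 1)[1]     # text after the last backslash
    if leaf == "":
        return "missing-wildcard"   # e.g. "C:\Program Files\Citrix\"
    if leaf in ("*", "*.*"):
        return "whole-folder"       # the two forms are described as equal
    if "*" in leaf:
        return "mask-in-folder"     # e.g. "<path>\*.doc"
    return "single-file"

def audit(entries):
    """Return (entry, finding, explanation) for every entry worth a second look."""
    report = []
    for entry in entries:
        finding = classify(entry)
        if finding != "single-file":
            report.append((entry, finding, FINDINGS[finding]))
    return report

# Constructed sample list, not exported from a real policy.
SAMPLE = [
    "C:\\Program Files\\Citrix\\",
    "C:\\Program Files\\Citrix\\*",
    "C:\\Program Files\\Citrix\\*.*",
    "*.com",
    "D:\\Shares\\Docs\\*.doc",
    "%ProgramFiles%\\Citrix\\User Profile Manager\\UserProfileManager.exe",
]

if __name__ == "__main__":
    for entry, finding, why in audit(SAMPLE):
        print(f"{finding:17} {entry}  ({why})")
```

Entries flagged as whole-folder are the ones to compare against the vendor's guidance, since the thread notes that a file or process exclusion may be what the vendor actually asked for.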
karsayor (Author), posted December 17, 2019 (edited)

15 hours ago, Marcos said:
> We do not recommend using exclusions at all.

This article clearly states the opposite, even if recommended by Citrix and not by ESET, it's added to the article so it might be worth changing because it's misleading.

I will add the correct exe to Process exclusion and remove the C:\Program Files\Citrix\* from files and folders exclusions.

Another question about this article by the way, it says we should disable these options, but I'm also very concerned about security when disabling these. What are your thoughts about it?

Edited December 18, 2019 by karsayor