ChristianK

ESMC: Global process exclusion w/ placeholders


Hi there,

I am trying my best to exclude a specific process on all my Windows clients from the real-time scanner, but I can't find a way to do so since the web UI refuses to let me use placeholders for system variables like %LOCALAPPDATA%.

That renders this global setting useless for me, since the path resides in "c:\<USERNAME>\AppData\Local\..." and the "<USERNAME>" part is different on each machine.

If there is a way to add a specific file/process using system variables, please give me a hint on how to do so.

If not, it would be great if you (the supporters/devs) would consider putting this on the feature-request list, as I'm sure this is an issue for many enterprise customers.

Thanks in advance!


Since ekrn runs in the local system account, user variables cannot be resolved. Only system variables should work, but not for process exclusions; at least it seems that variables are not accepted there at all.


Hi Marcos,

Thanks for your explanation. This makes sense.

But what about wildcards? Something like "c:\Users\*\AppData\Local" would theoretically work. Why is that also not usable in that context?


Wildcards are supported in performance and detection exclusions, and only at the end of the path.

What is the actual issue that occurs if you don't create process exclusions?

Posted (edited)

We have performance issues with Microsoft Teams and the Endpoint Antivirus since the last update of the Teams client. The real-time scanner seems to permanently scan the various "Teams.exe" processes, which leads to extreme CPU load and loss of connection in Teams on some clients.

Since most employees here are still working from home, we need Teams to run stably for our communications. The only way to solve this issue for the moment is to exclude the "Teams.exe" processes from the scanner engine.

"Teams.exe" resides in "C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\current", that's why I asked for a possibility to use placeholders.

Edited by ChristianK

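The two constraints raised above (ekrn runs as LocalSystem, so a user's %LOCALAPPDATA% cannot be resolved, and a wildcard is only accepted at the end of a path) mean an exclusion for the quoted Teams path has to be spelled out per profile. The following PowerShell is an added example, not ESET's code or anything from the thread: it reads the profile roots from the ProfileList registry key, expands the relative Teams path given in the post for each one, and reports which concrete paths exist on this machine. The relative path and the decision to skip service SIDs are assumptions made for the example.

```powershell
# Added example (not ESET's code): expand the per-user Teams path into the concrete
# paths that exist on this machine. ekrn runs as LocalSystem and cannot resolve a
# user's %LOCALAPPDATA%, and wildcards are only accepted at the end of a path, so a
# global policy needs explicit, per-profile entries.
# Assumed: the relative path below is the one quoted in the thread; profile roots are
# read from the ProfileList key so that profiles outside C:\Users are covered too.

$RelativePath = 'AppData\Local\Microsoft\Teams\current\Teams.exe'

function Get-UserProfileRoots {
    # Keys named like a domain/local user SID (S-1-5-21-...) are real user profiles;
    # the service SIDs (S-1-5-18/19/20) map to system/service profiles and are skipped.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
        ForEach-Object {
            $dir = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
            if ($dir) { [Environment]::ExpandEnvironmentVariables($dir) }
        }
}

function Get-ConcreteExclusionPaths {
    param([string]$Relative = $RelativePath)
    foreach ($root in Get-UserProfileRoots) {
        $full = Join-Path -Path $root -ChildPath $Relative
        [pscustomobject]@{
            ProfileRoot = $root
            Path        = $full
            Exists      = Test-Path -LiteralPath $full -PathType Leaf
        }
    }
}

# What %LOCALAPPDATA% means depends on who expands it: for the logged-on user it is
# their own profile; for LocalSystem it is
# C:\Windows\System32\config\systemprofile\AppData\Local, which is why a user variable
# in a global policy cannot point at every user's Teams folder.
"Current context expands %LOCALAPPDATA% to: " + [Environment]::ExpandEnvironmentVariables('%LOCALAPPDATA%')

Get-ConcreteExclusionPaths | Format-Table -AutoSize
```

Run it once on a representative client to see how many distinct entries a policy would need; the `Exists` column also shows profiles where Teams was never installed and no entry is required.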

Strange, we've used Teams without any exclusions and without issues.

Does temporarily pausing real-time protection actually make a difference? Do you have the latest Endpoint 7.3.2039 installed?


Actually, it does make a difference. When I disable real-time protection the CPU impact vanishes, too. Yes, v7.3.2039.0 is installed on all clients.


Please carry on as follows:
- Temporarily disable the protected service in the HIPS setup and reboot the machine.
- Start logging with Procmon.
- Reproduce the issue.
- After a while, stop logging.
- Enable advanced operating system logging in the advanced setup -> Tools -> Diagnostics.
- Reproduce the issue.
- After a while, disable logging.
- Re-enable the protected service and reboot the machine.

When done, collect logs with ESET Log Collector and add the Procmon log to the generated archive. Upload the archive to a safe location and drop me a personal message with a download link.

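Before handing the Procmon capture over, it is worth checking that it actually contains the reproduction. The PowerShell below is an added example, not ESET's code or part of the support procedure above: it reads a Procmon log exported as CSV and summarises the file-system operations of the process named in the thread (Teams.exe) alongside the paths the ESET service (ekrn.exe) touched in the same window. The CSV column names assumed are Procmon's defaults ("Process Name", "Operation", "Path", "Result"); the log location is a placeholder.

```powershell
# Added example (not ESET's code): summarise a Procmon log exported as CSV
# (File -> Save..., "Comma-Separated Values") so you can see which process and which
# paths generate the file activity during the reproduction window.
# Assumed: default Procmon columns "Process Name", "Operation", "Path", "Result";
# the export path below is a placeholder.

$LogPath = 'C:\Temp\teams-repro.CSV'   # placeholder: wherever the export was saved

function Get-ProcmonSummary {
    param(
        [Parameter(Mandatory)] [string]$Csv,
        [string]$ProcessFilter = 'Teams.exe',   # process named in the thread
        [string]$ScannerProcess = 'ekrn.exe',   # ESET service mentioned in the thread
        [int]$Top = 15
    )
    $events = @(Import-Csv -LiteralPath $Csv)

    # Procmon file-system operations are named CreateFile, ReadFile, WriteFile,
    # QueryBasicInformationFile, CloseFile, ... so '*File*' keeps exactly those.
    $appFs = @($events | Where-Object {
        $_.'Process Name' -ieq $ProcessFilter -and $_.Operation -like '*File*'
    })
    $scannerFs = @($events | Where-Object {
        $_.'Process Name' -ieq $ScannerProcess -and $_.Operation -like '*File*'
    })

    [pscustomobject]@{
        TotalEvents  = $events.Count
        AppFileEvents = $appFs.Count
        ByOperation  = $appFs | Group-Object Operation | Sort-Object Count -Descending |
                           Select-Object Name, Count
        HottestPaths = $appFs | Group-Object Path | Sort-Object Count -Descending |
                           Select-Object -First $Top Name, Count
        # Paths the scanner service opened in the same window, for correlation with
        # the application's hottest paths.
        ScannerPaths = $scannerFs | Group-Object Path | Sort-Object Count -Descending |
                           Select-Object -First $Top Name, Count
    }
}

$summary = Get-ProcmonSummary -Csv $LogPath
$summary | Select-Object TotalEvents, AppFileEvents | Format-List
"Operations by $ProcessFilter:"; $summary.ByOperation  | Format-Table -AutoSize
"Hottest paths:";                $summary.HottestPaths | Format-Table -AutoSize
"Paths touched by ekrn.exe:";    $summary.ScannerPaths | Format-Table -AutoSize
```

If `AppFileEvents` is zero the capture missed the reproduction (or the filter dropped it); if the hottest Teams.exe paths and the ekrn.exe paths overlap heavily, that is the concrete evidence to include with the Log Collector archive.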
