ChristianK, posted August 5, 2020

Hi there,

I try my best to exclude a specific process on all my Windows clients from the realtime scanner, but I can't find a way to do so since the web UI refuses to let me use placeholders for system vars like %LOCALAPPDATA%. That way it renders this global setting useless for me since the path resides in "c:\<USERNAME>\AppData\Local\..." and the "<USERNAME>" part is different on each machine.

If there is a way to add a specific file/process using system variables, please give me a hint how to do so. If not, it would be great if you (the supporters/devs) would consider putting this on the feature-request list as I'm sure that this is an issue for many enterprise customers.

Thanks in advance!

Marcos (Administrators), posted August 5, 2020

Since ekrn runs in the local system account, user variables cannot be resolved. Only system variables should work but not for process exclusions; at least it seems that variables are not accepted at all.

ChristianK (Author), posted August 5, 2020

Hi Marcos, thanks for your explanation. This makes sense. But what about wildcards? Something like "c:\Users\*\AppData\Local" would work theoretically. Why is that also not usable in that context?

Marcos (Administrators), posted August 5, 2020

Wildcards are supported in performance and detection exclusions and only at the end of the path. What is the actual issue that occurs if you don't create process exclusions?

ChristianK (Author), posted August 5, 2020 (edited August 5, 2020 by ChristianK)

We have performance issues with Microsoft Teams and the Endpoint Antivirus since the last update of the Teams client. The realtime scanner seems to permanently scan the various "Teams.exe" processes, which leads to extreme CPU load and loss of connection in Teams on some clients. Since most employees here are still in home office, we need Teams to run stable for our communications.

The only way to solve this issue for the moment is to exclude the "Teams.exe" processes from the scanner engine. "Teams.exe" resides in "C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\current", that's why I asked for a possibility to use placeholders.

Marcos (Administrators), posted August 5, 2020

Strange, we've used Teams without any exclusions and issues. Does temporarily pausing real-time protection actually make a difference? Do you have the latest Endpoint 7.3.2039 installed?

ChristianK (Author), posted August 5, 2020

Actually, it does make a difference. When I disable realtime protection the CPU impact vanishes, too. Yes, there is v7.3.2039.0 on all clients.

Marcos (Administrators), posted August 5, 2020

Please carry on as follows:
- Temporarily disable protected service in the HIPS setup and reboot the machine
- Start logging with Procmon
- Reproduce the issue
- After a while, stop logging.
- Enable advanced operating system logging in the adv.setup -> tools -> diagnostics
- Reproduce the issue
- After a while, disable logging
- Re-enable protected service and reboot the machine.

When done, collect logs with ESET Log Collector and add the Procmon log to the generated archive. Upload the archive to a safe location and drop me a personal message with a download link.

ChristianK (Author), posted August 6, 2020

Okay, I'll set up a test machine with ESET and Teams only to isolate the problem and run the steps you listed ASAP.