ESMC: Global process exclusion w/ placeholders

Hi there,

I try my best to exclude a specific process on all my Windows clients from the real-time scanner, but I can't find a way to do so since the web UI refuses to let me use placeholders for system vars like %LOCALAPPDATA%.

That way it renders this global setting useless for me since the path resides in "c:\<USERNAME>\AppData\Local\..." and the "<USERNAME>" part is different on each machine.

If there is a way to add a specific file/process using system variables, please give me a hint how to do so.

If not, it would be great if you (the supporters/devs) would consider putting this on the feature-request list, as I'm sure that this is an issue for many enterprise customers.

Thanks in advance!

  • Administrators

Since ekrn runs in the local system account, user variables cannot be resolved. Only system variables should work but not for process exclusions; at least it seems that variables are not accepted at all.

Hi Marcos,

thanks for your explanation. This makes sense.

But what about wildcards? Something like "c:\Users\*\AppData\Local" would work theoretically. Why is that also not usable in that context?

  • Administrators

Wildcards are supported in performance and detection exclusions and only at the end of the path.

What is the actual issue that occurs if you don't create process exclusions?

We have performance issues with Microsoft Teams and the Endpoint Antivirus since the last update of the Teams client. The real-time scanner seems to permanently scan the various "Teams.exe" processes, which leads to extreme CPU load and loss of connection in Teams on some clients.

Since most employees here are still in home-office, we need Teams to run stable for our communications. The only way to solve this issue for the moment is to exclude the "Teams.exe" processes from the scanner engine.

"Teams.exe" resides in "C:\Users\<USERNAME>\AppData\Local\Microsoft\Teams\current", that's why I asked for a possibility to use placeholders.

Edited by ChristianK
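
The following is an added example, not code from the thread or from ESET: a PowerShell script that turns the per-user path quoted above into the concrete list of Teams.exe instances on one machine, since the console will not expand %LOCALAPPDATA% and only accepts a trailing wildcard. It also prints what %LOCALAPPDATA% resolves to under the LocalSystem account (the systemprofile directory), which is why a user variable cannot work from ekrn. The function name Get-TeamsExeInstances and the SHA-256/Authenticode columns are my additions: a process exclusion on a user-writable directory is only safe if you can confirm which binary you are excluding.

```powershell
# Added example (not from the ESET thread). Run in an elevated session so every
# profile directory under C:\Users is readable.
$TeamsRelativePath = 'AppData\Local\Microsoft\Teams\current\Teams.exe'   # path quoted in the thread

function Get-TeamsExeInstances {
    param([string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'))
    Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = Join-Path $_.FullName $TeamsRelativePath
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                # The directory is user-writable, so record who signed the file and its
                # hash before granting it an exclusion; a rogue "Teams.exe" dropped here
                # would otherwise inherit the same exclusion.
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                [pscustomobject]@{
                    Profile   = $_.Name
                    Path      = $exe
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status
                    Sha256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                }
            }
        }
}

# Why a per-user variable cannot be resolved by the service: under LocalSystem,
# %LOCALAPPDATA% points into the system profile, not into any user's profile.
"LOCALAPPDATA in this session : $env:LOCALAPPDATA"
"LOCALAPPDATA under LocalSystem: $env:SystemRoot\System32\config\systemprofile\AppData\Local"

# Concrete paths you would have to enter one by one (or one per user profile)
Get-TeamsExeInstances | Format-Table -AutoSize
```

Export the table with `Get-TeamsExeInstances | Export-Csv` if you want to keep an inventory of which signed hashes were excluded and when; the list changes every time the Teams client updates itself into a new `current` directory.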

  • Administrators

Strange, we've used Teams without any exclusions and issues.

Does temporarily pausing real-time protection actually make a difference? Do you have the latest Endpoint 7.3.2039 installed?

  • Administrators

Please carry on as follows:
- Temporarily disable protected service in the HIPS setup and reboot the machine
- Start logging with Procmon
- Reproduce the issue
- After a while, stop logging.
- Enable advanced operating system logging in the adv.setup -> tools -> diagnostics
- Reproduce the issue
- After a while, disable logging
- Re-enable protected service and reboot the machine.

When done, collect logs with ESET Log Collector and add the Procmon log to the generated archive. Upload the archive to a safe location and drop me a personal message with a download link.
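
As an added example, not part of the thread or of ESET's tooling, the following PowerShell summarises a Procmon capture saved as CSV (File > Save, CSV format) so you can see, before sending the logs, which process is touching the Teams.exe binaries and how often. The column names are Procmon's default CSV export headers; the sample rows, the function name Get-ScanActivity and the default path filter are constructed for illustration. Point -CsvPath at the real export to analyse the capture taken in the steps above.

```powershell
# Added example (not from the ESET thread): aggregate Procmon CSV events by
# process and operation for the Teams.exe binaries.

# Constructed sample in Procmon's default CSV export layout.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","ekrn.exe","1234","CreateFile","C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe","SUCCESS","Desired Access: Generic Read"
"10:00:01.0010000","ekrn.exe","1234","ReadFile","C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:00:01.0020000","Teams.exe","5678","CreateFile","C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe","SUCCESS","Desired Access: Execute/Traverse"
"10:00:02.0000000","ekrn.exe","1234","CreateFile","C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe","SUCCESS","Desired Access: Generic Read"
"10:00:02.5000000","svchost.exe","900","QueryDirectory","C:\Windows\System32","SUCCESS",""
'@

function Get-ScanActivity {
    param(
        [Parameter(Mandatory)][string]$CsvPath,                          # Procmon CSV export
        [string]$PathFilter = '\\Microsoft\\Teams\\current\\Teams\.exe$'  # regex, hypothetical default
    )
    Import-Csv -LiteralPath $CsvPath |
        Where-Object { $_.Path -match $PathFilter } |
        Group-Object 'Process Name', 'Operation' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'Process';   Expression = { $_.Values[0] } },
            @{ Name = 'Operation'; Expression = { $_.Values[1] } }
}

# Usage with the constructed sample; replace $tmp with the path of the real export.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'procmon-sample.csv'
Set-Content -LiteralPath $tmp -Value $sampleCsv -Encoding UTF8
Get-ScanActivity -CsvPath $tmp | Format-Table -AutoSize
```

A high and steadily growing count of ekrn.exe CreateFile/ReadFile events on the same Teams.exe path over the capture window is the pattern that would support the "permanently scanning" hypothesis; if instead the counts are dominated by Teams.exe itself or by other processes, the CPU load has a different source and an exclusion would not help.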