Exclusions of specific folders scan


Panagiotis Goudas
Solved by Marcos

Hello.

We have set a weekly In-depth scan for the computers of our organisation.
However we want to exclude our shared folders from scanning since they are already scanned in the file server.

Any idea how to automate this procedure through policy?

Thanks in advance.

Link to comment

Hello,

I think shared folders are not directly scanned in the endpoint, but the moderators can confirm better.

Per my info there is no specific option within a policy to exclude shared folders, or in a task you trigger.

Link to comment

  • Administrators

Scheduled scans don't scan files in remote shares since ekrn.exe runs in the local system account and therefore does not have sufficient permissions.

Link to comment

What if the user account we are connected to has permissions to access these shared folders? Will it be the same situation, or will it scan them?

And finally. If I want to exclude specific folders from the file system, could I do it like the screenshot?

Thanks.

Screenshot 2024-09-27 082504.png

Edited by Panagiotis Goudas
Link to comment

  • Administrators

If you run an on-demand scan manually under a specific user who has access to the remote share, ESET will scan the files. However, if you schedule a scan via Scheduler, the scan will be run in the local system account and would not be able to access the share unless you share it for the specific AD computer instead of an AD user. Anyways, when scheduling a scan task you select the targets so the solution would be not to select the disk or folders you don't want to scan.

Link to comment

When you say "scheduling a task", do you mean setting the "Scheduler" via a policy?
Because that's what I have done and it didn't ask me to select disk or folders.
Moreover, the task type is "On-demand computer scan", so maybe it falls under the first thing you said: that ESET will scan the files since the user has access to them.

I'm a bit confused about this issue.

Screenshot 2024-09-27 102651.png

Link to comment

  • Administrators
  • Solution

When scheduling a scan via ESET PROTECT, you can choose to scan all targets defined in the selected on-demand scan profile or specify the targets in the tasks. I assume the custom targets also support strings listed at https://help.eset.com/protect_cloud/en-US/client_tasks_on_demand_scan.html so you could use something like this to scan only local disks:

image.png

Link to comment

Thanks a lot for your answer, it helped me a lot!

I have a couple more questions.

1. I have set the weekly scan every Thursday for the PCs of my organisation. The log files configuration is set as seen in the screenshot:
- Minimum logging verbosity -> Warnings
- Delete records older than 60 days

However I have the following (screenshot no.2) view of log files in the computers that run this weekly scan.
As you can see, the log files include scans of files that didn't find anything suspicious and just report that everything is OK. Since I have set the logging verbosity to "Warnings", is this a normal view?

2. I have attached an image of how the policies are applied to one of the organisation's users.
According to the image (screenshot no.3), which policy is applied first and which is applied last? Does the number next to the policy indicate something about the queue of the policies?

Screenshot no.1.png

Screenshot no.2.png

Screenshot no.3.png

Link to comment

  • Administrators

Policies with higher numbers override those with lower numbers, except settings that are enforced by selecting the flash icon next to them. You could provide logs collected with ESET Log Collector if you are unable to determine which of the policies enables the "Log all files" setting.

Link to comment

The policy which has the highest number is set as I mentioned in my previous post.

- Minimum logging verbosity -> Warnings
- Delete records older than 60 days

The screenshot is from a computer that has all the policies set by the organisation.

However I get the picture I sent you above. Is this normal?

If I need to provide logs, what kind of logs do you want?

Screenshot 2024-10-01 144708.png

Link to comment

  • Administrators

The setting that enables logging of all scanned files is located in the ThreatSense setup of the on-demand scanner profile used in the scan.

As for the logs, I meant logs collected with ESET Log Collector from the machine.

image.png

Link to comment

So to understand, is this setting contrary to the setting that sets the minimum logging verbosity to "Warnings"?

What if I disable the setting "Log all objects"?

To conclude, what I want is to log only the important incidents (Warnings, Errors, Critical) and not to fill the disk with all the logs.

Edited by Panagiotis Goudas
Link to comment

  • Administrators

The setting in your screenshot affects logging to the Event log and some other logs only. Whether all scanned files are logged is determined by the "Scan all objects" setting in a particular on-demand scanner profile setup.

Link to comment

I'm kind of confused, really.

The same policy that sets minimum logging verbosity to "Warnings" has also the setting "Log all objects". 
This policy schedules a weekly scan through "Scheduler".

What should I do to log only the important events and avoid logging everything in my weekly scan?

Link to comment

  • Administrators

There are no policies that would run a scheduled on-demand scan. However, your "In-depth scan" on-demand scanner profile has logging of all objects enabled. Please disable it. Also, the In-depth scan profile should have smart optimization disabled too, otherwise it won't run true in-depth scans.

image.png

Link to comment

Good morning Marcos.

But I do have a policy with a Scheduler set to have a Weekly in-depth scan.
The policy is called "Security Product for Windows - Protection - Balanced ( Custom )".

I made the changes you proposed in the "In-depth profile". I'll check about the logs and will let you know.

One more thing I don't understand is about "Enable Smart optimization".
What does this option stop in in-depth scans?

Thanks again.

Link to comment

  • Administrators
37 minutes ago, Panagiotis Goudas said:

But I do have a policy with a Scheduler set to have a Weekly in-depth scan.
The policy is called "Security Product for Windows - Protection - Balanced ( Custom )".

I was able to find only these tasks scheduled on the machine from which the logs were collected:

image.png

37 minutes ago, Panagiotis Goudas said:

One more thing I don't understand is about "Enable Smart optimization".
What does this option stop in in-depth scans?

Enabling it will cause many trusted and whitelisted files to be omitted from the scan, turning an ‘in-depth’ scan into a standard scan.

Link to comment