Palps (posted April 28, 2016, edited May 3, 2016):

Hi all, I currently have the issue that some of my exceptions are not working. ESET is detecting the following false positive. It seems that BackupExec is running, because for every detection I am getting another shadow copy path:

file:////Device/HarddiskVolumeShadowCopy11/ProgramData/Druva/inSyncCloud/inSyncServer4/detectav.exe
file:////Device/HarddiskVolumeShadowCopy6/ProgramData/Druva/inSyncCloud/inSyncServer4/detectav.exe
file:////Device/HarddiskVolumeShadowCopy1/ProgramData/Druva/inSyncCloud/inSyncServer4/detectav.exe

Now I tried to adapt our exceptions with the following paths and processes, but every morning I am getting the false positive again.

Path exclusions: [screenshot]

Process exclusions: [screenshot]

What is the syntax, or which kind of wildcards work for the exceptions? Would really appreciate your help. Thanks.
Gonzalo Alvarez, ESET Staff (posted April 28, 2016):

Hi @Palps, perhaps this can help you: "How do I exclude files or folders from Real-time scanning on client workstations using ESET Remote Administrator? (6.x)" hxxp://support.eset.com/kb3642/?viewlocale=en_US
Palps (posted April 28, 2016):

Hi Gonzalo Alvarez, the knowledge base article just shows the same place where I took the screenshot of my exception processes/paths. I already configured the settings described in the article, but they are not working. Thanks anyway.
Gonzalo Alvarez, ESET Staff (posted April 28, 2016):

Sorry then, that is as far as I can go. Perhaps one of the moderators can help you.
Palps (posted April 28, 2016):

No problem, I really appreciate your help.
MichalJ, ESET Staff (posted April 28, 2016, edited April 28, 2016):

Do you have any set of exclusions created by a different policy lower in the hierarchy? As the exclusions list is considered one setting, one list overwrites another one. Also, if you set the "force flag" for the master list, this is not appended, not overwritten. What I would suggest is to try to remove all policy assignments including "any form of exclusions" from the target client, and set the exclusions locally on the affected computer. Please let us know if this helped.
Marcos, Administrator (posted April 28, 2016):

We are not sure if excluding shadow copy volumes using a wildcard will work. Try excluding "\device\harddiskvolumeshadowcopy*\*.*" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\*.*".
Palps (posted April 29, 2016):

> Do you have any set of exclusions created by a different policy lower in the hierarchy? As the exclusions list is considered one setting, one list overwrites another one. Also, if you set the "force flag" for the master list, this is not appended, not overwritten. What I would suggest is to try to remove all policy assignments including "any form of exclusions" from the target client, and set the exclusions locally on the affected computer. Please let us know if this helped.

Thanks MichalJ for your answer. That's what I also already thought about. But I requested the configuration of the affected client on the ERA and the configuration is showing the exceptions. I also checked the configuration directly on the client, and there too I could see the configured exceptions, so they are not overwritten by a lower policy. I will try the solution posted by Marcos before I configure the exceptions locally, because we have many servers and I don't want to do all the configuration manually. This should work by policy.

> We are not sure if excluding shadow copy volumes using a wildcard will work. Try excluding "\device\harddiskvolumeshadowcopy*\*.*" or "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\*.*".

I will try to add the paths like you explained. I have to check tomorrow morning again whether the threat occurred again. Thank you both for your fast support, I appreciate it.
Palps (posted May 3, 2016):

Hi again, unfortunately the Eicar test file is still reported. I have the following exceptions (applied by policy, screenshot from server):

[screenshot]

Do you have some additional ideas? Thanks!
MichalJ, ESET Staff (posted May 3, 2016, edited May 3, 2016) [marked as solution]:

I have checked with the developers; try to configure the exclusions as:

\Device\HarddiskVolumeShadowCopy?\ProgramData\Druva\inSyncCloud\inSyncServer4\*
\Device\HarddiskVolumeShadowCopy??\ProgramData\Druva\inSyncCloud\inSyncServer4\*

Please let us know if it helped. Also, if you are using ESET File Security, which supports process exclusions, you should set a process exclusion by the full path to "beremote.exe", as that is the process you would like to exclude. Btw, what is the name of the backup software you are using? We would like to replicate the issues you are experiencing, to improve how the product handles / processes the exclusions, and how we communicate it to the users.
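The two patterns above differ only in `?` versus `??`, which is the detail that makes the pair cover ShadowCopy1, ShadowCopy6 and ShadowCopy11. The following is an added example, not code from the thread or from ESET: a small matcher that models those exclusions (assumed semantics: `?` matches exactly one character, `*` matches any run of characters within a single path component, matching is case-insensitive) and checks the detection paths quoted in the thread against candidate exclusion lists, so an administrator can see which paths an exclusion set leaves uncovered and confirm it does not over-match unrelated files on the same shadow copy.

```python
import re

# Detection paths quoted in the thread, written in \Device\... form (constructed from the file:// form).
DETECTED_PATHS = [
    r"\Device\HarddiskVolumeShadowCopy11\ProgramData\Druva\inSyncCloud\inSyncServer4\detectav.exe",
    r"\Device\HarddiskVolumeShadowCopy6\ProgramData\Druva\inSyncCloud\inSyncServer4\detectav.exe",
    r"\Device\HarddiskVolumeShadowCopy1\ProgramData\Druva\inSyncCloud\inSyncServer4\detectav.exe",
]

# The exclusion pair recommended in the thread.
RECOMMENDED_EXCLUSIONS = [
    r"\Device\HarddiskVolumeShadowCopy?\ProgramData\Druva\inSyncCloud\inSyncServer4\*",
    r"\Device\HarddiskVolumeShadowCopy??\ProgramData\Druva\inSyncCloud\inSyncServer4\*",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion pattern into a regex.

    Assumed semantics (a model, not ESET's documented behaviour):
    '?' matches exactly one non-separator character, '*' matches any run of
    non-separator characters, everything else is literal; case-insensitive.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern covers the given path under the model above."""
    return pattern_to_regex(pattern).match(path) is not None


def uncovered(paths, exclusions) -> list:
    """Return the detection paths that no exclusion in the list covers."""
    return [p for p in paths if not any(matches(e, p) for e in exclusions)]


if __name__ == "__main__":
    print("Uncovered with both patterns:", uncovered(DETECTED_PATHS, RECOMMENDED_EXCLUSIONS))
    print("Uncovered with '?' only:", uncovered(DETECTED_PATHS, RECOMMENDED_EXCLUSIONS[:1]))
```

Under this model the single `?` pattern leaves the ShadowCopy11 path uncovered and the pair covers all three, while a file outside the Druva folder on the same shadow copy is still scanned.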
Palps (posted May 3, 2016):

> I have checked with the developers; try to configure the exclusions as:
>
> \Device\HarddiskVolumeShadowCopy?\ProgramData\Druva\inSyncCloud\inSyncServer4\*
> \Device\HarddiskVolumeShadowCopy??\ProgramData\Druva\inSyncCloud\inSyncServer4\*
>
> Please let us know if it helped. Also, if you are using ESET File Security, which supports process exclusions, you should set a process exclusion by the full path to "beremote.exe", as that is the process you would like to exclude. Btw, what is the name of the backup software you are using? We would like to replicate the issues you are experiencing, to improve how the product handles / processes the exclusions, and how we communicate it to the users.

Thank you for your answer, I really appreciate it. I adapted the exceptions as you proposed. I will check tomorrow morning again whether the threat was found again. I don't want to exclude the whole "beremote.exe" process, because it is doing the backup and maybe it will also detect some other threats. We are using Symantec Backup Exec. The backup runs during the night, and on the next morning I have the threat alerts on our client backup server due to the Eicar test files reported by the real-time file system protection.
Palps (posted May 9, 2016):

> I have checked with the developers; try to configure the exclusions as:
>
> \Device\HarddiskVolumeShadowCopy?\ProgramData\Druva\inSyncCloud\inSyncServer4\*
> \Device\HarddiskVolumeShadowCopy??\ProgramData\Druva\inSyncCloud\inSyncServer4\*
>
> Please let us know if it helped.

This solved the problem with the shadow copies. Thank you very much for your support!