Pierre 0 Posted September 9, 2013
I have ESET File Security for Microsoft® Windows® Server 4.5.12011 installed on a server, and I am trying with remote administration v5.0.511 to create a policy with some file exclusions using OS environment variables. It seems that this is not working; I have to use the absolute path. But the automatic file exclusions use environment variables and are working.

Administrators Marcos 5,451 Posted September 9, 2013
System variables should work, user variables not, as they are not available in the local system account.

Pierre 0 Author Posted September 9, 2013
Do you see a problem with this exception list:

%systemroot%\Sysvol\Domain\*\*.adm
%systemroot%\Sysvol\Domain\*\*.admx
%systemroot%\Sysvol\Domain\*\*.adml
%systemroot%\Sysvol\Domain\*\Registry.pol
%systemroot%\Sysvol\Domain\*\*.aas
%systemroot%\Sysvol\Domain\*\*.inf
%systemroot%\Sysvol\Domain\*\Fdeploy.inf
%systemroot%\Sysvol\Domain\*\Scripts.ini
%systemroot%\Sysvol\Domain\*\*.ins
%systemroot%\Sysvol\Domain\*\Oscfilter.ini

I also tried to replace %SYSTEMROOT% with %WINDIR%; it's not working either. But when I replace the variable with c:\windows...... it's working. Can you test this on your side?

karlisi 26 Posted September 10, 2013
There are exclusions already defined in the default ERAS policies; they are the same ones you are trying to write. See under Windows Server 4.5 -> Server protection -> Server -> Automatic exclusions. These rules will make correct exclusions no matter whether you have your AD folders in the Windows directory or on a separate partition.

Pierre 0 Author Posted September 10, 2013
If I'm not mistaken, the ESET Automatic Exception List doesn't point at %systemroot%\Sysvol\Domain but at %systemroot%\Sysvol\Sysvol

karlisi 26 Posted September 11, 2013
OK, you are right. Tested your exclusions, not working for me either. Found this: hxxp://www.wilderssecurity.com/showpost.php?p=2043414&postcount=6

> Re: Setting Exceptions, wildcards and system variables.
> I asked ESET's tech support the same question and here is part of their reply. So it looks like v5 will be able to handle this. For now I manually added the exceptions for each staff member (20), but once v5 is available this should be easier to configure properly.
> -------
> Thank you for contacting ESET Customer Care. Unfortunately environment variables are not supported in ESET 4.x or below products. ESET version 5 products will be supporting Environment variables. Currently the only variables ESET recognises are "*" and "?" without the "".

ESET File Security major version is 4 and, despite what Marcos is saying later in that thread from Wilders Security, system variables don't work on EFSW 4.5.
Edited September 11, 2013 by karlisi

karlisi 26 Posted September 11, 2013
> If I'm not mistaken, the ESET Automatic Exception List doesn't point at %systemroot%\Sysvol\Domain but at %systemroot%\Sysvol\Sysvol

As for your exclusions, you want to exclude exactly the same files which are in the ESET automatic exclusions. %systemroot%\Sysvol\Domain leads to the same place as %systemroot%\Sysvol\Sysvol\<your domain name>\

Pierre 0 Author Posted September 11, 2013
You are right, I did not take the time to check that before trying to implement these exclusions; they effectively lead to the same place. Thanks. Also, I received an email from ESET support about the issue of using system variables in File Security for Microsoft® Windows® Server 4.5. You can see below a small part of the email:

> We can now confirm that it is not possible to create an exclusion in format %windir%\*.* in server products (v4 branch), however it is possible to do that in Endpoint products (v5). A request to add this option in v5 of server products has been sent to development.

PS: they mean V4

Pierre 0 Author Posted September 11, 2013
Before implementing this antivirus on my DC, I created a virtual env. to test it. I think the automatic exclusion is not good, because if I understand correctly how the exclusion works, it is like this. For example, the automatic exclusion adds this rule:

%systemroot%\Sysvol\Sysvol\*.inf

This means that all INF files in the current folder (not subfolders) are excluded. But what we need is all subfolders, not only the current folder. The rule should be:

%systemroot%\Sysvol\Sysvol\*\*.inf

The /* means all subfolders. Am I wrong..? What I don't understand in the rule that is created by the automatic exclusion list (for DC)

karlisi 26 Posted September 12, 2013
You are right, seems like a bug in ESET RA.

karlisi 26 Posted January 3, 2014
In these 3 months there was some exchange of emails between me and ESET Latvian support. I gave them some additional information and that's all, no feedback. Still waiting and hoping someone at ESET is working on this problem.
Edited January 3, 2014 by karlisi

karlisi 26 Posted January 13, 2014
Received an answer from ESET support. This bug will be fixed in the next ERAS version.

karlisi 26 Posted February 14, 2014
Sorry to say, in ERAS 5.1.38, released yesterday, the bug is still not fixed; exclusions for Windows AD controllers are wrong.
Edited February 14, 2014 by karlisi

Administrators Marcos 5,451 Posted February 14, 2014
For me system variables work fine even with older versions of ERA and Endpoint. I've pushed a configuration with %windir%\* excluded and eicar wasn't detected in c:\windows afterwards. However, this doesn't work with v4 so we can conclude that using system variables for exclusions in configuration files was first supported in Endpoint products.

karlisi 26 Posted February 17, 2014
System variables in exclusions in general are OK. Perhaps I should start a new thread for this problem, the bug in default exclusions for Windows Active Directory domain controllers.