Can't use Environement Variable for File Exclusion

[Pierre 0]

I have ESET File Security for Microsoft® Windows® Server 4.5.12011 installed on server and I try with remote administration v5.0.511

to create policy with some file exclusion using OS environment variable. it seem that is not working, I have to use the absolute path.

 

But automatic file exclusion use Environment variable and is working.

 

[Marcos 5,074]

System variables should work, user variables not as they are not available in the local system account.

[Pierre 0]

Do you see a problem with this execption list:

 

%systemroot%\Sysvol\Domain\*\*.adm
%systemroot%\Sysvol\Domain\*\*.admx
%systemroot%\Sysvol\Domain\*\*.adml
%systemroot%\Sysvol\Domain\*\Registry.pol
%systemroot%\Sysvol\Domain\*\*.aas
%systemroot%\Sysvol\Domain\*\*.inf
%systemroot%\Sysvol\Domain\*\Fdeploy.inf
%systemroot%\Sysvol\Domain\*\Scripts.ini
%systemroot%\Sysvol\Domain\*\*.ins
%systemroot%\Sysvol\Domain\*\Oscfilter.ini

 

 

I also try to replace the %SYSTEMROOT% by %WINDIR%

 

its not working either.

 

but when I replace the variable by c:\wiidows......its working.

 

Can you test this on your side.

[karlisi 26]

There are exclusions already defined in default ERAS policies, they are the same you try to write. See under Windows Server 4.5 -> Server protection -> Server -> Automatic exclusions. These rules will make correct exclusions no matter you have your AD folders in Windows directory or on separate partition.

[Pierre 0]

If I not mistaken the ESET Automatic Exception List doesn't point at %systemroot%\Sysvol\Domain but at %systemroot%\Sysvol\Sysvol

[karlisi 26]

OK, you are right.

 

Tested your exclusions, not working for me also.

 

Found this

hxxp://www.wilderssecurity.com/showpost.php?p=2043414&postcount=6

 

Re: Setting Exceptions, wildcards and system variables.

I asked ESET's tech support the same question and here is part of their reply.

So it looks like v5 will be able to handle this. For now I manually added the exceptions for each staff member (20), but once v5 is available this should be easier to configure properly.

-------
Thank you for contacting ESET Customer Care.
Unfortunately environment variables are not supported in ESET 4.x or below products. ESET version 5 products will be supporting Environment variables. Currently the only variables ESET recognises are "*" and "?" without the "".

 

ESET File Security major version is 4 and, despite what Marcos is saying later in that thread from Wilders Security, system variables don't work on EFSW 4.5.

Edited September 11, 2013 by karlisi

[karlisi 26]

If I not mistaken the ESET Automatic Exception List doesn't point at %systemroot%\Sysvol\Domain but at %systemroot%\Sysvol\Sysvol

 

As of your exclusions, you want to exclude exactly the same files which are in ESET automatic exclusions.

%systemroot%\Sysvol\Domain leads to the same place as %systemroot%\Sysvol\Sysvol\<your domain name>\

[Pierre 0]

You are right, I was not take the time to check that before trying to  implement these exclusion, they effectively leading to the same place.

 

Thanks, also I receive an email from ESET support about the issue on using system variable in File Security for Microsoft® Windows® Server 4.5.

 

You can see below, a small part of the email:

 

We can now confirm that it is not possible to create an exclusion in format %windir%\*.* in server products (v4 branch), however it is possible to do that in Endpoint products (v5).

A request to add this option in v5 of server products has been sent to development.

 

 

PS: they mean V4

[Pierre 0]

Before implementing this antivirus on my DC. I create an Virtual Env. to test it.

 

I think  the automatic exclusion is not good, because If I understand correctly how the exclusion work is:

 

For example:

 

The automatic exclusion add  this rule:

 

%systemroot%\Sysvol\Sysvol\*.inf

 

This mean that all  INF file in the current folder (not subfolder) are excluded.

 

but what we need is all subfolder, not only the current folder. the rule should be:

 

%systemroot%\Sysvol\Sysvol\*\*.inf

 

 

the /*  mean all subfolder

 

 

I am wrong..?   what I don't understand in the rule that is create by  the automatic exclusion list (for DC)

[karlisi 26]

You are right, seems like bug in ESET RA.

[karlisi 26]

Case sent to Customer Support

[karlisi 26]

In these 3 months had some exchange of emails between me and ESET Latvian support. I gave them some additional information and that's all, no feedback. Still waiting and hope someone on ESET is working on this problem.

Edited January 3, 2014 by karlisi

[karlisi 26]

Received answer from ESET support. This bug will be fixed in next ERAS version.

[karlisi 26]

Sorry to say, in ERAS 5.1.38, released yesterday, bug still not fixed, exclusions for Windows AD controllers are wrong.

Edited February 14, 2014 by karlisi

[Marcos 5,074]

For me system variables work fine even with older versions of ERA and Endpoint. I've pushed a configuration with %windir%\* excluded and eicar wasn't detected in c:\windows afterwards.

However, this doesn't work with v4 so we can conclude that using system variables for exclusions in configuration files was first supported in Endpoint products.

[karlisi 26]

System variables in exclusionsin general are OK. Perhaps I should start new thread for this problem, bug in default exclusions for Windows Active Directory domain controllers.