Can't use Environment Variable for File Exclusion


I have ESET File Security for Microsoft® Windows® Server 4.5.12011 installed on a server, and I am trying, with remote administration v5.0.511, to create a policy with some file exclusions using OS environment variables. It seems that this is not working; I have to use the absolute path.

But the automatic file exclusions use environment variables and are working.


Do you see a problem with this exception list:

%systemroot%\Sysvol\Domain\*\*.adm
%systemroot%\Sysvol\Domain\*\*.admx
%systemroot%\Sysvol\Domain\*\*.adml
%systemroot%\Sysvol\Domain\*\Registry.pol
%systemroot%\Sysvol\Domain\*\*.aas
%systemroot%\Sysvol\Domain\*\*.inf
%systemroot%\Sysvol\Domain\*\Fdeploy.inf
%systemroot%\Sysvol\Domain\*\Scripts.ini
%systemroot%\Sysvol\Domain\*\*.ins
%systemroot%\Sysvol\Domain\*\Oscfilter.ini

I also tried to replace %SYSTEMROOT% with %WINDIR%.

It's not working either.

But when I replace the variable with c:\windows......it's working.

Can you test this on your side?


There are exclusions already defined in the default ERAS policies; they are the same ones you are trying to write. See under Windows Server 4.5 -> Server protection -> Server -> Automatic exclusions. These rules will make correct exclusions no matter whether you have your AD folders in the Windows directory or on a separate partition.


OK, you are right.

Tested your exclusions, not working for me also.

Found this

hxxp://www.wilderssecurity.com/showpost.php?p=2043414&postcount=6

Re: Setting Exceptions, wildcards and system variables.

I asked ESET's tech support the same question and here is part of their reply.

So it looks like v5 will be able to handle this. For now I manually added the exceptions for each staff member (20), but once v5 is available this should be easier to configure properly.

-------
Thank you for contacting ESET Customer Care.
Unfortunately environment variables are not supported in ESET 4.x or below products. ESET version 5 products will be supporting Environment variables. Currently the only variables ESET recognises are "*" and "?" without the "".

ESET File Security major version is 4 and, despite what Marcos is saying later in that thread from Wilders Security, system variables don't work on EFSW 4.5.

Edited by karlisi

If I'm not mistaken, the ESET Automatic Exception List doesn't point at %systemroot%\Sysvol\Domain but at %systemroot%\Sysvol\Sysvol

As for your exclusions, you want to exclude exactly the same files which are in the ESET automatic exclusions.

%systemroot%\Sysvol\Domain leads to the same place as %systemroot%\Sysvol\Sysvol\<your domain name>\


You are right, I did not take the time to check that before trying to implement these exclusions; they effectively lead to the same place.

Thanks. Also, I received an email from ESET support about the issue of using system variables in File Security for Microsoft® Windows® Server 4.5.

You can see a small part of the email below:

We can now confirm that it is not possible to create an exclusion in format %windir%\*.* in server products (v4 branch), however it is possible to do that in Endpoint products (v5).

A request to add this option in v5 of server products has been sent to development.

PS: they mean V4

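Since the replies above confirm that the v4 server product accepts only absolute paths with the `*` and `?` wildcards, the variable-based list can be expanded on the target server before it is entered. The following PowerShell is an added example, not code from any poster or from ESET; the function name `Expand-ExclusionPath`, its output fields and the `%sysvolroot%` entry are hypothetical and used only for illustration.

```powershell
# Added example: expand environment variables in exclusion templates so the
# resulting absolute paths can be used where only "*" and "?" are understood.
# Run it on the server the exclusions are meant for.

$templates = @(
    # Copied from the list posted in this thread.
    '%systemroot%\Sysvol\Domain\*\*.adm',
    '%systemroot%\Sysvol\Domain\*\Registry.pol',
    '%systemroot%\Sysvol\Domain\*\*.inf',
    # Constructed entry with an undefined variable, to show the failure case.
    '%sysvolroot%\Domain\*\Scripts.ini'
)

function Expand-ExclusionPath {
    param([Parameter(Mandatory)][string]$Template)

    $expanded = [Environment]::ExpandEnvironmentVariables($Template)

    # Undefined variables are left in place as %NAME%, so detect leftovers.
    $unresolved = $expanded -match '%[^%\\]+%'

    # Leading directory segments up to the first wildcard; this is the part
    # that must exist on disk for the exclusion to cover anything.
    $fixed = @()
    foreach ($segment in ($expanded -split '\\')) {
        if ($segment -match '[*?]') { break }
        $fixed += $segment
    }
    $base = $fixed -join '\'

    [pscustomobject]@{
        Template   = $Template
        Expanded   = $expanded
        Unresolved = $unresolved
        BaseExists = (-not $unresolved) -and $base -and (Test-Path -LiteralPath $base)
    }
}

$results = $templates | ForEach-Object { Expand-ExclusionPath -Template $_ }
$results | Format-Table -AutoSize

# Absolute paths that are safe to paste into the policy.
$results | Where-Object BaseExists | Select-Object -ExpandProperty Expanded
```

Entries reported with `Unresolved` set or `BaseExists` false should be reviewed before use, because an exclusion that never matches leaves the files scanned without any error being shown.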

Before implementing this antivirus on my DC, I created a virtual environment to test it.

I think the automatic exclusion is not good, because, if I understand correctly, the exclusion works like this:

For example:

The automatic exclusion adds this rule:

%systemroot%\Sysvol\Sysvol\*.inf

This means that all INF files in the current folder (not subfolders) are excluded.

But what we need is all subfolders, not only the current folder. The rule should be:

%systemroot%\Sysvol\Sysvol\*\*.inf

The /* means all subfolders.

Am I wrong..? What don't I understand in the rule that is created by the automatic exclusion list (for DC)?


  • 3 months later...

In these 3 months there was some exchange of emails between me and ESET Latvian support. I gave them some additional information and that's all, no feedback. Still waiting and hoping someone at ESET is working on this problem.

Edited by karlisi

  • 2 weeks later...
  • 1 month later...

Sorry to say, in ERAS 5.1.38, released yesterday, the bug is still not fixed; exclusions for Windows AD controllers are wrong.

Edited by karlisi

  • Administrators

For me system variables work fine even with older versions of ERA and Endpoint. I've pushed a configuration with %windir%\* excluded and eicar wasn't detected in c:\windows afterwards.

However, this doesn't work with v4 so we can conclude that using system variables for exclusions in configuration files was first supported in Endpoint products.


System variables in exclusions in general are OK. Perhaps I should start a new thread for this problem, the bug in default exclusions for Windows Active Directory domain controllers.


This topic is now closed to further replies.