Loading...

Knowledge Center

Potentially Unwanted Programs continue to be detected when excluded by name only
Technical Articles ID:   KB50383
Last Modified:  4/7/2017
Rated:

Environment

McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.

Problem

Potentially Unwanted Programs (PUPs) that  have been excluded in the Unwanted Programs Policy continue to be detected even though the correct filename has been used to exclude the flagged unwanted program.

Problem

Current DAT files contain a driver for detection of what product development team has deemed an unwanted program.

Problem

Unable to exclude a Remote Administration Program via Unwanted Programs Policy.

Cause

Adding exclusions for unwanted programs by filename or by directory does not work. Although the VSE 8.x Product Guide tells users to specify the exact name of the file or program to exclude detection, you must also exclude the name of the process for exclusion to work correctly.
 
When installing some utilities used for legitimate reasons, such as remote administration tools, VSE may detect these as PUPs due to the way they may have be used in conjunction with malware. After a utility is installed and a detection occurs, it is written to two different logs depending on how the detection happened. Separate logs are created for the On-Access Scanner and the On-Demand Scanner:
  • OnAccessScanlog.txt
  • Ondemandscanlog.txt
Default log location: c:\documents and settings\all users\application data\McAfee\virusscan

Example of a log entry for a PUP detection TightVNC:

3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)

Analysis of the Log information
vncviewer.exe                   Filename
RemAdm-TightVNC Detection name contained in the DAT
(Remote Admin Tool) Group this Unwanted Program is associated with in the DAT

Solution

To add the correct exclusion for the Unwanted Program, look in the On-Access or On-Demand log file for the detection name at the time that the detection triggered.

Example: This is a detection for TightVNC.
3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)

Solution

Exclude a single detection
  1. Identify the detection name in the VSE log file using the filename:
     
    1. To identify the detection  name, locate the VSE On-Access (OnAccessScanlog.txt) or On-Demand (Ondemandscanlog.txt) log file.
       
      Default log location: c:\documents and settings\all users\application data\McAfee\virusscan
       
    2. Search for the file name to locate the detection name that should be excluded.
       
      Example filename: vncviewer.exe
       
      Example VSE log entry:
      3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)
       
      The detection name in this example is: RemAdm-TightVNC.
       
  2. Add the detection name as an exclusion:
     
    1. Click Start, Programs, McAfee, VirusScan Console.
    2. Right-click Unwanted Programs Policy and select Properties.
    3. On the Detection tab in the lower-right corner, click Exclusions.
    4. In the Set Unwanted Program Exclusions window, click Add.
    5. In the Unwanted Program Exclusions window type the detection name.
       
      Example: RemAdm-TightVNC
       
      Alternatively click Browse and select the detection name from the displayed list of PUPs and click OK. You can refine the list of displayed names by selecting only the required Group in the Filter List. Ensure that you select the other groups again after you locate and select the detection name.
       
    6. Click OK to close the Unwanted Program Exclusions window.
    7. Click OK to close the Set Unwanted Program Exclusions dialog.
    8. Click Apply, OK to close the Unwanted Programs Policy.

Solution

Exclude a Category (PUP Group)
It is possible to make broader exclusions. For security purposes, The product development team recommends that you keep exclusions to an absolute minimum.

WARNING: Allowing entire categories of programs is potentially very dangerous and is entirely at your own risk.

To disable Unwanted Program detections by category:  
  1. Click Start, Programs, McAfee, VirusScan Console
  2. Right-click Unwanted Programs Policy and select Properties.
  3. Deselect the category to be excluded.

    Available categories:
     
    • Spyware
    • Adware
    • Remote Administration Tools
    • Dialers
    • Password crackers
    • Jokes
    • Key Loggers
    • Other Potentially Unwanted Programs
       
  4. Click Apply and then click Close.
  5. Exit the VirusScan Console.

Related Information

Related articles about exclusions:
  • KB52744 - On Access Scanner exclusions with variable %ProgramFiles% defaults to %ProgramFiles(x86)% on a 64-bit operating system
  • KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x
  • KB79589 - How to make On Access Scanner (real-time) exclusions more secure

Rate this document

Affected Products

VirusScan Enterprise 8.8

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.