Potentially unwanted programs continue to be detected when excluded by name only

Technical Articles ID: KB50383
Last Modified: 7/21/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.

Problem

Potentially unwanted programs that have been excluded in the Unwanted Programs Policy continue to be detected. They are detected even though the correct file name has been used to exclude the flagged unwanted program.

Problem

Current DAT files contain a driver for detection of what product development team has deemed an unwanted program.

Problem

You are unable to exclude a Remote Administration Program via the Unwanted Programs Policy.

Cause

The addition of exclusions for unwanted programs by file name or by directory does not work. Although the VSE 8.x Product Guide tells you to specify the exact name of the file or program to exclude detection, you must also exclude the name of the process for exclusion to work correctly.

When you install some utilities used for legitimate reasons, such as remote administration tools, VSE might detect the utilities as PUPs due to the way they might have been used with malware. After a utility is installed and a detection occurs, it is written to two different logs depending on how the detection happened. Separate logs are created for the on-access scanner and the on-demand scanner:

OnAccessScanlog.txt
Ondemandscanlog.txt

Default log location: c:\documents and settings\all users\application data\McAfee\virusscan

Example of a log entry for a potentially unwanted program detection TightVNC:

3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)

Analysis of the Log information

vncviewer.exe	File name
RemAdm-TightVNC	Detection name contained in the DAT
(Remote Admin Tool)	Group this Unwanted Program is associated with in the DAT

Solution

To add the correct exclusion for the Unwanted Program, look in the On-Access or On-Demand log file for the detection name at the time that the detection triggered.

Example: A detection for TightVNC:

3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)

Solution

Exclude a single detection

Identify the detection name in the VSE log file using the file name:
1. To identify the detection name, locate the VSE On-Access (OnAccessScanlog.txt) or On-Demand (Ondemandscanlog.txt) log file.
  
  Default log location: c:\documents and settings\all users\application data\McAfee\virusscan
2. Search for the file name to locate the detection name that must be excluded.
  
  Example file name: vncviewer.exe
  
  Example VSE log entry:
  3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)
  
  The detection name in this example is: RemAdm-TightVNC.
Add the detection name as an exclusion:
1. Click Start, Programs, McAfee, VirusScan Console.
2. Right-click Unwanted Programs Policy and select Properties.
3. On the Detection tab in the lower-right corner, click Exclusions.
4. In the Set Unwanted Program Exclusions window, click Add.
5. In the Unwanted Program Exclusions window, type the detection name.
  
  Example: RemAdm-TightVNC
  
  Click Browse and select the detection name from the displayed list of PUPs and click OK. You can refine the list of displayed names by selecting only the required Group in the Filter List. Make sure that you select the other groups again after you locate and select the detection name.
6. Click OK.
7. Click OK.
8. Click Apply, and click OK.

Solution

Exclude a Category (PUP Group)
It is possible to make broader exclusions. For security purposes, The product development team recommends that you keep exclusions to minimum.

WARNING: Allowing entire categories of programs is potentially dangerous and is entirely at your own risk.

To disable Unwanted Program detections by category:

Click Start, Programs, McAfee, VirusScan Console.
Right-click Unwanted Programs Policy and select Properties.
Deselect the category to be excluded.

Available categories:
- Spyware
- Adware
- Remote Administration Tools
- Dialers
- Password crackers
- Jokes
- Keylogger
- Other Potentially Unwanted Programs
Click Apply and then click Close.
Exit the VirusScan Console.

Related Information

Related articles about exclusions:

KB52744 - On Access Scanner exclusions with variable %ProgramFiles% defaults to %ProgramFiles(x86)% on a 64-bit operating system
KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x
KB79589 - How to make On Access Scanner (real-time) exclusions more secure

Affected Products

VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Potentially unwanted programs continue to be detected when excluded by name only

Environment

Problem

Problem

Problem

Cause

Solution

Solution

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Potentially unwanted programs continue to be detected when excluded by name only

Environment

Problem

Problem

Problem

Cause

Solution

Solution

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title