Potentially Unwanted Programs continue to be detected when excluded by name only

Technical Articles ID: KB50383
Last Modified: 4/7/2017

Environment

McAfee VirusScan Enterprise (VSE) 8.x

For details of VSE 8.x supported environments, see KB51111.

Problem

Potentially Unwanted Programs (PUPs) that have been excluded in the Unwanted Programs Policy continue to be detected even though the correct filename has been used to exclude the flagged unwanted program.

Problem

Current DAT files contain a driver for detection of what product development team has deemed an unwanted program.

Problem

Unable to exclude a Remote Administration Program via Unwanted Programs Policy.

Cause

Adding exclusions for unwanted programs by filename or by directory does not work. Although the VSE 8.x Product Guide tells users to specify the exact name of the file or program to exclude detection, you must also exclude the name of the process for exclusion to work correctly.

When installing some utilities used for legitimate reasons, such as remote administration tools, VSE may detect these as PUPs due to the way they may have be used in conjunction with malware. After a utility is installed and a detection occurs, it is written to two different logs depending on how the detection happened. Separate logs are created for the On-Access Scanner and the On-Demand Scanner:

OnAccessScanlog.txt
Ondemandscanlog.txt

Default log location: c:\documents and settings\all users\application data\McAfee\virusscan

Example of a log entry for a PUP detection TightVNC:

3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)

Analysis of the Log information

vncviewer.exe	Filename
RemAdm-TightVNC	Detection name contained in the DAT
(Remote Admin Tool)	Group this Unwanted Program is associated with in the DAT

Solution

To add the correct exclusion for the Unwanted Program, look in the On-Access or On-Demand log file for the detection name at the time that the detection triggered.

Example: This is a detection for TightVNC.

3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)

Solution

Exclude a single detection

Identify the detection name in the VSE log file using the filename:
1. To identify the detection name, locate the VSE On-Access (OnAccessScanlog.txt) or On-Demand (Ondemandscanlog.txt) log file.
  
  Default log location: c:\documents and settings\all users\application data\McAfee\virusscan
2. Search for the file name to locate the detection name that should be excluded.
  
  Example filename: vncviewer.exe
  
  Example VSE log entry:
  3/6/2007 4:50:17 PM No Action Taken ??????????\\administrator C:\WINDOWS\Explorer.EXE C:\Program Files\TightVNC\vncviewer.exe RemAdm-TightVNC (Remote Admin Tool)
  
  The detection name in this example is: RemAdm-TightVNC.
Add the detection name as an exclusion:
1. Click Start, Programs, McAfee, VirusScan Console.
2. Right-click Unwanted Programs Policy and select Properties.
3. On the Detection tab in the lower-right corner, click Exclusions.
4. In the Set Unwanted Program Exclusions window, click Add.
5. In the Unwanted Program Exclusions window type the detection name.
  
  Example: RemAdm-TightVNC
  
  Alternatively click Browse and select the detection name from the displayed list of PUPs and click OK. You can refine the list of displayed names by selecting only the required Group in the Filter List. Ensure that you select the other groups again after you locate and select the detection name.
6. Click OK to close the Unwanted Program Exclusions window.
7. Click OK to close the Set Unwanted Program Exclusions dialog.
8. Click Apply, OK to close the Unwanted Programs Policy.

Solution

Exclude a Category (PUP Group)
It is possible to make broader exclusions. For security purposes, The product development team recommends that you keep exclusions to an absolute minimum.

WARNING: Allowing entire categories of programs is potentially very dangerous and is entirely at your own risk.

To disable Unwanted Program detections by category:

Click Start, Programs, McAfee, VirusScan Console.
Right-click Unwanted Programs Policy and select Properties.
Deselect the category to be excluded.

Available categories:
- Spyware
- Adware
- Remote Administration Tools
- Dialers
- Password crackers
- Jokes
- Key Loggers
- Other Potentially Unwanted Programs
Click Apply and then click Close.
Exit the VirusScan Console.

Related Information

Related articles about exclusions:

KB52744 - On Access Scanner exclusions with variable %ProgramFiles% defaults to %ProgramFiles(x86)% on a 64-bit operating system
KB54812 - How to use wildcards when creating exclusions in VirusScan Enterprise 8.x
KB79589 - How to make On Access Scanner (real-time) exclusions more secure

Affected Products

VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Potentially Unwanted Programs continue to be detected when excluded by name only

Environment

Problem

Problem

Problem

Cause

Solution

Solution

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Potentially Unwanted Programs continue to be detected when excluded by name only

Environment

Problem

Problem

Problem

Cause

Solution

Solution

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title