How to manage file and folder exclusions in VirusScan Enterprise 8.x using wildcards
Technical Articles ID: KB50998
Last Modified: 4/8/2017


Environment

McAfee VirusScan Enterprise (VSE) 8.x

Summary

This article provides guidance on creating file and folder exclusions with VSE.
 
NOTE: 
  • The file and folder exclusions detailed in this article are not applicable to Potentially Unwanted Programs (PUPs). PUP exclusions can only be set for specific detection names.
  • If your computer is managed by ePolicy Orchestrator (ePO), the instructions below must be applied through ePO. Applying the instructions locally on an ePO-managed computer will result in your changes being overwritten.

Solution

Create an exclusion:
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Right-click On-Access Scanner and select Properties.
  3. Click All Processes, Detection, Exclusions.

When setting exclusions, there are two wildcard exclusion symbols used in VSE from version 8.0 onwards:
  • Single asterisk: *
  • Double asterisk: **
The sections below explain how to use these wildcards correctly.

NOTE: Exclusions are not case-sensitive; however, if you are using environment variables in the exclusion, it is best practice to type these in lowercase.


Single asterisk
 
  • Directory exclusions
    A single asterisk (*) wildcard can be used to denote single directory names.

    For example, the exclusion: c:\directory1\*\directory2\ would exclude all of the following folders:

    c:\directory1\shandy\directory2\
    c:\directory1\roger\directory2\
    c:\directory1\tiger\directory2\
    c:\directory1\thomas\directory2\


    NOTE:
    • Trailing backslashes are mandatory for folder exclusions to work successfully.
    • Without the ending backslash, VSE and ePO will treat the entry as a file exclusion.
    • If no backslash is used when configuring VSE locally, the Include subfolders option remains grayed out. Care is needed when configuring folder exclusions via ePO because the Include subfolders option does not gray out.
       
      Earlier versions would inadvertently allow selecting this option even when no backslash was used.
       
  • File exclusions
    A single asterisk (*) wildcard can be used to denote partial filename matches or wildcard extension matches, for example:

    c:\windows\abc*.rtf
    c:\windows\abc.*

    Do not use trailing backslashes for filename matches. Doing so results in VSE excluding the wrong items. To clarify this important point, examine the following two examples:

    c:\windows\abc
    c:\windows\abc\

    The first exclusion would be treated as a filename, and the second would be treated as a directory.


Double Asterisk
  • Directory exclusions
    Double asterisks (**) allow a wider folder exclusion called a Multiple Depth Exclusion. These are exclusions where the same target folder name may occur multiple times in subfolders originating from a common folder.

    Example: A thumbnail directory called thumbs can exist under one or more subfolders at any depth in the folder structure of a photo application:

    c:\program files\photo-program\library\animals\thumbs\
    c:\program files\photo-program\library\clothes\tshirts\thumbs\
    c:\program files\photo-program\library\clothes\trousers\thumbs\
    c:\program files\photo-program\library\clothes\trousers\green\thumbs\

    The following example uses a double asterisk to exclude the contents of any folder named thumbs under the library folder of the photo application:

    c:\program files\photo-program\library\**\thumbs\


    NOTE: Include a trailing backslash to ensure that VSE handles thumbs as a folder and not a file.
     
Extensions
  • Extension exclusions
    McAfee recommends that you use an exclusion by file type to exclude all files with a specific extension, such as those created and used exclusively by a single application. This excludes only the required file types and has the least impact on system performance.

    A common error when configuring exclusions for file extensions is to exclude extensions in the same way as file and folder exclusions. For example, if an application writes data to files with the extensions SRTT and SRTS, it may at first seem logical to create the following exclusions:

    **\*.SRTT (to exclude all files with SRTT extension in any directory or sub-directory)
    **\*.SRTS (to exclude all files with SRTS extension in any directory or sub-directory)


    These exclusions work, but can have a negative effect on performance. A large list of individual exclusions is also more difficult to manage. In this example, it is far more efficient to add a new File Type exclusion for SRT only.

    SRT (exclude all files with an extension starting with SRT in any directory or sub-directory) 
     

    IMPORTANT:
     
    • There is a three-character limit to excluded File Type extensions.
    • The three-letter extension limitation is automatically enforced when you enter the extension to exclude.
    • All files with extensions starting with SRT will be excluded despite the three-character limitation. In this example, this includes .SRTT and .SRTS. 


Question Mark
The question mark (?) is used for single character replacement within filenames and folders. This wildcard character gives you a finer degree of control over exclusions.
  • Directory exclusions

    You might need to exclude a series of sequentially named sub-folders without excluding the contents of the parent folder.

    Example:

    C:\program files\application\cache\tmp1\
    C:\program files\application\cache\tmp2\
    C:\program files\application\cache\tmp3\
    C:\program files\application\cache\tmp4\


    The best method for this exclusion would be to create the following exclusion:

    c:\program files\application\cache\tmp?\


    This excludes any folders below the cache folder that match tmp? (in this example, tmp1, tmp2, tmp3 and tmp4).

     
  • File extension exclusions
    You can use the wildcard for any of the three characters, so the following would be valid:

    AB?
    A?C
    ?BC

    Although it is possible to use two question mark wildcards (??) as shown below, McAfee does not recommend this because the scope of the exclusion is too broad:

    A??
    ??C
    ?B?
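
The Python sketch below is an added example, not McAfee code. It models the file and folder exclusion rules described in this article (trailing backslash, *, ** and ?) so that a proposed exclusion can be checked against sample paths before it is deployed. The function names, the sample paths, the reading of ** as one or more directory levels, and the Include subfolders flag are assumptions; VSE's own matcher may behave differently, and File Type exclusions are not modelled.

```python
import re

def classify(exclusion):
    # Per the article: trailing backslash = folder exclusion, otherwise file.
    return "folder" if exclusion.endswith("\\") else "file"

def to_regex(exclusion, include_subfolders=False):
    body, out, i = exclusion.rstrip("\\"), [], 0
    while i < len(body):
        if body.startswith("**", i):
            out.append(r".+")       # assumption: one or more levels, any depth
            i += 2
        elif body[i] == "*":
            out.append(r"[^\\]*")   # stays within a single file or folder name
            i += 1
        elif body[i] == "?":
            out.append(r"[^\\]")    # exactly one character
            i += 1
        else:
            out.append(re.escape(body[i]))
            i += 1
    if classify(exclusion) == "folder":
        # Assumption: covers files directly in the folder; deeper files only
        # when the "Include subfolders" option is modelled as enabled.
        out.append(r"\\.+" if include_subfolders else r"\\[^\\]+")
    # Exclusions are not case-sensitive.
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

def audit(exclusions, paths, include_subfolders=False):
    """Map each exclusion to the sample paths it would leave unscanned."""
    return {e: [p for p in paths if to_regex(e, include_subfolders).match(p)]
            for e in exclusions}

# Constructed sample paths for illustration (not from the article).
SAMPLE_PATHS = [
    r"c:\windows\abc",
    r"c:\windows\abc\data.bin",
    r"C:\Windows\ABCnotes.rtf",
    r"c:\directory1\roger\directory2\a.log",
    r"c:\directory1\roger\deep\directory2\a.log",
    r"c:\program files\photo-program\library\clothes\trousers\green\thumbs\1.db",
    r"c:\program files\application\cache\tmp3\x.tmp",
    r"c:\program files\application\cache\tmp10\x.tmp",
]

if __name__ == "__main__":
    rules = [r"c:\windows\abc", r"c:\windows\abc" + "\\", r"c:\directory1\*\directory2" + "\\"]
    for rule, hits in audit(rules, SAMPLE_PATHS).items():
        print(classify(rule), rule, hits)
```

Running the audit over an inventory of real paths from a representative host shows how much each exclusion removes from scanning, which is the quickest way to catch an entry that was meant as a folder but was saved as a file.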
