How to manage file and folder exclusions in VirusScan Enterprise 8.x using wildcards

Technical Articles ID:   KB50998
Last Modified:  1/3/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.x

Summary

This article provides guidance on creating file and folder exclusions with VSE.
 
NOTE: 
  • The file and folder exclusions detailed in this article are not applicable to Potentially Unwanted Programs (PUPs). PUP exclusions can only be set for specific detection names.
  • If ePolicy Orchestrator (ePO) manages your computer, the instructions below must be applied through ePO. Applying the instructions locally on an ePO-managed computer results in your changes being overwritten.

Solution

Create an exclusion:
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Right-click On-Access Scanner and select Properties.
  3. Click All Processes, Detection, Exclusions.

When setting exclusions, there are two wildcard exclusion symbols used in VSE:
  • Single asterisk: *
  • Double asterisk: **
The sections below explain how to use these wildcards correctly.

NOTE: Exclusions are not case sensitive. However, if you use environment variables in an exclusion, it is best practice to type these variables in lowercase.

Single asterisk
 
  • Directory exclusions
    A single asterisk (*) wildcard can be used to denote single directory names.

    For example, the exclusion c:\directory1\*\directory2\ would exclude all the following folders:

    c:\directory1\shandy\directory2\
    c:\directory1\roger\directory2\
    c:\directory1\tiger\directory2\
    c:\directory1\thomas\directory2\



    NOTE:
    • Trailing backslashes are mandatory for folder exclusions to work successfully.
    • Without the ending backslash, VSE and ePO treat the entry as a file exclusion.
    • If no backslash is used when configuring VSE locally, the Include subfolders option remains grayed out. Care is needed when configuring folder exclusions via ePO because the Include subfolders option does not gray out.
       
      Earlier versions would inadvertently allow selecting this option even when no backslash was used.
       
  • File exclusions
    A single asterisk (*) wildcard can be used to denote partial file name matches or wildcard extension matches, for example:

    c:\windows\abc*.rtf
    c:\windows\abc.*

    Do not use trailing backslashes for file name matches. Doing so results in VSE excluding the wrong items. To clarify this important point, examine the following two examples:

    c:\windows\abc
    c:\windows\abc\

    The first exclusion would be treated as a file name, and the second would be treated as a directory.

Double Asterisk
  • Directory exclusions
    Double asterisks (**) allow a wider folder exclusion called a Multiple Depth Exclusion. Use this type of exclusion when the same target folder name might occur multiple times in subfolders originating from a common folder.

    Example: A thumbnail directory called thumbs can exist under one or more subfolders at any depth in the folder structure of a photo application:

    c:\program files\photo-program\library\animals\thumbs\
    c:\program files\photo-program\library\clothes\tshirts\thumbs\
    c:\program files\photo-program\library\clothes\trousers\thumbs\
    c:\program files\photo-program\library\clothes\trousers\green\thumbs\


    The following example uses a double asterisk to exclude the contents of any folder named thumbs under the library folder of the photo application:

    c:\program files\photo-program\library\**\thumbs\


    NOTE: To ensure that VSE handles thumbs as a folder and not a file, include a trailing backslash.
     
Extensions
  • Extension exclusions
    McAfee recommends that you exclude items by file type when you need to exclude all files with a specific extension, such as files created and used exclusively by a single application. This approach excludes only the required file types and has the least impact on system performance.

    A common error when configuring exclusions for file extensions is to exclude extensions in the same way as file and folder exclusions. For example, if an application writes data to files with the extensions SRTT and SRTS, it might at first seem logical to create the following exclusions:

    **\*.SRTT - To exclude all files with SRTT extension in any directory or subdirectory
    **\*.SRTS - To exclude all files with SRTS extension in any directory or subdirectory


    These exclusions work, but can have a negative effect on performance. A large list of individual exclusions is also more difficult to manage. In this example, it is far more efficient to add a new File Type exclusion for SRT only.

    SRT - To exclude all files with an extension starting with SRT in any directory or subdirectory 
     

    IMPORTANT:
     
    • There is a three-character limit to excluded File Type extensions.
    • The three-letter extension limitation is automatically enforced when you enter the extension to exclude.
    • All files with extensions starting with SRT are excluded despite the three-character limitation. In this example, that includes .SRTT and .SRTS.

Question Mark
The question mark (?) is used for single character replacement within file names and folders. This wildcard character gives you a finer degree of control over exclusions.
  • Directory exclusions

    You might need to exclude a series of sequentially named sub-folders without excluding the contents of the parent folder.

    Example:

    C:\program files\application\cache\tmp1\
    C:\program files\application\cache\tmp2\
    C:\program files\application\cache\tmp3\
    C:\program files\application\cache\tmp4\



    The best method for this exclusion would be to create the following exclusion:

    c:\program files\application\cache\tmp?\


    This exclusion excludes any folders below the cache folder that match tmp? (in this example, tmp1, tmp2, tmp3 and tmp4).

     
  • File extension exclusions
    You can use the wildcard for any of the three characters, so the following would be valid:

    AB?
    A?C
    ?BC

    Although it is possible to use two question mark wildcards (??) as shown below, McAfee does not recommend this approach because the scope of the exclusion is too broad:

    A??
    ??C
    ?B?
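
The file and folder wildcard rules described in this article, modelled as an added Python example (not McAfee code and not VSE's matching engine), so a planned exclusion list can be checked against sample paths before it is deployed. The function names, the sample paths, the include_subfolders parameter and the treatment of ** as spanning any number of directory levels are assumptions made for illustration.

```python
import re

# Wildcard semantics as described in the article (a model, not VSE's engine).
TOKENS = {
    "**": ".*",        # assumed: may span several directory levels
    "*": r"[^\\]*",    # stays inside a single directory or file name
    "?": r"[^\\]",     # exactly one character
}

def kind(entry):
    """A trailing backslash makes the entry a folder exclusion, otherwise a file."""
    return "folder" if entry.endswith("\\") else "file"

def to_regex(entry, include_subfolders=False):
    """Translate one exclusion entry into a case-insensitive regex."""
    body = re.sub(r"\*\*|\*|\?|[^*?]+",
                  lambda m: TOKENS.get(m.group()) or re.escape(m.group()),
                  entry)
    if kind(entry) == "folder":
        # A folder exclusion covers the folder's contents, not the folder name.
        body += ".+" if include_subfolders else r"[^\\]+"
    return re.compile(body + r"\Z", re.IGNORECASE)

def is_excluded(entry, path, include_subfolders=False):
    return to_regex(entry, include_subfolders).match(path) is not None

def audit(entries, paths):
    """Map each entry to (kind, paths it would exclude) for review."""
    return {e: (kind(e), [p for p in paths if is_excluded(e, p)]) for e in entries}

# Constructed sample data based on the article's examples.
ENTRIES = r"""
c:\directory1\*\directory2\
c:\windows\abc
c:\windows\abc\
c:\program files\photo-program\library\**\thumbs\
c:\program files\application\cache\tmp?\
""".strip().splitlines()

PATHS = r"""
c:\directory1\roger\directory2\report.doc
c:\directory1\a\b\directory2\report.doc
c:\windows\abc
c:\windows\abc\notes.txt
c:\program files\photo-program\library\clothes\trousers\green\thumbs\1.jpg
c:\program files\application\cache\tmp3\x.dat
c:\program files\application\cache\tmp10\x.dat
""".strip().splitlines()

if __name__ == "__main__":
    for entry, (k, hits) in audit(ENTRIES, PATHS).items():
        print(f"{k:6} {entry}\n       -> {hits}")
```

Running it shows that c:\windows\abc and c:\windows\abc\ cover different items, and that tmp?\ covers tmp3 but not tmp10.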
