Scenario 2 - Use the Low-Risk Processes policy to implement an exclusion. The Agent.exe process is used as an example of a process that performs many file I/O WRITE actions to a commonly used folder, C:\Temp, on client computers.
With only the Default Processes policy in use:
- The Agent.exe process writes a file to C:\Temp.
- VirusScan scans the file.
- The Agent.exe writes more data to the same file in C:\Temp.
- VirusScan scans the file again.
VirusScan scans on each file write because the file is new or has been modified. This scan occurs for every change to the original file and for every newly created file.
The activity generated by this process can cause the scanner to consume large quantities of system resources, because of the number of scans required for each file.
With Agent.exe added to the Low-Risk Processes policy:
Adding the Agent.exe process to the Low-Risk Processes policy alleviates the performance issue. There are several possible exclusions:
- Exclude C:\Temp from WRITE operations.
- Exclude C:\Temp\**.TMP from WRITE operations.
- Exclude .TMP files.
The solution that creates the least risk is to exclude C:\Temp\**.TMP from WRITE operations. This excludes only .TMP files in the C:\Temp folder from scanning, and only while they are being written to disk by Agent.exe; reads of those files, and writes of any other file type, are still scanned.
What Risks Does This Scenario Introduce?
It is possible for an unknown threat with a process named Agent.exe to write or modify .TMP files in the C:\Temp folder without being scanned.
Risk 1: Assume there is also a virus or trojan with an executable file named Agent.exe:
- First, the virus or trojan has to be written to disk. If it is written to disk:
  - VirusScan detects the write if the DATs include detection for the threat.
  - VirusScan denies the file creation if the method used to create the file breaches an Access Protection rule.
- The file then has to be executed (or read) so that it can propagate and deliver its payload. If it is executed:
  - VirusScan detects it if the DATs include detection for the threat.
  - VirusScan denies the file execution if the method used to start the file breaches an Access Protection rule.
NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
- Assume the virus or trojan Agent.exe is now running and tries to write .JPG and .DOC files to the C:\Temp folder:
  - VirusScan detects it if the DATs include detection for the threat, because the exclusion covers only .TMP files written to the folder.
  - VirusScan denies the file WRITE if an Access Protection rule exists for this behavior.
NOTE: Even though the virus or trojan has executed and might be running in memory, its activities can still be interrupted when the DATs are updated or when a new Access Protection rule is implemented. When the DATs are updated and the virus or trojan is detected, it is terminated from memory as part of the cleanup process.
Risk 2: A READ action occurs to execute the infected file:
- VirusScan detects the execution if the DATs include detection for the threat. READ actions are not excluded.
- VirusScan denies the READ if an Access Protection rule exists for this behavior.
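The following Python model is an added example, not part of the original article or of the VirusScan product. It evaluates the three candidate exclusions listed above against a handful of constructed I/O events (the legitimate .TMP write, the Risk 1 .DOC write, the Risk 2 READ, and a .TMP write outside C:\Temp) and shows which events each exclusion lets past the on-access scanner. The wildcard translation assumes the documented VSE rules (** spans folder levels, * does not, ? is one character); option 3 has no WRITE qualifier on the page, so it is modelled as applying to every operation. The event names, paths and the Default Processes policy having no exclusions are assumptions of this model.

```python
import re
from dataclasses import dataclass

READ, WRITE = "READ", "WRITE"


def vse_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a VSE-style exclusion path into an anchored, case-insensitive regex.

    Assumed wildcard semantics (restating the VSE product guide rules):
      **  zero or more characters, including backslashes (crosses folder levels)
      *   zero or more characters except a backslash (stays in one folder level)
      ?   exactly one character other than a backslash
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Exclusion:
    path_pattern: str
    on_write: bool = True   # skip scanning while the file is being written
    on_read: bool = True    # skip scanning while the file is being read or executed


@dataclass(frozen=True)
class ProcessPolicy:
    processes: frozenset    # image names assigned to this Low-Risk Processes policy
    exclusions: tuple


@dataclass(frozen=True)
class FileEvent:
    process: str
    path: str
    op: str                 # READ or WRITE


def is_scanned(policy: ProcessPolicy, ev: FileEvent) -> bool:
    """True if on-access scanning still inspects this I/O under the policy.

    A process not assigned to the Low-Risk policy falls back to the Default
    Processes policy, which in this model (an assumption) has no exclusions.
    """
    if ev.process.lower() not in policy.processes:
        return True
    for ex in policy.exclusions:
        applies = ex.on_write if ev.op == WRITE else ex.on_read
        if applies and vse_pattern_to_regex(ex.path_pattern).match(ev.path):
            return False
    return True


LOW_RISK = frozenset({"agent.exe"})

# The three candidate exclusions from the scenario.
OPTIONS = {
    "folder":     ProcessPolicy(LOW_RISK, (Exclusion(r"C:\Temp\**", on_read=False),)),      # option 1
    "folder_tmp": ProcessPolicy(LOW_RISK, (Exclusion(r"C:\Temp\**.TMP", on_read=False),)),  # option 2
    "any_tmp":    ProcessPolicy(LOW_RISK, (Exclusion(r"**.TMP"),)),                        # option 3
}

# Constructed events: the legitimate hot path plus the risk cases discussed in the text.
EVENTS = {
    "legit_tmp_write":     FileEvent("Agent.exe",    r"C:\Temp\job0001.tmp",         WRITE),
    "risk1_doc_write":     FileEvent("Agent.exe",    r"C:\Temp\invoice.doc",         WRITE),
    "risk2_tmp_read":      FileEvent("Agent.exe",    r"C:\Temp\job0001.tmp",         READ),
    "tmp_write_elsewhere": FileEvent("Agent.exe",    r"C:\Users\Public\payload.tmp", WRITE),
    "other_process":       FileEvent("explorer.exe", r"C:\Temp\anything.tmp",        WRITE),
}


def unscanned(option: str) -> set:
    """Names of the constructed events that bypass scanning under one option."""
    policy = OPTIONS[option]
    return {name for name, ev in EVENTS.items() if not is_scanned(policy, ev)}


def least_exposure() -> str:
    """Option that still excludes the legitimate write but lets the fewest events past the scanner."""
    viable = [o for o in OPTIONS if "legit_tmp_write" in unscanned(o)]
    return min(viable, key=lambda o: len(unscanned(o)))


if __name__ == "__main__":
    for option in OPTIONS:
        print(f"{option:11s} bypasses scanning for: {sorted(unscanned(option))}")
    print("least exposure:", least_exposure())
```

Running the block shows that option 1 also waives scanning of the .DOC write (Risk 1), option 3 waives the READ that executes the file (Risk 2) and any .TMP write anywhere on the disk, while option 2 waives only the write of .TMP files into C:\Temp by Agent.exe. The explorer.exe event is scanned under every option because the exclusion belongs to the Low-Risk Processes policy, not to the path.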
IMPORTANT: There is some risk associated with using the High-Risk and Low-Risk Processes policies. Generally the risk is minimal, but you must assess it on a case-by-case basis. To obtain the wanted product performance, you must determine the degree of risk that is acceptable.