Understanding High-Risk, Low-Risk, and Default process configuration and use

Technical Articles ID: KB55139
Last Modified: 3/21/2022

Environment

Endpoint Security (ENS) Threat Prevention 10.x
VirusScan Enterprise (VSE) 8.x

Summary

Unless configured otherwise, ENS/VSE uses the On-Access Default Processes policies. The scanning configuration for this policy applies to all processes, including any file activity from those processes.

Implementing the High-Risk Processes and Low-Risk Processes policies offers a means to configure the on-access scanner and streamline computer performance. For example, you can use the Low-Risk Processes policy to disable both scan on read and scan on write for any process added to the policy. This configuration allows the process to run while preventing scanning of the disk activity caused by the process.

NOTE: This note applies to ENS Threat Prevention only. When using the Low-Risk Processes policy in the manner described above, don't add exclusions to the policy. Doing so can unintentionally introduce performance overhead, as the scanner has to validate the exclusion list. The exclusions aren't needed, because the disk activity caused by the processes added to the Low-Risk Processes policy isn't being scanned.

The scenarios below can help you understand High-Risk Processes and Low-Risk Processes policies.

Video Tutorial

NOTE: The availability of the video above might depend on the region from which you're viewing it.

Solution 1

Scenario 1 - The Low-Risk Processes policy is configured with Scan on READ disabled. We use Backup.exe as an example process.

With only the Default Processes policy in use, start Backup.exe. ENS/VSE scans Backup.exe. The Backup.exe process now runs and begins the backup process, which performs a READ action on all files on the drive. ENS/VSE then scans each file as it's READ by Backup.exe.

With Backup.exe added to the Low-Risk Processes policy:

Add Backup.exe to a Low-Risk profile, with the option Scan on READ disabled.
Start Backup.exe. ENS/VSE scans the Backup.exe process.

The Backup.exe process now runs and begins the backup process, which performs a READ action on all files on the drive. ENS/VSE recognizes that Backup.exe is a Low-Risk process. Because this profile is configured not to Scan on READ, no scan occurs when Backup.exe reads files for backup.

What Risks Does This Scenario Introduce?
Risk 1 - Assuming there’s a virus/trojan with an executable file named Backup.exe:

First, the virus/trojan would need to be written to the drive. If written to the drive:
- ENS/VSE detects the writing to the drive if the DATs include detection for the threat.
- ENS/VSE denies the file creation if the method used to create this file breaches an Access Protection rule.
The file would have to be executed (or read) so it can propagate and deliver its payload. If executed:
- ENS/VSE detects the execution if the DATs include detection for the threat.
- ENS/VSE denies the file execution if the method used to start the file breaches an Access Protection rule.
  
  NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
The virus/trojan Backup.exe now runs and tries to modify files:
- ENS/VSE detects the running if the DATs include detection for the threat. Modifying files is a WRITE operation, and in this scenario, only Scan on READ is disabled for Low-Risk processes.
- ENS/VSE denies the change if an Access Protection rule exists to prevent the behavior.
  
  NOTE: The virus/trojan has executed and might be running in memory. But, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus/trojan is found, it’s removed from memory as part of the cleanup process.

Risk 2 - An infected file has been stored on the drive:
This risk means the Backup.exe process can successfully READ and back up an infected file because Backup.exe is a Low-Risk process. This scanning policy doesn’t Scan on READ.

You can mitigate the risk by running an on-demand scan before you perform a backup:

Perform a full on-demand scan once to set a baseline from which all files are clean.
Configure the scan to exclude files by age that have been modified since the last backup. This configuration makes sure that the scans are short in duration because they only access relevant files.

Running this task before a backup reduces the likelihood of an infected file being backed up.

Solution 2

Scenario 2 - Use the Low-Risk Processes policy to implement an exclusion. We use the Agent.exe process as an example process that performs many file I/O WRITE actions to a commonly used folder C:\Temp on client computers.

With only the Default Processes policy in use:

The Agent.exe process writes a file to C:\Temp.
ENS/VSE scans the file.
The Agent.exe writes more data to the same file in C:\Temp.
ENS/VSE scans the file again.

ENS/VSE scans each file write because the file is new or has been modified. This scan occurs for each change to the original file and for any newly created files.

The activity generated by this process can cause the scanner to use large quantities of system resources. The reason is because of the number of scans needed for each file.

With Agent.exe added to the Low-Risk Processes policy:
You can add the Agent.exe process to the Low-Risk Processes to alleviate the performance issue. There are several possible methods:

Exclude C:\Temp from WRITE operations.
Exclude C:\Temp\**.TMP from WRITE operations.
Exclude .TMP files.

The solution that creates the least risk is to exclude C:\Temp\**.TMP from WRITE operations. Only exclude .TMP files found in the C:\Temp folder from scanning when they’re being written to the disk with Agent.exe.

What Risks Does This Scenario Introduce?
It’s possible for an unknown threat with a process named Agent.exe to write or modify .TMP files in the C:\Temp folder and avoid being scanned.

Risk 1 - Assuming there’s a virus/trojan with an executable file named Agent.exe:

First, the virus/trojan would have to be written to the disk. If written to the disk:
- ENS/VSE detects the writing to the disk if the DATs include detection for the threat.
- ENS/VSE denies the file creation if the method used to create this file breaches an Access Protection rule.
The file would have to be executed (or read) so it can propagate and deliver its payload. If executed:
- ENS/VSE detects the execution if the DATs include detection for the threat.
- ENS/VSE denies the file execution if the method used to start the file breaches an Access Protection rule.
  
  NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
The virus/trojan Agent.exe now runs. It tries to write .JPG and .DOC files to the C:\Temp folder.
- ENS/VSE detects the running if the DATs include detection for the threat. The exclusion only involves .TMP files that are written to the folder.
- ENS/VSE denies the file WRITE if an Access Protection rule exists for this behavior.
  
  NOTE: The virus/trojan has executed and might be running in memory. But, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus/trojan is found, it’s removed from memory as part of the cleanup process.

Risk 2 - A READ action occurs to execute the infected file:

ENS/VSE detects this execution if the DATs include detection for the threat. READ actions aren’t excluded.
ENS/VSE denies the READ if an Access Protection rule exists for this behavior.

IMPORTANT: There’s some risk associated with using the High-Risk / Low-Risk Processes policies. Generally, the risk is minimal and you must assess it on a case-by-case basis. To obtain better product performance, you must determine the degree of acceptable risk.

Related Information

Third-party applications can exhibit performance issues when run concurrently with ENS/VSE. But, an improvement can be seen when the application-specific processes are added to the Low-Risk Processes policy.

Simply adding an application to the list of Low-Risk Processes doesn’t change the behavior of the on-access scanner. One or more options must be changed for Low-Risk processes to affect performance.

Related Articles:

Affected Products

Configuration
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Known Issue/Product Defect
VirusScan Enterprise 8.8 (EOL)

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Knowledge Center

Understanding High-Risk, Low-Risk, and Default process configuration and use

Environment

Summary

Video Tutorial

Solution 1

Solution 2

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Understanding High-Risk, Low-Risk, and Default process configuration and use

Environment

Summary

Video Tutorial

Solution 1

Solution 2

Related Information

Affected Products

Languages:

Choose your region

Title

Title