Understanding High-Risk, Low-Risk, and Default processes configuration and use

Scenario 1 - The Low-Risk Processes policy is configured with Scan on READ disabled. Backup.exe is used as an example process.
With only the Default Processes policy in use, start Backup.exe. McAfee VirusScan scans the Backup.exe. The Backup.exe process is now running and begins the backup process, which performs a READ action on all files on the drive. McAfee VirusScan then scans each file as it is READ by Backup.exe.

With Backup.exe added to the Low-Risk Processes policy:

What Risks Does This Scenario Introduce?
Risk 1 - Assuming there is a virus or trojan with an executable file named Backup.exe:

Risk 2 - An infected file has been stored on the drive:
This risk means the Backup.exe process can successfully READ and back up an infected file because Backup.exe is a low risk process. This scanning policy does not Scan on READ.

You can mitigate the risk by running an on-demand scan before you perform a backup:

1. Perform a full on-demand scan once to set a baseline from which all files are clean.
2. So, configure the scan to exclude files by age that were modified since the last backup. This configuration ensures that the scans are short in duration because they only access relevant files.
   
   Running this task before a backup reduces the likelihood of an infected file being backed up.

Scenario 2 - Use the Low-Risk Processes policy to implement an exclusion. The Agent.exe process is used as an example process that performs many file I/O WRITE actions to a commonly used folder C:\Temp on client computers.

With only the Default Processes policy in use:

1. The Agent.exe process writes a file to C:\Temp.
2. VirusScan scans the file.
3. The Agent.exe writes more data to the same file in C:\Temp.
4. VirusScan scans the file again.
   
   VirusScan scans each file write because the file is new or has been modified. This scan occurs for each change to the original file and for any newly created files.
   
   The activity generated by this process can cause the scanner to use large quantities of system resources. The reason is because of the number of scans required for each file.
    

With Agent.exe added to the Low-Risk Processes policy:
The Agent.exe process can be added to the Low Risk Process to alleviate the performance issue. There are several possible methods:

• Exclude C:\Temp from WRITE operations.
• Exclude C:\Temp\**.TMP from WRITE operations.
• Exclude .TMP files.

The solution that creates the least risk is to exclude C:\Temp\**.TMP from WRITE operations. Only exclude .TMP files found in the C:\Temp folder from scanning when they are being written to the disk by Agent.exe.
 

What Risks Does This Scenario Introduce?
It is possible for an unknown threat with a process named Agent.exe to write or modify .TMP files in the C:\Temp folder and avoid being scanned.

Risk 1: Assuming there is also a virus or trojan with an executable file named Agent.exe:

1. First, the virus or trojan would have to be written to disk. If written to disk:
   • VirusScan detects this writing if the DATs included detection for the threat.
   • VirusScan denies the file creation if the method used to create this file is breaching an Access Protection rule 2.
      
2. The file would have to be executed (or read) so it can propagate and deliver its payload. If executed:
   • VirusScan detects if the DATs included detection for the threat.
   • VirusScan denies the file execution if the method used to start the file is breaching an Access Protection rule.
     
     NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
3. The virus or trojan Agent.exe is now running. It tries to write .JPG and .DOC files to the C:\Temp folder.
   • VirusScan detects if the DATs included detection for the threat because the exclusion only involves .TMP files that are written to the folder.
   • VirusScan denies the file WRITE if an Access Protection rule existed for this behavior.
     
     NOTE: Even though the virus or trojan has executed and might be running in memory, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus or trojan is found, it is terminated from memory as part of the cleanup process.

Risk 2: A READ action occurs to execute the infected file:

• VirusScan detects this execution if the DATs included detection for the threat. READ actions are not excluded.
• VirusScan denies the READ if an Access Protection rule existed for this behavior.

IMPORTANT: There is some risk associated with using the High / Low Risk Processes policies. Generally the risk is minimal and you must assess it on a case-by-case basis. To obtain the wanted product performance, you must determine the degree of acceptable risk.