Scenario 2 - Use the
Low-Risk Processes policy to implement an exclusion.
Agent.exe is used as an example process that performs a large number of file I/O WRITE actions to a commonly used folder
C:\Temp on client computers.
With only the
Default Processes policy in use:
- Agent.exe writes a file to C:\Temp.
- VirusScan scans the file.
- Agent.exe writes more data to the same file in C:\Temp.
- VirusScan scans the file again.
VirusScan scans each file write because the file is new or has been modified. This occurs for each modification to the original file as well as for any newly created files.
The activity generated by this process can cause the scanner to use large quantities of system resources because of the number of scans required for each file.
With Agent.exe added to the Low-Risk Processes policy:
Agent.exe can be added to the Low Risk Process to alleviate the performance issue. There are several possible methods:
- Exclude C:\Temp from WRITE operations.
- Exclude C:\Temp\**.TMP from WRITE operations.
- Exclude .TMP files.
The solution that creates the least risk is to exclude C:\Temp\**.TMP from WRITE operations. Only exclude .TMP files found in the C:\Temp folder from scanning when they are being written to the disk by Agent.exe.
What Risks Does This Scenario Introduce?
It is possible for an unknown threat with a process named Agent.exe to write or modify .TMP files in the C:\Temp folder and avoid being scanned.
Risk 1: Assuming there is also a virus/Trojan with an executable file named Agent.exe:
- First, the virus/Trojan would have to be written to disk.
- VirusScan will detect this if the DATs included detection for the threat.
- VirusScan will deny the file creation if the method used to create this file is breaching an Access Protection rule 2.
- The file would have to be executed (or read) so it can propagate and deliver its payload
- VirusScan would detect if the DATs included detection for the threat.
- VirusScan would deny the file execution if the method used to launch the file is breaching an Access Protection rule.
NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
- The virus/Trojan Agent.exe is now running. It attempts to write .JPG and .DOC files to the C:\Temp folder.
- VirusScan would detect if the DATs included detection for the threat because the exclusion only involves .TMP files that are written to the folder.
- VirusScan would deny the file WRITE if an Access Protection rule existed for this behavior.
NOTE: Even though the virus / Trojan has executed and may be running in memory, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus / Trojan is found, it will be terminated from memory as part of the cleanup process.
Risk 2: A READ action occurs to execute the infected file:
- VirusScan will detect this if the DATs included detection for the threat. READ actions are not being excluded.
- VirusScan would deny the READ if an Access Protection rule existed for this behavior.
IMPORTANT: There is some risk associated with using the
High / Low Risk Processes policies. Generally the risk is minimal and you should assess it on a case-by-case basis. Take care in determining the degree of acceptable risk to obtain the desired product performance.
