Understanding High-Risk, Low-Risk, and Default processes configuration and usage
Technical Articles ID: KB55139
Last Modified: 05/17/2013
Rated:
Last Modified: 05/17/2013
Rated:
Environment
McAfee VirusScan Enterprise 8.x
Summary
Unless configured otherwise, VirusScan Enterprise uses the On-Access Default Processes policies. The scanning configuration for this policy applies to all processes, including any file activity from those processes.
Implementing the High-Risk and Low-Risk Processes policies offers a means to alternately configure the On-Access Scanner and streamline computer performance.
The scenarios below can help you understand High-Risk Processes and Low-Risk Processes policies.
The scenarios below can help you understand High-Risk Processes and Low-Risk Processes policies.
Video Tutorial
NOTE: Adobe Flash Player is required. To download Adobe Flash Player, go to: http://www.adobe.com/products/flashplayer/.
To view a list of tutorials, go to the McAfee ServicePortal at http://support.mcafee.com/. Click Knowledge Center, and select Tutorials from the Support Content list.
To view this tutorial, see: TU30285
To view a list of tutorials, go to the McAfee ServicePortal at http://support.mcafee.com/. Click Knowledge Center, and select Tutorials from the Support Content list.
To view this tutorial, see: TU30285
Solution 1
Scenario 1 - The Low-Risk Processes policy is configured with Scan on READ disabled. Backup.exe is used as an example process.
With only the Default Processes policy in use:
With Backup.exe added to the Low-Risk Processes policy:
What Risks Does This Scenario Introduce?
Risk 1 - Assume there is a virus / Trojan with an executable file named Backup.exe.
Risk 2 - An infected file has been stored on the drive.
This means the Backup.exe process will successfully READ and back up an infected file because Backup.exe is a low risk process; this scanning policy does not Scan on READ.
You can mitigate the risk by various means, such as running an On-Demand scan before you perform a backup:
With only the Default Processes policy in use:
- Launch Backup.exe.
- McAfee VirusScan scans the Backup.exe.
- Backup.exe is now running and begins the backup process, which performs a READ action on all files on the drive.
- McAfee VirusScan then scans each file as it is READ by Backup.exe.
With Backup.exe added to the Low-Risk Processes policy:
- Add Backup.exe to a Low-Risk profile, with the option Scan on READ disabled.
- Launch Backup.exe.
- McAfee VirusScan scans the Backup.exe process.
- Backup.exe is now running and begins the backup process, which performs a READ action on all files on the drive.
- VirusScan recognizes that Backup.exe is a low risk process. Because this profile is configured not to Scan on READ, no scan occurs when Backup.exe reads files for backup.
What Risks Does This Scenario Introduce?
Risk 1 - Assume there is a virus / Trojan with an executable file named Backup.exe.
- First, the virus/Trojan would have to be written to the drive.
- VirusScan will detect this if the DATs include detection for the threat.
- VirusScan will deny the file creation if the method used to create this file breaches an Access Protection rule.
- The file would have to be executed (or read) so it can propagate and deliver its payload.
- VirusScan will detect this if the DATs included detection for the threat.
- VirusScan will deny the file execution if the method used to launch the file breaches an Access Protection rule.
NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
- The virus/Trojan Backup.exe is now running and attempts to modify files:
- VirusScan would detect this if the DATs include detection for the threat because modifying files is a WRITE operation and in this scenario only Scan on READ is disabled for Low-Risk processes.
- VirusScan would deny the modification if an Access Protection rule existed to prevent the behavior.
NOTE: Even though the virus / Trojan has executed and may be running in memory, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus / Trojan is found, it will be terminated from memory as part of the cleanup process.
Risk 2 - An infected file has been stored on the drive.
This means the Backup.exe process will successfully READ and back up an infected file because Backup.exe is a low risk process; this scanning policy does not Scan on READ.
You can mitigate the risk by various means, such as running an On-Demand scan before you perform a backup:
- Perform a full On-Demand scan once to set a baseline from which all files are clean.
-
Thereafter, configure the scan to exclude files by age that were modified since the last backup. This ensures the scans are short in duration because they only access relevant files. Running this task before a backup reduces the likelihood of an infected file being backed up.
Solution 2
Scenario 2 - Use the Low-Risk Processes policy to implement an exclusion. Agent.exe is used as an example process that performs a large number of file I/O WRITE actions to a commonly used folder C:\Temp on client computers.
With only the Default Processes policy in use:
IMPORTANT: There is some risk associated with using the High / Low Risk Processes policies. Generally the risk is minimal and you should assess it on a case-by-case basis. Take care in determining the degree of acceptable risk to obtain the desired product performance.
With only the Default Processes policy in use:
- Agent.exe writes a file to C:\Temp.
- VirusScan scans the file.
- Agent.exe writes more data to the same file in C:\Temp.
- VirusScan scans the file again.
- VirusScan scans each file write because the file is new or has been modified. This occurs for each modification to the original file as well as for any newly created files.
- The activity generated by this process can cause the scanner to use large quantities of system resources due to the number of scans required for each file.
With Agent.exe added to the Low-Risk Processes policy:
Agent.exe can be added to the Low Risk Process to alleviate the performance issue. There are several possible methods:
- Exclude C:\Temp from WRITE operations.
- Exclude C:\Temp\**.TMP from WRITE operations.
- Exclude .TMP files.
The solution that creates the least risk is b. Only exclude .TMP files found in the C:\Temp folder from scanning when they are being written to the disk by Agent.exe.
What Risks Does This Scenario Introduce?
It is possible for an unknown threat with a process named Agent.exe to write or modify .TMP files in the C:\Temp folder and avoid being scanned.
Risk 1: Assume that there is also a virus/Trojan with an executable file named Agent.exe.
- First, the virus/Trojan would have to be written to disk.
- VirusScan will detect this if the DATs included detection for the threat.
- VirusScan will deny the file creation if the method used to create this file is breaching an Access Protection rule 2.
- The file would have to be executed (or read) so it can propagate and deliver its payload
- VirusScan would detect if the DATs included detection for the threat.
- VirusScan would deny the file execution if the method used to launch the file is breaching an Access Protection rule.
NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
- The virus/Trojan Agent.exe is now running. It attempts to write .JPG and .DOC files to the C:\Temp folder.
- VirusScan would detect if the DATs included detection for the threat because the exclusion only involves .TMP files that are written to the folder.
- VirusScan would deny the file WRITE if an Access Protection rule existed for this behavior.
NOTE: Even though the virus / Trojan has executed and may be running in memory, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus / Trojan is found, it will be terminated from memory as part of the cleanup process.
Risk 2: A READ action occurs to execute the infected file.
- VirusScan will detect this if the DATs included detection for the threat. READ actions are not being excluded.
- VirusScan would deny the READ if an Access Protection rule existed for this behavior.
IMPORTANT: There is some risk associated with using the High / Low Risk Processes policies. Generally the risk is minimal and you should assess it on a case-by-case basis. Take care in determining the degree of acceptable risk to obtain the desired product performance.
Related Information
Third-party applications that exhibit performance issues when run concurrently with VirusScan Enterprise may show improvement with the application-specific processes added to the Low-Risk Processes policy.
Simply adding an application to the list of Low Risk Processes will not change the behavior of the On-Access Scanner. One or more of the various options must be changed for Low Risk processes to have an effect on performance.
Related Articles:
- When slow performance is seen during a backup, see KB72334.
- Required exclusions for Symantec backup Exec, see KB68701.
See also:
- For how to create low-risk and high-risk process exclusions for VirusScan Enterprise 8.x, see KB67544.
- For the issue where High-Risk and Low-Risk processes are not visible in VirusScan Console for non-admin users, see KB70116.
- To review an informational article that covers the topic Understanding VirusScan Enterprise Exclusions, see KB55898.
Affected Products
VirusScan Enterprise 8.8
VirusScan Enterprise 8.7i
Languages:
This article is available in the following languages:
GermanEnglish United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional
