Loading...

Knowledge Center

Understanding VirusScan Enterprise Exclusions
Technical Articles ID:   KB55898
Last Modified:  5/10/2016
Rated:

Environment

McAfee VirusScan Enterprise (VSE) 8.x

Solution

In VSE, an excluded file or a file residing in an excluded folder will not be scanned.

To determine whether a file is excluded, the MCSHIELD.EXE process receives information about the file from the McAfee AV filter driver.

Presence of an excluded file name (in this example nHTTP.exe) in the log file does not necessarily indicate that a scan occurred, or that the point product attempted to scan the file.

10/23/2010  17:22:01 PM  Not scanned  (scan timed out)       NT AUTHORITY\SYSTEM    G:\Lotus\Domino\nHTTP.EXE     F:\Lotus\Domino\Data\keyfile2010.sth

NOTE:

  • ALL exclusions are processed by McShield.exe.  McShield does all the scanning but it also does all the exclusions.
  • McShield has a timeout mechanism.

In the above example McShield timed out on nHTTP.EXE in trying to determine whether to exclude the file or not. The log file does not indicate that the excluded file is actually being scanned. 
 

Solution

Procmon data analysis
 
In a capture using the Procmon tool, you still see the McShield process working with a file that is excluded, but you will not see McShield perform a READ action on the file.
 
From monitoring Procmon, you see McShield Open, Query, Set, and Close actions. However, these actions do not indicate a scan because no IRP_MJ_READ action takes place. You see some FASTIO_READ actions, but this also is not an indication of a scan. Therefore, to determine if a scan took place, run Procmon in Advanced Output mode, because not all listed READ actions indicate a scan.
 
After McShield has determined the file to be excluded, the McAfee AV filter driver is informed and the filter driver records the filename (including path) so that the same file is not processed by McShield again unless the file is modified.
  • Exclude by File Age
    You can use this powerful mechanism to potentially increase performance, particularly for On-Demand Scans, with little risk.

    Example
    Perform a full scan to set a date baseline, then configure a task to scan all files but exclude files modified x days or more ago, and schedule the scan to run every x days.
    If x = 2, only files modified within the last 2 days will be scanned.

     
  • Exclusions for Select Processes Only
    • You might need to exclude a folder that gets a lot of file I/O traffic, but the risk of exposing this folder for all processes is felt to be too high.
    • Lessen the risk by utilizing VirusScan Enterprise multiple scanning profiles, termed Default Processes, High-Risk Processes and Low-Risk processes.
    • Add the desired process into a specific profile (High-Risk or Low-Risk) and configure the exclusion for that profile. Only the processes listed in that profile will exclude the specified file or folder.

Solution

For ProcMon download and information, see KB72766.

Related Information

KB61000 - VSE exclusions and hardware paths (physical versus logical address)

Disclaimer

The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.