In VSE, an excluded file, or a file in an excluded folder, is not scanned.
To determine whether a file is excluded, the MCSHIELD.EXE process receives information about the file from the McAfee AV filter driver.
The presence of an excluded file name in the log file does not necessarily indicate that a scan occurred, or even that the managed product tried to scan the file. In the following example, the excluded file is nHTTP.exe:
Not scanned (scan timed out) NT AUTHORITY\SYSTEM G:\Lotus\Domino\nHTTP.EXE F:\Lotus\Domino\Data\keyfile2010.sth
NOTE:
- McShield.exe processes ALL exclusions. McShield does all scanning, but it also evaluates every exclusion.
- McShield has a timeout mechanism.
In the example above, McShield timed out on nHTTP.EXE while trying to determine whether to exclude the file. The log entry does not indicate that the excluded file was actually scanned.
Procmon Data Analysis
In a capture taken with the Procmon tool, you see the McShield process working with a file that is excluded, but you do not see McShield perform a READ action on the file.
In the Procmon trace you see McShield Open, Query, Set, and Close actions. These actions do not indicate a scan, because no IRP_MJ_READ action takes place. You might also see some FASTIO_READ actions, but these are not an indication of a scan either. So, to determine whether a scan took place, run Procmon in Advanced Output mode (Filter > Enable Advanced Output, which shows the raw IRP and FastIO operation names), because not all listed READ actions indicate a scan.
After McShield has determined that the file is excluded, the McAfee AV filter driver is informed and records the file name (including the path). The filter driver then makes sure that McShield does not process the same file again unless the file is modified.
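The following is an added example, not part of the original article or of any McAfee tooling. It applies the rule above to a Procmon CSV export taken with Advanced Output enabled: for every file McShield.exe touched, it records the operations seen and treats only a successful IRP_MJ_READ as evidence of a scan, so Open/Query/Set/Close and FASTIO_READ activity on an excluded file is reported as "touched, but not scanned". The CSV rows, paths, PIDs and the choice of test.exe as a scanned file are constructed for the example.

```python
import csv
import io

# Constructed sample of a Procmon CSV export (File > Save, CSV) captured with
# Filter > Enable Advanced Output, so the Operation column carries raw IRP/FastIO
# names. nHTTP.EXE is the excluded file from the article; test.exe and the
# notepad.exe row are assumptions added to show the contrast.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","McShield.exe","1234","IRP_MJ_CREATE","G:\\Lotus\\Domino\\nHTTP.EXE","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0000002","McShield.exe","1234","IRP_MJ_QUERY_INFORMATION","G:\\Lotus\\Domino\\nHTTP.EXE","SUCCESS","Type: QueryBasicInformationFile"
"10:01:02.0000003","McShield.exe","1234","FASTIO_READ","G:\\Lotus\\Domino\\nHTTP.EXE","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.0000004","McShield.exe","1234","IRP_MJ_CLOSE","G:\\Lotus\\Domino\\nHTTP.EXE","SUCCESS",""
"10:01:03.0000001","McShield.exe","1234","IRP_MJ_CREATE","C:\\Temp\\test.exe","SUCCESS","Desired Access: Generic Read"
"10:01:03.0000002","McShield.exe","1234","IRP_MJ_READ","C:\\Temp\\test.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0000003","McShield.exe","1234","IRP_MJ_READ","C:\\Temp\\test.exe","SUCCESS","Offset: 65,536, Length: 65,536"
"10:01:03.0000004","McShield.exe","1234","IRP_MJ_CLOSE","C:\\Temp\\test.exe","SUCCESS",""
"10:01:04.0000001","notepad.exe","4321","IRP_MJ_READ","C:\\Temp\\notes.txt","SUCCESS","Offset: 0, Length: 1,024"
"""

# Only a completed IRP_MJ_READ by the scanner counts as a scan read.
# Open/Query/Set/Close and FASTIO_READ are "touch" operations (see text above).
SCAN_OP = "IRP_MJ_READ"


def classify_scans(csv_text, scanner="McShield.exe"):
    """Group a Procmon CSV export by path for the scanner process only.

    Returns {lowercased_path: {"path", "ops", "scanned"}}, where "scanned" is
    True only if at least one successful IRP_MJ_READ was issued on that path.
    """
    files = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != scanner.lower():
            continue  # other processes' I/O tells us nothing about scanning
        key = row["Path"].lower()  # NTFS paths are case-insensitive
        entry = files.setdefault(key, {"path": row["Path"], "ops": [], "scanned": False})
        entry["ops"].append(row["Operation"])
        if row["Operation"] == SCAN_OP and row["Result"] == "SUCCESS":
            entry["scanned"] = True
    return files


def report(files):
    """One human-readable verdict line per file McShield touched."""
    lines = []
    for entry in files.values():
        if entry["scanned"]:
            verdict = "SCANNED (IRP_MJ_READ seen)"
        else:
            verdict = "touched, but not scanned (no IRP_MJ_READ)"
        ops = ", ".join(sorted(set(entry["ops"])))
        lines.append(f"{entry['path']}: {verdict}; ops = {ops}")
    return lines


if __name__ == "__main__":
    for line in report(classify_scans(SAMPLE_CSV)):
        print(line)
```

Run it against a real export by replacing SAMPLE_CSV with the contents of the saved CSV; a file that shows only FASTIO_READ and the open/query/close operations is reported as touched but not scanned, which is exactly the pattern the article describes for an excluded file.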
- Exclude by File Age
You can use this powerful mechanism to increase performance, particularly for on-demand scans, with little risk.
Example
To set a date baseline, first perform a full scan. Then configure a task to scan all files but exclude files modified x days or more ago, and schedule the scan to run every x days.
If x = 2, only files modified within the last 2 days are scanned. Because the task also runs every 2 days, every file modified since the previous run is still picked up, which is why the risk is small.
- Exclusions for Select Processes Only
- You might need to exclude a folder that gets heavy file input/output (I/O) traffic, but the risk of exposing this folder for all processes is too high.
- Lessen the risk by using the VSE multiple scanning profiles, termed Default Processes, High-Risk Processes, and Low-Risk Processes.
- Add the process to a specific profile (High-Risk or Low-Risk) and configure the exclusion for that profile. The specified file or folder is then excluded only for the processes listed in that profile.