Last Modified: 06/21/2013
McAfee VirusScan Enterprise 8.7i Patch 1 and later
This functionality is available in:
- VSE 8.8
- VSE 8.7i with Patch 1 and later
- Do not use wild card characters.
- Partial URLs can be used. Be cautious when specifying partial matches to avoid excluding scripts from unexpected web sites. For example, adding only www as an exclusion would exclude scripts from any source that contains the characters www in the URL.
- You must enable Browser Helper Objects.
- McAfee suggests that you use only Fully Qualified Domain Names and NetBIOS names.
To exclude the script named script.js from http://internal.something.local/scripts/script.js, the URL exclusion would be internal.something.local.
To exclude an external URL such as http://www.mcafee.com, the URL exclusion would be www.mcafee.com.
- If your DNS server records contain CNAME entries for a particular URL, exclude them.
- Web pages can run scripts hosted on other sites or locations. If you require access to a script hosted on another site, you must also exclude the URL of the host site.
- Do not include port numbers in exclusions. If a port number is specified, the exclusion will be ignored as invalid.
Although it is possible to disable ScriptScan, McAfee recommends that you first create and test exclusions before you completely disable this feature. There is some security risk in disabling ScriptScan because applications like Outlook and Internet Explorer can render and execute scripts before a file has been created on the local system. It is important to point out that the On-Access scanner can stop the payload of attacks via this medium, but ScriptScan has the added advantage of preventing an actual threat from executing in the first place.
Customers can be confident that even though ScriptScan may not be right for all environments, VirusScan Enterprise 8.x provides superior protection against blended threats, with integrated Buffer Overflow protection for common desktop applications and services, Access Protection rules to block and contain common threat models, and true On-Access Scanning for malware, including Anti-Spyware, and rapid-response daily-DAT updates, backed by the power and performance of ePO.
McAfee recognizes, however, that this can potentially put customers in the difficult position of making the trade-off between enhanced protection and end-user performance. A customer can elevate their protection level back to a comparable level by installing a Secure Web Gateway appliance just behind their externally-facing web-servers. This solution will provide the same protection as ScriptScan, but is directed only at the external web traffic, leaving the internal portal traffic unencumbered.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a .REG file that is not confirmed to be a genuine registry import file.
IMPORTANT: With the release of VSE 8.8 and later, the following changes can be carried out via an ePO VSE 8.8 policy, or through the local console if not managed by ePO.
1. Click Start, Run, type regedit and click OK.
2. Navigate to and select the appropriate registry key:
   - VSE 8.8: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCORE\Script Scanner]
   - VSE 8.7i: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCORE\Script Scanner]
3. Click Edit, New, Multi-String Value, and name the new value ExcludedURLs.
4. Add the URL to exclude.
5. Ensure that each URL or partial URL is separated by a carriage return.
   NOTE: This only works for Windows XP and later because you cannot create multi-string values (REG_MULTI_SZ) in Windows 2000. If necessary, multi-string values can still be imported into Windows 2000.
6. Close the registry editor.
7. Close and restart all Internet Explorer windows to allow the new configuration to be read.
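The following PowerShell sketch is an added example, not McAfee code. It checks candidate entries against the rules listed in this article, shows how broadly each entry would match, and then writes the reviewed list as the ExcludedURLs multi-string value. The function names, candidate entries and sample URLs are constructed for illustration, and modelling the partial match as a case-insensitive substring test is an assumption based on the www warning above.

```powershell
# Added example, not McAfee code. Sample entries and URLs are constructed.
$KeyPath = 'HKLM:\SOFTWARE\McAfee\SystemCore\VSCORE\Script Scanner'  # VSE 8.8 key from this article

# Check one candidate entry against the rules listed in this article.
function Test-ExclusionEntry([string]$Entry) {
    $problems = @()
    if ($Entry -match '[*?]')      { $problems += 'wildcard characters are not allowed' }
    if ($Entry -match ':\d+(/|$)') { $problems += 'port number: the exclusion would be ignored as invalid' }
    if ($Entry -match '/')         { $problems += 'use the host name only, not a full URL or path' }
    [pscustomobject]@{ Entry = $Entry; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# List the URLs an entry would exclude. Assumption: a partial entry matches
# any URL that contains it, compared case-insensitively.
function Get-ExcludedUrl([string]$Entry, [string[]]$Url) {
    $Url | Where-Object { $_.IndexOf($Entry, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
}

$candidates = 'internal.something.local', 'www', 'portal.something.local:8080', '*.something.local'
$sampleUrls = 'http://internal.something.local/scripts/script.js',
              'http://www.mcafee.com/',
              'http://www.unrelated.example/ads/tracker.js'

$results = $candidates | ForEach-Object { Test-ExclusionEntry $_ }
$results | Format-Table -AutoSize

# Review breadth before deploying: 'www' passes the syntax rules but
# matches every sample URL whose host starts with www.
foreach ($r in $results | Where-Object Valid) {
    $hits = @(Get-ExcludedUrl $r.Entry $sampleUrls)
    '{0} excludes {1} of {2} sample URLs' -f $r.Entry, $hits.Count, $sampleUrls.Count
}

# Write only the reviewed entries; each array element becomes one line of the REG_MULTI_SZ value.
$approved = [string[]]@('internal.something.local')
if (Test-Path $KeyPath) {
    New-ItemProperty -Path $KeyPath -Name ExcludedURLs -PropertyType MultiString -Value $approved -Force | Out-Null
    (Get-ItemProperty -Path $KeyPath -Name ExcludedURLs).ExcludedURLs
} else {
    Write-Warning "Key not found: $KeyPath (for VSE 8.7i use the VSCORE key given in this article)"
}
```

Run it from an elevated prompt; the -Force switch replaces any existing ExcludedURLs value, so include every entry you want to keep in $approved.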
Ways to distribute a URL exclusion
The following options can be used with ePolicy Orchestrator (ePO) or other deployment solutions.
- McAfee Installation Designer (MID)
MID allows you to modify the base installation files for VSE to include additions/customizations. To add this setting through MID, you must first configure all the exclusions you require on the system you are using to create the MID package. Then export the key as a .reg file. In the MID package creation wizard, specify the .reg file to run at the end of the installation process. The registry file will be imported to the system when VSE is installed.
- SuperDAT Manager
Use this utility to create a self-executable package which imports the registry file you created earlier. After that package is added to ePO, all systems will retrieve and execute the package on their next update.
NOTE: The SuperDAT Manager utility is only available to McAfee Platinum customers by request to McAfee Technical Support.
- System Information Reporter (SIR)
You can use this utility to create and deploy the registry key described in Steps 2-5 above to all computers running SIR 1.0. For more information about how to configure the desired registry change using SIR, see PD22755.
NOTE: SIR 1.0 is only available to McAfee Platinum customers by request to McAfee Technical Support.