Configure ScriptScan to whitelist URLs for improved performance
Technical Articles ID:
KB65382
Last Modified: 3/12/2020
Environment
McAfee VirusScan Enterprise (VSE) 8.8
For details of VSE 8.8 supported environments, see KB51111.
Summary
When VSE is installed with the ScriptScan component, it inserts a proxy between the incoming script and the Windows scripting host. This fact can cause poor performance with webpages and web-based applications that are script-intensive. It is now possible to whitelist URLs for trusted websites, such as sites within an intranet or sites that you use frequently and know to be safe.
This function is available in VSE 8.8.
NOTES:
- Do not use wildcard characters.
- Partial URLs can be used. Be cautious when you specify partial matches to avoid excluding scripts from unexpected websites. For example, adding only www would exclude scripts from any source that contains the characters www in the URL.
- You must enable Browser Helper Objects.
- The product development team suggests that you use only fully qualified domain names and NetBIOS names.
Examples:
Internal URL
To exclude the script named script.js from http://internal.something.local/scripts/script.js, the URL exclusion is internal.something.local.
External URL
To exclude an external URL such as http://www.mcafee.com, is www.mcafee.com.
- If your DNS server records contain CNAME entries for a particular URL, exclude them.
- Webpages can run scripts hosted on other sites or locations. If you require access to a script hosted on another site, you must also exclude the URL of the host site.
- Do not include port numbers in exclusions. If a port number is specified, the exclusion is ignored as invalid.
IMPORTANT:
- It is possible to disable ScriptScan. But, the product development team recommends that you first create and test exclusions, before you completely disable the feature. There is some security risk in disabling ScriptScan. Applications like Outlook, and Internet Explorer can render and execute scripts before a file has been created on the local system. The on-access scanner can stop the payload of attacks via this medium. But, ScriptScan has the added advantage of preventing an actual threat from executing in the first place.
- Even though ScriptScan might not be right for all environments, VSE provides superior protection against blended threats.
VSE uses:
- Integrated Buffer Overflow protection for common desktop applications and services
- Access Protection rules to block and contain common threat models,
- True On-Access Scanning for malware, including antispyware, and rapid-response regular DAT updates.
- It is recognized that customers can be put in the hard position of making the trade-off between enhanced protection and user performance.
Customers can elevate their protection level to a comparable level. This is achieved when you install a Secure Web Gateway appliance, just behind their externally facing web servers. This solution provides the same protection as ScriptScan, but is directed only at the external web traffic, leaving the internal portal traffic unencumbered.
Solution
To create a URL exclusion, perform the following steps:
CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
IMPORTANT: With the release of VSE 8.8, the following changes can be carried out via an ePO VSE 8.8 policy, or through the local console if not managed by ePO.
- Click Start, Run, type regedit and click OK.
- Navigate to and select the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCORE\Script Scanner
- Click Edit, New, Multi-String Value, and name the new value ExcludedURLs.
- Add the URL to exclude.
- Make sure that each URL or partial URL is separated by a carriage return.
NOTE: You can't create multi-string values (REG_MULTI_SZ) in Windows 2000. If needed, multi-string values can still be imported into Windows 2000.
- Close the registry editor.
- Close and restart all Internet Explorer windows. This action allows the new configuration to be read.
|
