After you add a process (for example, notepad.exe) to the low risk processes (LRP) group, you want to know whether the LRP setting is being applied correctly to that process.
To confirm that scan on read and scan on write are disabled in the scan settings for this group, perform the following steps:
- Create a copy of one of the existing on-access scan policies and name it LRP_TEST.
- Add notepad.exe to the LRP group in the policy LRP_TEST.
- Verify that scan on read and scan on write are both disabled for the LRP group in the policy.
- Apply this policy to a test endpoint.
- Open a console session on a test virtual system, and start notepad.exe.
- Copy the EICAR string (obtainable from https://www.eicar.org/) into the Notepad text session.
- Select File, Save As, and save the Notepad file with the following settings:
  - File name: eicar.exe
  - Type: All files
  - Location: c:\temp\ (or wherever is suitable on the local drive)
NOTE: Because notepad.exe is now in the LRP group, and LRP processes are not being scanned, you can save the EICAR file to the specified location.
- Open Windows Explorer and navigate to the location where you saved the file.
- Try to manipulate the file using Windows Explorer. For example, try to copy or rename the file. This time you get a detection and an access denied message. The detection is triggered now because the calling process accessing the file is Windows Explorer, which is typically in the high risk process group, rather than notepad.exe in the LRP group.
- View the on-access scan log if you want to confirm the detection details.
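The manipulation-and-log check at the end of the procedure can be repeated from a script. The following is an added example, not part of the original article: it assumes it is run from a process that is not in the LRP group (for example, a python.exe started from a normal shell), so scan on read should deny it access to the saved file, and it then searches an on-access scan log excerpt (passed in as text; the sample log lines and their layout are constructed for illustration and are not the product's real format) for the test file name.

```python
"""Verify the LRP test from a non-LRP caller and check the scan log for it."""
import os
import shutil
import tempfile

# Constructed sample of on-access scan log lines (illustrative layout only).
SAMPLE_LOG = """\
2/14/2024 10:15:01 AM  Not scanned  LAB\\admin  C:\\Windows\\System32\\notepad.exe  C:\\temp\\eicar.exe
2/14/2024 10:16:33 AM  Access denied  LAB\\admin  C:\\Windows\\explorer.exe  C:\\temp\\eicar.exe  EICAR test file
2/14/2024 10:16:40 AM  Not scanned  LAB\\admin  C:\\Windows\\System32\\svchost.exe  C:\\Windows\\Temp\\x.tmp
"""


def probe_access(path: str) -> str:
    """Copy the file, as Explorer would, from this (non-LRP) process.

    "blocked": the on-access scanner denied the read (the expected result).
    "missing": the file is gone, e.g. the scanner already removed it on read.
    "allowed": the copy succeeded, so scan on read did not fire for this caller.
    """
    copy_path = path + ".copy"
    try:
        shutil.copy2(path, copy_path)
    except PermissionError:
        return "blocked"
    except FileNotFoundError:
        return "missing"
    finally:
        if os.path.exists(copy_path):
            os.remove(copy_path)
    return "allowed"


def find_log_hits(log_text: str, file_name: str) -> list:
    """Return every log line that mentions the test file (case-insensitive)."""
    needle = file_name.lower()
    return [line for line in log_text.splitlines() if needle in line.lower()]


def verify_lrp_test(path: str, log_text: str) -> dict:
    """Combine the access probe with the log check; policy_ok means the
    caller was blocked AND the detection shows up in the log."""
    probe = probe_access(path)
    hits = find_log_hits(log_text, os.path.basename(path))
    return {"probe": probe, "log_hits": hits,
            "policy_ok": probe == "blocked" and bool(hits)}


def make_placeholder(dir_path: str = None) -> str:
    """Write a harmless placeholder (NOT the EICAR string) for dry runs."""
    dir_path = dir_path or tempfile.mkdtemp()
    path = os.path.join(dir_path, "eicar.exe")
    with open(path, "w") as f:
        f.write("placeholder test file, not the EICAR string\n")
    return path


if __name__ == "__main__":
    print(verify_lrp_test(r"c:\temp\eicar.exe", SAMPLE_LOG))
```

On a correctly configured endpoint the real eicar.exe saved by Notepad yields probe "blocked"; "allowed" with no log hit means scan on read is not firing for this caller and the policy should be rechecked.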