Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 21 subscribers
  • Views 8608 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best Way to Exclude File Extensions

Navar Holmes

I see that there is two ways to exclude a file extension WHY?

Which of the two ways will give the best results?

We have a number of file extensions that we have to exclude.  I will use zzz as an example.

This is all done under On-Access scan settings.

Option 1

under the Extensions tab select the Exclude button to Add Excluded Extensions.

The problem with this option is you don't know if they are really being applied as you don't see the option at the endpoint and you can wildcard versions of the file extension.  you can only add zzz.  So is it really working??

Option 2

Select the Windows Exclusions Tab.

lots of options here.

Here you can add *.zzz and it will show up at the endpoint under on-access exclusions.  You can at least prove that you added it to the exclusion list.

But you can't add *.zz*, but you can add *.zz$

 

So the big question???  What is the best way to 100% guarantee that zzz gets excluded?

 

 



This thread was automatically locked due to age.
Parents
  • 0

    Hello Navar Holmes,

    note: please post in the applicable (product-specific) group and forum if possible, thanks.

    First and foremost -  why do you (think you) need these exclusions (and even a number of them)? Do you have any issues?
    The default Extensions setting is Scan only executable and other vulnerable files - in other words, the "harmless" stuff is left alone anyway, thus files with arbitrary extensions are not scanned. The primary use of Extensions is to define extensions that should be scanned. You might have noticed that the GUI also speaks of file types. This is not the same as an extension. While known extensions have an associated Open command Windows (or an application) might nevertheless act on the file's actual contents (aka true file type). You can see the extensions in effect on the endpoint (Configure On-Access scanning, tab Extensions). The ? can be sued as wildcard character, BTW.

    If you really need to exclude certain items then the Windows Exclusions tab is the correct place. As far as the syntax for file exclusions and the use of wildcards is concerned the documentation is IMO clear. Only one asterisk and then only in place of everything either before or after the last dot. Use a ? for zero or one arbitrary character.

    As to the question from one of your other posts: How do I verify that the exclusions are working - for an arbitrary extension it's not exactly simple (you can e.g. use Process Monitor if you know how to interpret its output). If you had issues and they're gone you know they are working. You can of course easily verify that it works (and it does) for .com or any other of the common extensions.

    Christian

  • 0 in reply to QC

    Thank you for clearing the muddy water on this.

    Let me re-cap what you have said to see if I got it right.

    Under the Extensions tab exclude button is where you would only add file types that you don't want scanned that are part of the list for "Scan only executable and other vulnerable files"?

    Windows Exclusions tab is where you add all other file type extensions.

    This makes complete sense..  Sure wish support knew this.

     

    To add to this:

    The SEC console wont show the list of extensions that are scanned with the "Scan only executable and other vulnerable files", you have to go to your endpoint to see these extensions.

    So if there is an extension that is in this list that needs to be excluded should it be added at the Extensions tab or the Windows Exclusions?  I would prefer the Windows Exclusions as I prove that it is in the exclude list.

Reply
  • 0 in reply to QC

    Thank you for clearing the muddy water on this.

    Let me re-cap what you have said to see if I got it right.

    Under the Extensions tab exclude button is where you would only add file types that you don't want scanned that are part of the list for "Scan only executable and other vulnerable files"?

    Windows Exclusions tab is where you add all other file type extensions.

    This makes complete sense..  Sure wish support knew this.

     

    To add to this:

    The SEC console wont show the list of extensions that are scanned with the "Scan only executable and other vulnerable files", you have to go to your endpoint to see these extensions.

    So if there is an extension that is in this list that needs to be excluded should it be added at the Extensions tab or the Windows Exclusions?  I would prefer the Windows Exclusions as I prove that it is in the exclude list.

Children
  • 0 in reply to Navar Holmes

    Hello Navar Holmes,

    re-cap
    guess you can put it this way. Perhaps I should have mentioned that Exclusions are low-level (filter driver) and work solely on the pathname.

    you have to go to your endpoint
    the Extensions are processed by the scanning engine.     Normally you shouldn't touch them. The interface in the console is perhaps only still there for "historical reasons". Actually this scan-this-don't-scan-that business is more complex than one might think: Take a .vbs script (a Hello world! will do). Give it an arbitrary extension (say .xyz). Open a command prompt, enter wscript /E:VBScript \path\to\HelloWorld.xyz and .... As any executable can use the Windows Scripting Host - what do you think the scanner should do?

    that needs to be excluded
    you should be veeery careful with avoid exclusions unless absolutely necessary and then make them as limited as possible. IMO necessary should be proven necessary - not just a vendor's "recommendation".
    None of my business but I'm curious what it is that you need to be excluded any why?

    Christian 

Unfiltered HTML