Issue with Excluding files in V4

[Humperdink]

Hi,

I'm having issues excluding files in NOD32 v4.2.64. We use several applications that use Paradox database tables, and I wish to exclude all .mb, .db and .lck files from being scanned.

Initially I set the extension editor to scan all files, and added these extensions so they would not be scanned. This doesn't seem to work, so I tried unticking the scan all files box and ensured that these extensions were NOT in the list of files to scan - same issue, when running the program I can see the files being scanned.

One way that does work is manually adding a path in the exclusions - although this works, I would rather not have to add in every single path to every directory that possibly holds the aforementioned files (this would be over 50 paths at present and will change fairly often)

I'm not sure if I'm doing something wrong here - should the extensions editor work in the way I have described? The end result is I never want the files with these extensions scanned, regardless of location, and it seems strange to have to specify a path to exclude rather than simply by extension...

Hope someone can shed some light here, thanks for your time.

[RyanW]

I'm having the same problem. I can't exclude *.ext.

[Marcos]

How do you know that files with those extensions are actually scanned?
Try the following:
- disable real-time and web protection
- download the eicar test file
- rename its extension to one you excluded
- enable real-time/web protection
- access the eicar test file or scan it with the on-demand scanner

[Marcos]

How do you know the files are scanned in spite of being excluded? Have you tried downloading the eicar test file with real-time and web protection disabled, renaming its extension to one you excluded and scanning it?

[RyanW]

I excluded *.mdb, and then openened an MDB I had and saw that NOD32 had scanned it (it was the last item to be scanned under "statistics")

Also, exclusions such as *.mdb* entered into ERAC never trickle down to the clients. Where exclusions like C:\temp\*.* do.

[Marcos]

Quote:

Originally Posted by RyanW

I excluded *.mdb, and then openened an MDB I had and saw that NOD32 had scanned it (it was the last item to be scanned under "statistics")

You're referring to a feature showing the last file "flowing" through a scanner, it does not necessarily mean it's actually scanned.

Quote:

Also, exclusions such as *.mdb* entered into ERAC never trickle down to the clients. Where exclusions like C:\temp\*.* do.

I wonder if you could provide an example of such a setting from an xml file. Basically you should add the "mdb" extension to the list of extensions of files excluded from scanning.

[Humperdink]

Thanks for the reply Marcos, I was thinking that the files were being scanned due to them being in the 'Object last scanned' are in the statistics window.

I've run the tests with the Eicar test file and am happy with the results, thanks for your help.

[rcdailey]

Quote:

Originally Posted by Marcos

You're referring to a feature showing the last file "flowing" through a scanner, it does not necessarily mean it's actually scanned.


I wonder if you could provide an example of such a setting from an xml file. Basically you should add the "mdb" extension to the list of extensions of files excluded from scanning.

Marcos,

If you don't use a wildcard mask (*.ext), but just enter the extension (.ext), what is the difference in the effect? I have not needed to use the extension exclusion feature, but this thread made me curious about it.

[RyanW]

Quote:

Originally Posted by Marcos

I wonder if you could provide an example of such a setting from an xml file. Basically you should add the "mdb" extension to the list of extensions of files excluded from scanning.

So it shouldn't be *.mdb, just mdb? The ERAC console just lets me select "as folder" or "as file" and the input box is called "New item", nothing tells me proper syntax?

- <NODE NAME="Exclusions" TYPE="SUBNODE">
- <NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">
<NODE NAME="FullPath" TYPE="STRING" VALUE="C:\Temp\*.*" />
<NODE NAME="Infiltration" TYPE="STRING" VALUE="" />
</NODE>
- <NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">
<NODE NAME="FullPath" TYPE="STRING" VALUE="*.mdb" />
<NODE NAME="Infiltration" TYPE="STRING" VALUE="" />
</NODE>
</NODE>


This was exported out of ERAC. The C:\temp\*.* makes it to the NOD32 clients, but *.mdb does not.

[toxinon12345]

Extracted from help file

Quote:

Extension format


The extension you are adding may not contain any of the following characters: < > : / \ | " . ; or a space.


When adding an extension, characters known as wildcards can be used to create an extension mask. An extension mask is a string used to generate an output range of file extensions.


Using wildcards to define extension masks:


* - An asterisk (*)
- denotes any number of any characters; meaning it is in effect always until the end of the string. Thus, D* means you are selecting all files of any name that have an extension starting with the “D” letter followed by any combination of characters. If you enter D*T into the Extension: field it will have precisely the same effect as the D* entry.

? – A question mark (?)
- denotes any single character. If you enter D?T into the Extension: field it will denote any extension starting with a D and ending with a T letter with any character in the middle of the string (e.g. DOT, DAT, DLT etc.).


NOTE: Make sure you enter only file extensions/extension masks and not whole file masks (e.g. *.DAT) into the Extension: field.

[Marcos]

Instead of adding *.mdb to the exlusion list (which effectively excludes mdb files in the root folder of drives), add the mdb extension to the list of extensions excluded from scanning for each of the modules. In an xml file, you should have something like this for every module (real-time, web protection, on-demand scanner, etc.):
<NODE NAME="ExcludeExtensions" VALUE="|MDB|" TYPE="STRING" />

[RyanW]

Quote:

Originally Posted by Marcos

Instead of adding *.mdb to the exlusion list (which effectively excludes mdb files in the root folder of drives), add the mdb extension to the list of extensions excluded from scanning for each of the modules. In an xml file, you should have something like this for every module (real-time, web protection, on-demand scanner, etc.):
<NODE NAME="ExcludeExtensions" VALUE="|MDB|" TYPE="STRING" />

I don't see a section to exclude mdb from real time scanning. Just on Demand Scanning.

The only ocurrence of the word "real" in the policy editor is to ask if you want real-time file system protection startup.

[rcdailey]

Quote:

Originally Posted by RyanW

I don't see a section to exclude mdb from real time scanning. Just on Demand Scanning.

The only ocurrence of the word "real" in the policy editor is to ask if you want real-time file system protection startup.

There is a place to enter entensions to be excluded in the Threatsense setup. Maybe that would work?

As I have posted, I do not have a need to exclude certain extensions, though after my post about that, I did find a need to exclude an entire folder from scanning. That accomplished what I needed to do, but it's not the solution for you, I think.