Exclusions questions

I've been sitting on hold for nearly 40 minutes with Eset support. I figure I might get a faster response here.

Is there any good documentation on configuring exclusions via the Remote Administrator?

If I want to exclude all .mdf files do I do a *.mdf or .mdf? I figure *.mdf makes more sense but I just want to be sure.

Second, if I want to follow Microsoft's recommendations on exclusions (http://support.microsoft.com/kb/822158) does NOD32 recognize variables like %windir% and %systemroot%?? Is there a list of variables that I can use for exclusions?

One other question not related directly to exclusions but is there any best practices for managing the packages? I was thinking that I would need to create separate packages with configurations specific for certain servers like Citrix, SQL, etc with different exclusions. Is it a problem to put all the exclusions even if they don't really apply to the server that NOD32 is installed on? For example, if I put an exclusion to not scan C:\Program Files\SpecialProgram but the folder doesn't exist on most of my servers will any errors be generated or will NOD32 just ignore it?

If I can put all the exclusions in every package, then I'm thinking the only thing I'll need to do is have two packages. One for PCs that I can scan during the day (since most users turn off their PCs at night) and one for everything else that gets scanned in the wee hours of the morning.

Any recommendations?

 

From the Help File:
Exclusion format
When configuring exclusions in the resident scanner, special symbols – wildcards, such as “*” and “?” can be used.

Examples:
- If you wish to exclude all files in a folder, type the path to the folder and use the mask “*.*”.
- If you want to exclude doc files only, use the mask“*.doc“.
- If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for sure (say “D”), use the following format: “D?.exe”. Question marks replace the missing (unknown) characters.
----------
As far as using System Variables, I don't know, good question. I don't personally follow MS's recommendation on this, and I've not run into any issues. I do follow Eset's recommendation and have exclusions between AMON/XMON on my Exchange server:

• Excluding Exchange files from resident protection scanning
XMON scans e-mail messages stored in the MS Exchange
Server storage. This storage is saved on the server
file system as a single file and using non-standard settings
in AMON (on-access scanner) while running on the
same server, might lead to a collision between XMON and
AMON. To avoid the collision make sure that the AMON
module is not set to scan .EDB, .TMP and .EML file types.
By default, the mentioned extensions are excluded
from scanning. It is also recommended to exclude from
scanning directories containing following files and directories:
%ProgramFiles%\Exchsrvr\MDBData\
%ProgramFiles%\Exchsrvr\Mtadata\
%ProgramFiles%\Exchsrvr\Server_Name.log
%ProgramFiles%\Exchsrvr\Mailroot
%ProgramFiles%\Exchsrvr\Srsdata
%SystemRoot%\System32\Inetsrv
%ProgramFiles%\Exchsrvr\IMCData

(This makes me believe System Variables are okay to use, but I still use an absolute path in my config.)
------------

And about having Exclusion entries for folders that do not exist, I've not had a problem doing this in the past. However my chosen method is to use one base installation package that will install on everything, then push the specialized configurations out once they check in with RA. I maintain the configuration files separately anyway, and this way I don't have to update dozens of packages when there's an upgrade or config change. This is more for security/paranoia as the more exclusions there are the better the odds that something will come along and exploit that exclusion, so no exclusions unless there have to be.

I've also found it easier to teach my users to leave their workstations on at night than to deal with their incessant bickering. That way, all scans, updates, etc. can be handled without interruption.

 

Thanks for the reply. We're not running Exchange.

I ran into an issue where my exclusions weren't being taken by a particular client. Then after 20 mins of talking to ESET support I discovered that what I really wanted was EXTENSIONS and not EXCLUSIONS to exclude things like *.ndf, *.ldf, etc.

Thanks.

 

Another question about exclusions. If I exclude a directory (e.g. c:\windows\sysvol\*.*) does that also exclude all subdirectories? Or more specifically how do I exclude a directory and all subdirectories and how do I just exclude a specific directory?

 

Yes, this will exclude also all subdirectories. A specific directory can be excluded by entering the exact path to it in the exclusion pane.

 

There is a radio button choice there....to exclude subfolders...or not. Depends which choice you've selected.

 

How should i do to only exclude folders from realtime protection but not on-demand scan ?

 

Done within AMON.