SYSTEM-WIDE exclude specific files from real-time scanning

Discussion in 'ESET Smart Security' started by Nyrk and Naxr, Apr 26, 2010.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    ESET will never implement something that might jeopardize the safety of our customers. It's not only about svchost or other system files, there are plenty of other situations when this would lead to infection.

    As I have already written, if one presumes a file is flagged incorrectly as a threat and needs to have detection removed completely on any machine / location, the only way to accomplish this is by submitting the file to ESET.
     
  2. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    BS!!! 'ThreatSense engine parameter setup' alone offers plenty of opportunities to any 'happy-clicker' to get in big trouble, not to mention the geeky GUI terminology, which would make even more experienced users doubt whether the right boxes have been selected during configuration. Could that not lead to infection?!?!

    You sound just like the airline guy who confiscated my tweezers and did not realize that steel forks and knives were readily available on board!

    From the obstinacy that I detect in your replies I fear that you might not be the most suitable 'messenger' (no offense) to convey some important concepts I expressed in earlier posts. Would you be so kind as to provide me (via PM if you do not feel like being too public) with a couple of email addresses which I can use to reach somebody at ESET who is willing to listen?

    Thanks in advance, and YES, I did notice that you recommended 'once or twice' to submit the file to ESET ;)
     
  3. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Listen folks this is getting pathetically ridiculous.

    To be honest, I've not looked at the Business edition, so apologies if you can wildcard exceptions in there.

    Real-world runtime systems do not always work well with AV systems because, quite frankly, the AV can potentially cause a denial of service on the underlying application.

    The example I quoted, which should have been the real giveaway, was Exchange. If you scan all of its working folders: (1) you will impact performance, and (2) if you actually quarantine any files you will quite possibly knack the databases. Been there, done that, got the T-shirt!

    That's why you exclude a whole series of folders and files (please google all of the Microsoft articles before you think about this one) and then add an inline AV client if required.

    The McAfee example I gave previously would be VirusScan Enterprise on the server, but excluding the stack of recommended exceptions for Exchange, and then installing GroupShield within the message flow somewhere (either the transport server or message store... or gateway relay if you have one of those).

    If no one can see any merit in wildcards in exclusions then so be it... that's obviously the answer. But sometimes we ask for things that are actually useful in the real world... and done by other vendors.

    cheers all

    Nodrog CEH, CHFI, CISSP
     
  4. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    Hi,

    Certain vendors also create "checksum rules", which are path-independent but identify the file by its MD5 (not that secure because of collisions) or SHA1 checksum + filename duet. This allows for system-wide exclusion while remaining quite secure, since it identifies the file contents and not only the filename. It can even be seen as more secure if you consider a file infector (quite rare nowadays, but still) that would modify the excluded file (even with an absolute path) but also its checksum, and hence make the exclusion invalid.

    In fact, I would be quite uncomfortable if the existing exclusion system in ESS or other security software did not contain a checksum verification for excluded files, because then it would be a serious vulnerability (infectors, trojans that try to replace commonly excluded files such as svchost...). But I digress.

    I remember that SSM (which, admittedly, was an HIPS) used to have such a feature.
    It is also one method of real-time scanning optimization used by Kaspersky's home products (named iChecker if I'm not mistaken) to avoid re-scanning a file when it's moved along the filesystem.

    I guess the drawback is the time it takes to compute the file checksum, especially for huge files, but it doesn't compromise security yet allows for more flexible exceptions.
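    As an added illustration of the checksum-rule idea described in this post (example code written for this page, not ESET's or any other vendor's implementation; the file contents, names and paths are constructed), a toy exclusion check that contrasts a plain path-based rule with a filename + SHA-256 rule across the three cases the post raises: the same file moved elsewhere, the file tampered with in place, and a different file renamed to the excluded name:

```python
# Added example, not any vendor's code. Sample bytes, names and paths are
# constructed; the digests are computed from them, not real indicators.
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ChecksumExclusion:
    filename: str  # base name only, so the rule is location-independent
    sha256: str    # SHA-256 rather than MD5, which is collision-prone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_rule_for(path: str, data: bytes) -> ChecksumExclusion:
    """Build a checksum rule from a known-good copy of the file."""
    return ChecksumExclusion(PureWindowsPath(path).name.lower(), sha256_hex(data))


def excluded_by_path(path: str, excluded_paths) -> bool:
    # A path rule never looks at content: whatever sits at that path is skipped.
    return any(p.lower() == path.lower() for p in excluded_paths)


def excluded_by_checksum(path: str, data: bytes, rules) -> bool:
    # A checksum rule needs both the name and the exact content digest to match.
    name = PureWindowsPath(path).name.lower()
    digest = sha256_hex(data)
    return any(r.filename == name and r.sha256 == digest for r in rules)


def compare_rules() -> dict:
    """Run the three scenarios from the discussion against both rule types."""
    good = b"MZ constructed-sample-tool-v1"      # known-good, falsely flagged tool
    tampered = good + b"\x90\x90 appended-stub"  # same path, modified contents
    path = r"C:\Tools\mytool.exe"
    moved = r"D:\Backup\Tools\mytool.exe"
    path_rules = [path]
    sum_rules = [checksum_rule_for(path, good)]
    return {
        "moved_path": excluded_by_path(moved, path_rules),              # False
        "moved_checksum": excluded_by_checksum(moved, good, sum_rules),  # True
        "tampered_path": excluded_by_path(path, path_rules),            # True
        "tampered_checksum": excluded_by_checksum(path, tampered, sum_rules),  # False
        "renamed_checksum": excluded_by_checksum(r"C:\Tools\other.exe", good, sum_rules),  # False
    }
```

The `tampered_path` result is the weakness the post describes: a path-only exclusion keeps skipping a file after its contents change, while the checksum rule stops matching and the file is scanned again.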
     
  5. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Guess what?

    I have taken a bunch of these 'suspicious' files, zipped them and mailed them to ESET with a small description.

    Not 3 days later ESET replied confirming that all files were benign and that the relevant definition had already been released to exclude them from being detected!

    All works fine now!

    I do not understand why you guys did not suggest (not even a hint) that I submit the files to ESET in the first place!!! It was so easy.

    Case closed!
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It was actually suggested in the first reply to your post as well as in several further replies from other members, including me :) I assume those 3 days include the weekend; usually you should get a reply from the virus lab faster.
     
  7. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Really?!?!? lol
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Oh really... Like:

    and

    and

    and

    and

    and

    and

    and

    So, if I can count correctly, it has been suggested to you no fewer than eight (!!!!) times to submit the false positives to ESET.

    T3h sigh. What a waste of time - yours and other people's. :cautious:
     
  9. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    You know how to count up to eight?!?! But that is truly A-M-A-Z-I-N-G!!! Did you practice over the weekend?

    Since you evidently have such an extraordinary sense of humor and so much free time (you xxxxxxx!) I am glad that I wasted some of your time you xxxxxxxx and also xxxxx and xxxx (that's the great thing about 'censor-free attributes'.... they can't be deleted by any mods because they look like a bunch of xxxxxxx but you can easily imagine what they mean... wait -I need to rephrase it- xxxxxx, xxxxx xx xxxx xxxx xx, xxx xxxxxxxxx xxxxxx, clearer now?).

    Out of here.

    It was nice meeting (some of) you!

    N&N
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Bye. :cautious:
     