Issue with Excluding files in V4

Discussion in 'ESET NOD32 Antivirus' started by Humperdink, Oct 6, 2010.

Thread Status:
Not open for further replies.
  1. Humperdink

    Humperdink Registered Member

    Joined:
    Oct 6, 2010
    Posts:
    2
    Hi,

    I'm having issues excluding files in NOD32 v4.2.64. We use several applications that use Paradox database tables, and I wish to exclude all .mb, .db and .lck files from being scanned.

    Initially I set the extension editor to scan all files, and added these extensions so they would not be scanned. This doesn't seem to work, so I tried unticking the scan all files box and ensured that these extensions were NOT in the list of files to scan - same issue, when running the program I can see the files being scanned.

    One way that does work is manually adding a path in the exclusions - although this works, I would rather not have to add in every single path to every directory that possibly holds the aforementioned files (this would be over 50 paths at present and will change fairly often)

    I'm not sure if I'm doing something wrong here - should the extensions editor work in the way I have described? The end result is I never want the files with these extensions scanned, regardless of location, and it seems strange to have to specify a path to exclude rather than simply by extension...

    Hope someone can shed some light here, thanks for your time.
     
  2. RyanW

    RyanW Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    77
    I'm having the same problem. I can't exclude *.ext.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How do you know that files with those extensions are actually scanned?
    Try the following:
    - disable real-time and web protection
    - download the eicar test file
    - rename its extension to one you excluded
    - enable real-time/web protection
    - access the eicar test file or scan it with the on-demand scanner
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How do you know the files are scanned in spite of being excluded? Have you tried downloading the eicar test file with real-time and web protection disabled, renaming its extension to one you excluded and scanning it?
     
  5. RyanW

    RyanW Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    77
    I excluded *.mdb, and then opened an MDB I had and saw that NOD32 had scanned it (it was the last item to be scanned under "statistics")

    Also, exclusions such as *.mdb* entered into ERAC never trickle down to the clients. Where exclusions like C:\temp\*.* do.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You're referring to a feature showing the last file "flowing" through a scanner; it does not necessarily mean it's actually scanned.

    I wonder if you could provide an example of such a setting from an xml file. Basically you should add the "mdb" extension to the list of extensions of files excluded from scanning.
     
  7. Humperdink

    Humperdink Registered Member

    Joined:
    Oct 6, 2010
    Posts:
    2
    Thanks for the reply Marcos, I was thinking that the files were being scanned due to them being in the 'Object last scanned' area in the statistics window.

    I've run the tests with the Eicar test file and am happy with the results, thanks for your help.
     
  8. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233

    Marcos,

    If you don't use a wildcard mask (*.ext), but just enter the extension (.ext), what is the difference in the effect? I have not needed to use the extension exclusion feature, but this thread made me curious about it.
     
  9. RyanW

    RyanW Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    77
    So it shouldn't be *.mdb, just mdb? The ERAC console just lets me select "as folder" or "as file" and the input box is called "New item", nothing tells me proper syntax?

    <NODE NAME="Exclusions" TYPE="SUBNODE">
      <NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">
        <NODE NAME="FullPath" TYPE="STRING" VALUE="C:\Temp\*.*" />
        <NODE NAME="Infiltration" TYPE="STRING" VALUE="" />
      </NODE>
      <NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">
        <NODE NAME="FullPath" TYPE="STRING" VALUE="*.mdb" />
        <NODE NAME="Infiltration" TYPE="STRING" VALUE="" />
      </NODE>
    </NODE>


    This was exported out of ERAC. The C:\temp\*.* makes it to the NOD32 clients, but *.mdb does not.
     
  10. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Extracted from help file
     
    Last edited: Oct 12, 2010
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Instead of adding *.mdb to the exclusion list (which effectively excludes mdb files in the root folder of drives), add the mdb extension to the list of extensions excluded from scanning for each of the modules. In an xml file, you should have something like this for every module (real-time, web protection, on-demand scanner, etc.):
    <NODE NAME="ExcludeExtensions" VALUE="|MDB|" TYPE="STRING" />
     
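An added example, not from the thread or from ESET: a Python check over an exported policy XML that separates `FullPath` entries with no folder component (such as the `*.mdb` mask discussed in the post above) from the `ExcludeExtensions` entries set per module. The sample XML is constructed from the fragments quoted in the thread; the `SampleModule` wrapper node and the `audit_policy` helper are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The Exclusions and ExcludeExtensions nodes follow the
# fragments quoted in the thread; the "SampleModule" wrapper is a placeholder.
SAMPLE_POLICY = r"""
<NODE NAME="SampleModule" TYPE="SUBNODE">
  <NODE NAME="ExcludeExtensions" VALUE="|MDB|" TYPE="STRING" />
  <NODE NAME="Exclusions" TYPE="SUBNODE">
    <NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">
      <NODE NAME="FullPath" TYPE="STRING" VALUE="C:\Temp\*.*" />
      <NODE NAME="Infiltration" TYPE="STRING" VALUE="" />
    </NODE>
    <NODE NAME="Exclusion" TYPE="SUBNODE" DELETE="0">
      <NODE NAME="FullPath" TYPE="STRING" VALUE="*.mdb" />
      <NODE NAME="Infiltration" TYPE="STRING" VALUE="" />
    </NODE>
  </NODE>
</NODE>
"""

def audit_policy(xml_text):
    """Classify exclusion entries in an exported policy (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = {"bare_masks": [], "path_exclusions": [], "excluded_extensions": {}}
    for node in root.iter("NODE"):
        name, value = node.get("NAME"), node.get("VALUE", "")
        if name == "FullPath":
            # No drive or folder component: a file mask entered as a path.
            has_location = any(ch in value for ch in "\\/:")
            key = "path_exclusions" if has_location else "bare_masks"
            report[key].append(value)
        elif name == "ExcludeExtensions":
            parent = parent_of.get(node)
            module = parent.get("NAME") if parent is not None else "(top level)"
            extensions = [ext.upper() for ext in value.split("|") if ext]
            report["excluded_extensions"].setdefault(module, []).extend(extensions)
    return report

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY)
    for mask in result["bare_masks"]:
        print(f"review: {mask!r} is in the path exclusion list, not an extension list")
    for module, extensions in result["excluded_extensions"].items():
        print(f"{module}: extensions excluded from scanning: {extensions}")
```
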
  12. RyanW

    RyanW Registered Member

    Joined:
    Nov 9, 2009
    Posts:
    77

    I don't see a section to exclude mdb from real time scanning. Just on Demand Scanning.

    The only occurrence of the word "real" in the policy editor is to ask if you want real-time file system protection startup.
     
  13. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    There is a place to enter extensions to be excluded in the Threatsense setup. Maybe that would work?

    As I have posted, I do not have a need to exclude certain extensions, though after my post about that, I did find a need to exclude an entire folder from scanning. That accomplished what I needed to do, but it's not the solution for you, I think.
     
    Last edited: Oct 13, 2010