SYSTEM-WIDE exclude specific files from real-time scanning

Discussion in 'ESET Smart Security' started by Nyrk and Naxr, Apr 26, 2010.

Thread Status:
Not open for further replies.
  1. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    ESS 'swallows' some specific files with the 'probably a variant of Win32/IRCBot trojan' reason!

    I know that these files are 100% trusted!

    Every time I want to move these files from one location to another (external HDD for example) I need to disable AV protection or restore them from the quarantine!

    If I run them from a path that is not added to the exclusion list they get stopped by ESS!!!

    In the exclusion list you need to add a specific (complete) path but I wonder if there is a way that I could exclude specific files SYSTEM-WIDE from real-time scanning?

    After all if I establish that it is safe to run a certain file from a specific path, why would it be unsafe to run the exact same file from a different path?

    It would be soooooo nice to have a simple 'Ignore List' in ESS.... or even easier (from Quarantine) the option to right-click on a file and exclude it... Obviously from any location on all local drives!!!

    Can anybody suggest a solution? Maybe an 'All-paths' wildcard :D would do?

    Tnx in advance :D
     
  2. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hello Nyrk and Naxr,

    Does ESET agree with you that they are "100% trusted!"?

    Follow the steps listed in this article to have the lab take a look at them. If this is a false positive and they are actually benign they will be removed from the database.

    BFG
     
  3. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Many thanks for your kind reply, BFG.

    Please note the following:

    1. As you know, if a specific (complete) path is typed in, any file can be added to the 'Exclusions' with ESET 'looking the other way'. Now, if ESS permits a user to run a certain file from a specific designated path, why does it not make it easier for the user to run the exact same file from a different path (or from all local disks)? If I wanted to waste an hour (per file) I could add to 'Exclusions' all the complete paths where one of these files could potentially land, so I would reach the same effect... This seems to be a plain and simple shortcoming of ESS... Not being user-friendly on that front.

    2. It would be pointless to send any file to ESET to ascertain that they are false positives and that they are actually benign, because the files I am talking about are created by myself and I can assure you that I am not a trojan or virus developer. During the process of sandboxing/virtualizing an application (a perfectly legitimate one) some executables are created. Some of these .exe files (which are nothing else than stubs of the main executable) are the ones I am referring to. How on earth could they possibly be trojans? Besides that, I do not see it as feasible, every time I portabilize an application, to carry out the procedure of sending stubs to ESET for analysis; it would just be too time-consuming!

    Bottom line, I would hope that there is a quicker and easier solution which -for once- sees a user telling a program what to do and not the other way around... If you see what I mean.

    Enjoy a sunny day in San Diego ;)
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, see... a similar kind of whitelisting would at minimum require a valid digital signature and checksum to match; otherwise you just open the doors wide to malware. Also, if NOD32 is tagging your own executables as malware, why don't you submit those to ESET as false positives? How are they tagged? Are you using any "well-known" packers or something?
     
  5. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Hello doktornotor,

    What do you mean with 'you just wide open doors to malware.'?

    Did you read this part from my post above?

    "... As you know if a specific (complete) path is typed in, any file can be added to the 'Exclusions' with ESET 'looking the other way'. Now, if ESS permits a user to run a certain file from a specific designated path why does it not make it easier for the user to run the exact same file from a different path (or from all local disks)?..."

    What is your answer to that?

    I am using 'VMware ThinApp'... Are you saying that I should digitally sign each stub?!?!?! Are you familiar with VMware ThinApp?

    Thanks in advance for your valuable insight ;)
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yeah, the exact same file is the issue here. To know that it's the exact same file, you need to check it somehow. Allowing a file named foo.exe to run from everywhere without any checking whatsoever, just because you've excluded it in a certain folder and it's called the same otherwise, is plain stupid.

    And once again, what's exactly your trouble with sending those alleged false positives to ESET so that they can fix them?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd strongly recommend submitting those files to ESET as it's been advised above. This way ESET can analyze them and remove detection if they are actually benign and only have certain characteristics of malware which can be the only reason why they are detected.
     
  8. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Sorry pal, with all good intentions to follow whatever it is that you are trying to say, I really do not understand what you mean.

    I'll try to describe the situation in an easier way (step-by-step): Hopefully this will make things clearer.

    1. I take a known application, say Notepad++
    2. I virtualize it using VMware ThinApp (you did not answer my earlier question so I do not know if you are familiar with VMware)
    3. Upon launching the virtualized app the 'Data' folder is generated in the same directory as Notepad.exe
    4. Inside the 'Data' folder another sub-folder is created with stubs of Notepad.exe
    5. One of these stubs (let's call it 'XYZ.exe') is the 'suspicious' file
    6. Assuming that ESS moves it to quarantine because it is probably a variant of Win32/IRCBot trojan
    7. I disassemble that file to analyze it and once I see no anomalies I add its complete path to ESS Exclusions
    8. ESS now leaves that file in peace.... I guess you are still following, right? NOW, here comes the fun...
    9. I take my virtualized 'Notepad++' folder which also contains THE EXACT SAME 'XYZ.exe' file (you agree with me that it is the same file, right?) and copy it to an external HDD where I keep a backup copy of all the apps I portabilize.
    10. During the file transfer ESS eats up the 'XYZ.exe' file because it appears at a different location than the one indicated in 'Exclusions'.
    11. Or (a similar scenario) if I launch Notepad++ from a different location on the same system ESS eats up the 'XYZ.exe' file as soon as it gets created because (again) it appears at a different location than the one indicated in 'Exclusions'.
    12. If I could add a system-wide exclusion for the 'XYZ.exe' file the annoying things described in point 10 and 11 would NOT happen. Do you concur?

    I hope that the situation is now clearer to you.

    Sorry, did you just say that I did not check anything? Why did you assume that? What (or who) is plain stupid? Jumping to conclusions, besides not helping my problem at all, makes you (certainly a competent and kind person) appear unfriendly... Probably you should consider adopting a less impulsive attitude; you will benefit from it in the long run, trust me ;)

    Believe it or not I run some 250 (selected) applications on my system and a good 85% of them are portable. These are only the selected ones, but it is fair to say that I portabilize an average of 50 apps a week, do you have any idea how much time I would have to invest to report all the false positives I come across to ESET?!?!

    And also what purpose is that going to serve? Bearing in mind that 'XYZ.exe' is WITHOUT ANY DOUBT a trusted file and -LAST BUT NOT LEAST- that the same portabilized Notepad++ launched on your system will generate an 'XYZ.exe' file which is totally different in structure from mine. So why waste ESET lab time and my time?

    If anybody has constructive ideas please come forward: I would greatly appreciate any sensible suggestions.

    Thanks in advance ;)
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Do you need to run AV on a machine you develop on? Maybe zip the file before transfer (set Eset not to check archives). Or set Eset not to check temp folders (but then you don't need an AV).
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Believe it or not, I have tons of apps on my system, yet I have yet to hit such massive problems with false positives. You must be doing something very special, or - better said - something wrong.

    Pretty much as said above - uninstall the antivirus if you can't report false positives nor fix your programming practices so that they don't trigger false (?) AV alert on every other application you produce. Also, kinda avades me what purpose does "portabilizing" applications in a way that makes antivirus programs go mad serve - who's gonna use such stuff?

    o_O o_O o_O
     
  11. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Hello Marcos,

    Many thanks for your recommendation, but as you can read in my previous post [# 8] it seems kind of pointless (and greatly time consuming), plus I have no idea how long it will take for the ESET lab to analyze my files and issue a relevant definition which would whitelist them.

    Having the honor to correspond with an Eset Moderator I wonder if you can help me otherwise... And now I must apologize for repeating my plea once more... (here it goes)... Is there a way in ESS to actually exclude specific files SYSTEM-WIDE from real-time scanning? A sort of 'Ignore List' which I could use to instruct ESS which files to leave in peace regardless of their path on all local drives in my system ;)

    Tnx in advance for your kind support
     
  12. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    What I do Cudni is to disable ESS AV while I transfer the files to the Ext. HDD (I must admit that often I forget to do that and I have to go and fish files out of quarantine :D). The problem is when (in some rare cases) ESS eats up stubs which are 100% safe and also necessary for some applications to run properly.

    I definitely do need an AV, but one that is user friendly on the front of exclusions too... Are you guys all pretty familiar with ESS? How come nobody replies to my original question? Does ESS actually offer the option to exclude specific files SYSTEM-WIDE from real-time scanning, or not?

    Tnx
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Uh... can we get some common sense back here?

    1/ Portable apps are supposed to be, erm... portable? So that you can take them to pretty much any computer out there and as long as the OS is supported, they run there w/o any need for install.

    2/ Now, most computers out there will have some form of an antivirus installed.

    3/ So, you go, plug your USB stick into the box, try to run the app and it immediately gets eaten by some AV that's installed there.

    4/ The use for such portable apps is exactly what? o_O :rolleyes:

    See

    - either NOD32 is seriously broken and is the only thing in the world that happens to detect your special portable apps as malicious and in that case I'd again urge you to finally submit those 100% safe samples to ESET so that they can fix their broken antivirus

    - or you produce things that make most AVs out there go haywire; in that case I kinda don't see the use case for such stuff and you'd better start doing things in a normal way.

    What kind of mysterious stubs are you referring to here that are detected alone but not when they are part of a bigger EXE?
     
  14. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Sorry doktornotor, in my previous post I addressed you as a competent and kind person: I was obviously wrong as both attributes are definitely not suitable for you.

    I also see that -beside not following my friendly advice to behave nicely- you continue jumping to conclusions and by doing so you pollute my thread and waste everybody's time.

    So rather than continuing offending/belittling people that you don't even know why don't you go back to your tons of apps and do something useful there? If you read the previous posts you can see that you are not being constructive nor creative... Actually right now there are many other attributes that I can think of but 'helpful' is certainly NOT one of them! Time for you to move on to a different hobby maybe? Whatever "avades me" means :D

    Please do not be offended doktornotor if I will ignore (and do not reply to) your future posts.... An 'Ignore List' could come handy in this thread too, not only in ESS... lol
     
    Last edited: Apr 26, 2010
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Surely this discussion takes far longer than it would take ESET to analyze the files and make the necessary fix if the files are actually benign. Submitting files to ESET is the only way to evade detection regardless of the location of the files.

    As it's been already suggested, submit those files per the instructions above and use "False positive" followed by the url to this thread in the subject. Also explain the purpose of the files which will help for analysis.
     
  16. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    This looked like an honest question that seems to have turned into something of a put down. Sorry, but let me ask a very simple and basic question that does not require anyone to ask why or state you are doing it wrong...

    I have a folder containing files that I do not want ESET to scan
    The folder could be on any drive, removable or otherwise

    How do you do it please??

    cheers



    e.g. just in case this isn't clear enough; McAfee, for example, if you enter "Exchsrv" as an exclude will exclude all Exchsrv folders and their contents, working directories and log files anywhere on the server across all of the created partitions and drives without you having to go and find them all.
     
  17. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Hello Nodrog and welcome,

    Thanks for joining this 'wonderful' thread!

    Beside somebody who evidently likes to play the forum clown and devoted some time to hijack focus with his off-topic nonsense, the content of almost every post on this thread sounds like a broken record!

    Including my own posts actually... I had to repeat my original question over and over again since nobody bothered to answer it.

    Apparently this is how it works on some fora:

    A person who needs some technical support takes the time to make an account, then writes a first post describing the situation, and then the majority of the replies he/she gets contain things like: "But why would you want to do that?" or state the ABSOLUTE obvious that any ABSOLUTE beginner would already know... Or are simply a boring reiteration of the exact same text of the first 20 posts! Sometimes I ask myself the typical 'Why bother to start a thread?' question!

    Basically, instead of answering the original question, people like to ask you other (irrelevant) questions and love to jump to conclusions shifting the thread focus to a subject that interests nobody ... So any (serious) reader of the thread has to waste his/her time reading through all the BS and the polemics (generated by the thread polluters) before getting (eventually) to the actual point.

    The title of my thread is: 'SYSTEM-WIDE exclude specific files from real-time scanning'

    But most of the posts here are parroting the same recommendation (submit to ESET-submit to ESET-submit to ESET-submit to ESET and so on) or, since doknosferatu found talking about my portabilized applications much more amusing than giving a straight answer, maybe I should change the title of the thread and call it 'When you ASSUME (jump to conclusions) you make an ~Phrase removed~ '

    Back to your question Nodrog: McAfee, like some other Security Suites, offers the user the option to 'SYSTEM-WIDE' exclude a folder/file regardless of its path on all local drives... ESS apparently does NOT offer that opportunity... Unless somebody here would like to finally enlighten us.

    I also often UPX-compress .exe and .dll files and apparently this is another thing that triggers ESET false positives alerts... If nobody comes up with a concrete solution to 'SYSTEM-WIDE' exclude a specific file in ESS, I fear that I will dump ESET and choose a more user-friendly Security Suite!

    Anybody?
     
    Last edited by a moderator: Apr 27, 2010
  18. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Hello Nyrk and Naxr

    I hope you don't think I was trying to hijack your thread, I was actually trying to back you up because, quite frankly, you were getting the run around.

    My question was/is exactly the same as yours - which is how do you put exclusions in with wildcard routes... whether it's the same folder in any drive\path or the same file name anywhere on the disk, same goal... and I'm sorry people, but this is a reasonably obvious question (the Exchange example being a classic).

    As we both tried to say, it's got nothing to do with why... I just need to do it... simple.

    Maybe in version 5 eh?

    best of luck
     
    Last edited: Apr 27, 2010
  19. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Hello Nodrog,

    No, I absolutely did not think that: I was actually happy you did join the thread! I'm only sorry that both you and I are left empty-handed staring at each other.

    As you might have noticed my last (visible) post got censored and you should know that I posted again and my last (invisible) post got entirely deleted... So much for freedom of speech!

    Anyway, since on this forum I seem to get nothing but 'the run around' as you very well put it, I guess that I should move on to a more creative area where fellow members do actually provide constructive answers and the mods do moderate!

    Good luck to you too, pal
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The only possible solution has already been advised. I can only repeat it - if you suspect a file is flagged incorrectly as a threat and you want to make it undetected regardless of its location, the only way to accomplish this is to submit the file to ESET and, if it's really a FP, detection will be removed.
     
  21. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    So (finally) at post number 20 we got a winner!!!

    Marcos with his "...The only possible solution..." and "...the only way how to accomplish this..." covertly confirmed that:

    Unlike other Security Suites ESET does NOT offer the user the straightforward option to 'SYSTEM-WIDE' exclude a folder/file regardless of its path on all local drives!

    In other words, somebody buys software and then, if he/she decides to UPX-compress a (perfectly harmless) file or thinstall a legitimate application in order to freely use it on his/her computer, he/she must fulfill a protocol procedure to ask the developer to analyze it and consequently issue a specific definition to (hopefully) 'bypass' the detection of that file!!!

    :thumbd: :thumbd: :thumbd: Good-bye ESS :thumbd: :thumbd: :thumbd:

    See you again, whenever in a future version you might decide to learn the spelling of the word 'USER-FRIENDLY'.

    Over and out
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's so for security reasons; exclusions based on the file name are dangerous. Imagine one would exclude, let's say, svchost.exe regardless of its location. Since it's a usual name used by various threats, the user would remove all such files from detection and let the computer get infected easily.
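The point Marcos makes here, and the signature/checksum requirement doktornotor raised in posts 4 and 6, can be shown side by side. The following is an added illustration written for this thread, not ESET's code and not anything ESS actually does; it evaluates three candidate keys for an exclusion entry (full path, bare file name, SHA-256 of the content) against constructed files that mirror the thread's scenario: the same 'XYZ.exe' stub in its original folder and in an 'ExternalHDD' backup copy, plus two different files that both happen to be named svchost.exe. All folder names and file contents are made up for the demo.

```python
"""Compare exclusion keys: full path vs bare name vs content hash.

Illustration code for this thread (not ESET's code, no ESET API is used).
Folder layout, file names and byte contents are constructed to mirror the
thread's Notepad++/XYZ.exe and svchost.exe examples.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file's bytes; this is the 'checksum' a whitelist entry could match on."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ExclusionPolicy:
    """Three candidate keys for an exclusion list, evaluated side by side."""

    def __init__(self):
        self.full_paths = set()   # exact path: per-location, as the thread says ESS works
        self.names = set()        # bare file name, any location: what the poster asks for
        self.hashes = set()       # SHA-256 of the content, any location

    def matches(self, path: Path) -> dict:
        return {
            "path": str(path) in self.full_paths,
            "name": path.name.lower() in self.names,
            "hash": sha256_of(path) in self.hashes,
        }


def build_scenario(root: Path) -> dict:
    """Create constructed files under a scratch root (nothing real is touched)."""
    stub_bytes = b"MZ-constructed-thinapp-stub"            # the 'XYZ.exe' stub
    lookalike_bytes = b"MZ-constructed-unrelated-binary"    # merely shares a name
    system_bytes = b"MZ-constructed-system-binary"          # stands in for the real svchost.exe

    original = root / "Apps" / "Notepad++" / "Data" / "stubs" / "XYZ.exe"
    backup = root / "ExternalHDD" / "Notepad++" / "Data" / "stubs" / "XYZ.exe"
    lookalike = root / "Temp" / "svchost.exe"
    genuine = root / "Windows" / "System32" / "svchost.exe"

    for path, content in ((original, stub_bytes), (backup, stub_bytes),
                          (lookalike, lookalike_bytes), (genuine, system_bytes)):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return {"original": original, "backup": backup,
            "lookalike": lookalike, "genuine": genuine}


def evaluate(root: Path) -> dict:
    """Return, per constructed file, which of the three exclusion keys would match it."""
    files = build_scenario(root)
    policy = ExclusionPolicy()
    # Path rule: what the poster says they added in ESS Exclusions.
    policy.full_paths.add(str(files["original"]))
    # Name rule: the 'system-wide by name' list the poster asks for,
    # including Marcos's cautionary svchost.exe example.
    policy.names.update({"xyz.exe", "svchost.exe"})
    # Hash rule: the content check doktornotor says such a whitelist would need.
    policy.hashes.add(sha256_of(files["original"]))
    policy.hashes.add(sha256_of(files["genuine"]))
    return {label: policy.matches(path) for label, path in files.items()}


def run_demo() -> dict:
    """Run the comparison in a throwaway directory and return the result table."""
    with tempfile.TemporaryDirectory() as tmp:
        return evaluate(Path(tmp))


if __name__ == "__main__":
    for label, hit in run_demo().items():
        print(f"{label:9s} path={hit['path']!s:5} name={hit['name']!s:5} hash={hit['hash']!s:5}")
```

The table the demo prints makes both sides of the argument visible: the path key misses the identical stub once it is copied to the backup drive (the poster's complaint), the name key matches the unrelated file in Temp just because it is called svchost.exe (Marcos's objection), and only the content hash tracks the file itself wherever it lands while still refusing the look-alike.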
     
  23. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    And those other are?
     
  24. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Hello Marcos,

    Well, let me start by saying that the user who (is so utterly dumb and) 'system-wide' excludes 'svchost.exe' deserves to get his/her computer infected!

    Let's be realistic, adding specific files to 'Exclusions' is a function that only 'medium-advanced' users would 'play' with... I sincerely doubt that beginners would venture into that section of an AV application... Bearing that in mind, ESET could have (at the very least) offered the 'Exclude on all local drives' sub-option in the already 'option-rich' Advanced Setup, and you can rest assured that several power-users would have been VERY grateful for that.

    After all there are already plenty of other options which the 'clickaholic beginners' should better stay clear of, so for the same 'security reasons' ESET should remove also these options from the Advanced Setup?

    Another consideration: ESS offers the (very nice) option to toggle between 'Standard Mode' and 'Advanced Mode', right?

    In 'Standard Mode' (unless my memory fails) a user cannot even access 'Exclusions' so I would ASSume (LOL -I might get censored again here- LOL) that in the 'Advanced Mode' ESET addresses advanced/power-users... Well, these users would surely want to have the 'Exclude on all local drives' sub-option! And these users would definitely know the pros & cons of carelessly using that sub-option!

    If I want to system-wide exclude a file by its name I will make damn sure that the name is not svchost.exe!!!

    Unfortunately after the very sad events that we all know about the 'it's so for security reasons' expression seems to have acquired an overly magnified power and most people, when confronted with that phrase, seem to forget that they have a brain and that they can still think with it.

    Not always 'it's SO for security reasons' means that 'SO' is the safest and the only option!

    For 'security reasons' I had a pair of tweezers confiscated at a known airline check-in counter, and when (at cruising altitude) the meal was served, the stainless steel cutlery on the Business Class meal trays included knives and forks!!! What is that BS? Maybe the airline thought that a pair of tweezers would be more dangerous than a steel fork or a knife? Or maybe they thought that terrorists could not afford the Business Class fare?!?!

    Sorry but the 'it's so for security reasons' just isn't good enough! If I buy software I want to make sure that I have as much control as possible over it without having to engage in a roundabout (and probably lengthy) protocol and correspondence with the developer!

    Marcos, thanks anyway for your patience, your additional clarifications, for having created the opportunity for me to write this long post and for the time you invested reading it... I sincerely hope that you will be able to convey my message to your ESET pals because I am confident that ESS is one of the best Security Suites available and I would gladly reconsider using it if the spectrum of options included more flexibility in the 'Exclusions' section.

    Have a good day :)
     
  25. Nyrk and Naxr

    Nyrk and Naxr Registered Member

    Joined:
    Apr 26, 2010
    Posts:
    18
    Well, if you read the last section of post #16 you can already see one (courtesy of Nodrog) and for the rest... Google is your friend ;)

    If you -like me- enjoy the many other great features of ESS, join me and forward your request to ESET to add more flexibility to the Advanced Mode/Setup... You never know, they might listen!

    Sorry gotta go now... I have to deal with some more false positives ;)
     