Ignoring Processes: A Must-Read for Symantec and Norton Antivirus Users
A feature in the SVS final release is the ability to configure SVS so certain applications running from the base cannot see virtualized applications. Jared Payne tells us how and when this is cool.
The final release of Software Virtualization Solution (SVS) includes a feature called Program Ignore. Program Ignore makes it possible for applications that are installed in the base to run and not see virtualized data. This feature is quite simple to use.
- Open regedit and go to HKLM\System\Altiris\FSL
- Create/Edit a new Multi-String Value named "ProgramIgnoreList"
- Enter the complete path for the executable that you want to ignore in "ProgramIgnoreList"
- Restart the computer (the ignore list is only read at system start up)
Antivirus software is one of the main reasons this feature was added. We recommend adding your antivirus scanner to ProgramIgnoreList. You only need to add the scanner executable to this list. It is important to note that SVS does not affect the run-time functionality of antivirus products. Files are scanned as they are opened and SVS does not interfere with this.
There are some other times when you might want an application to be ignored. One example could be an inventory program. If an inventory program sees a file twice (virtualized and unvirtualized), it may get counted twice. Whatever your reason for ignoring a program, this new SVS feature allows you to do it.
By the way, there are no security implications for ignoring an executable. The executable will not have any more access than it would if it could see virtual data.
About Endpoint Virtualization Community Blog
The Endpoint Virtualization Community Blog is the perfect place to share short, timely insights including product tips, news and other information relevant to the Endpoint Virtualization community. Any authenticated Connect member can contribute to this blog.
Comments
ProgramIgnoreList default entries
I didn't see anything about this in the documentation, but I do get the impression that the registry key(HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL\ProgramignoreList) gets autopopulated. Can you shed some light on this?
You are correct
Yes, this gets autopopulated with some antivirus products that we know have a problem if they don't get ignored. What this means is that the AV products find the files in their physical location rather than the virtual location. (I.e., the files still get scanned correctly.)
---
Jeremy Hurren
Sr. Principal Software Engineer
Symantec Corp.
Does not work with cygwin
Too bad this does not work with cygwin at all. First of all it seems to be impossible to add every single cygwin binary to the ProgramIgnoreList, would be great if a directory can be masked.
On the other side it would be great if this would work at all, my tests did not show any differences to cygwin.
Until when will this be fixed?
Great Use For This
I see a great use for this when building a New Layer that is dependent on another Layered piece of software. For example, some of our custom-built in-house applications are dependent on IBM DB2 registered databases and we have built a layer for DB2. This would be helpful for that.
variables in path
Hiho,
can i use the svs environment variables like [_B_]PROGRAMFILES[_E_] ??
McAfee Programs to Ignore
Many thanks to Scott Jones for getting the low down on the McAfee program names to ignore.
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\HtmlDlg.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
Ignore Processes for McAfee VirusScan Enterprise
When using McAfee VirusScan Enterprise, I'd recommend to further add the scan32.exe usually found in C:\Program Files\McAfee\VirusScan Enterprise to the Process Ignore List. The scan32.exe represents the On-demand scan.
Small Technical Question...
What's the limit of programs one can add to this list?
______________________________________________
Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.
______________________________________________
Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.
Are you talking about
Are you talking about numerical limits? You're limited to the size of the multi-string (in characters).
SVS it self doesn't have a limit that I'm aware of.
If a forum post solves your problem please flag is as the solution
But why?
Im missing a reason why i would have to ignore Symantic Antivirus ?
Which processes to exclude when using NIS 2009?
I'm using Norton Internet Security 2009. Which processes should be excluded (or how to find out)?
Am I fine when exluding the following?
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\navwnt.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\navw32.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
Is it possible to replace the version folder (16.2.0.7) through a variable?
Thanks
More McAfee Process Ignore Entries
[_B_]PROGRAMFILES[_E_]\McAfee\VirusScan Enterprise\scan32.exe
[_B_]PROGRAMFILES[_E_]\Network Associates\VirusScan\scan32.exe
[_B_]PROGRAMFILES[_E_]\Network Associates\VirusScan\mcshield.exe
[_B_]PROGRAMFILES[_E_]\McAfee\VirusScan Enterprise\mcshield.exe
Trend Micro Entries
[_B_]PROGRAMFILES[_E_]\Trend Micro\OfficeScan Client\NTRtScan.exe
[_B_]PROGRAMFILES[_E_]\Trend Micro\OfficeScan Client\tmlisten.exe
[_B_]PROGRAMFILES[_E_]\Trend Micro\OfficeScan Client\PccNT.exe
Why entries for mcshield.exe ?
Hi,
The documentation says that "SWV Agent does not affect the run-time protection feature of antivirus software" ... so the question is:
Why are you adding 'mcshield.exe' to this list?
Is not enough to have 'scan32.exe' in the list? (is the process that you launch manually for an on-demand scan)
Thanks.
Entries for SEP 12.1?
I have noticed that by default there is no Entries for 12.1. Only for 11.x (rtvscan.exe)
Is any Entries needed for SEP 12.1?
Regards
Christian Lund
I'm looking into this issue.
I'm looking into this issue.
If a forum post solves your problem please flag is as the solution
Would you like to reply?
Login or Register to post your comment.