Scan Engine 5.2 - specific file exclusions (not file extensions or type)
Created: 13 Mar 2012 | 13 comments
Hello all,
Is there a way to exclude a specific file name from being scanned in Scan Engine 5.2.5.43 (RPC to NetApp NAS - Bloodhound set to Medium)?
Our situation is that Scan Engine is sending traps out about a possible virus when there isn't one. The file is an executable (filename.exe for example) and is clean. Our workstations are running SEP 12.1 RU1 and we had to create an exception for this.
I found under "Policies > Files to Scan" where I may exclude extensions or file types, but it doesn't make sense to exclude all EXE's.
Is this possible? Any help would be appreciated.
Thanks.
What is the error you see in the Scan Engine log when it scans this .exe?
THANKS for the quick reply!
productTrapData = CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\xxx\RADMIN22.EXE in share NAME accessed by client x.x.x.x (CLIENT) running as user user.name may be infected. The filer received status message Infection found, repair failed and error code [0x5] from vscan (anti-virus) server x.x.x.x
That is from the NetApp logs. You need to log into the Scan Engine and run a Detailed Report for the time period and post the error listed for the file.
Sorry about that.
Mon Mar 12 14:06:36 MDT 2012, A security risk has been found
Event Severity Level : Warning
Scan Rule : Repair Security Risks
File name : \\?\UNC\X.X.X.X\ONTAP_ADMIN$\vol\XXX\RADMIN22.EXE
File status : NOT REPAIRED
Component name : RADMIN22.EXE
Security Risk Name : Remacc.Radmin
Security Risk ID : 4294906186
Security Risk Definitions : 20120312.003
Client SID : S-1-5-21-1088106710-2582851208-3103400131-1510
Client Computer : NAME
Client IP : X.X.X.X
Scan Duration (sec) : 0.047
Connect Duration (sec) : 0.047
Scan Engine IP address : X.X.X.X
Scan Engine Port number : 0
Uptime (in seconds) : 440606
You may be able to stop this detection by adjusting the policy of the Scan Engine. In Policies -> Scanning -> Security Risk Scanning. I suspect it will fall under spyware or Other risks.
Security Risk Scanning threats are not classified as viruses, so any actual viruses would still be caught.
I don't have a "Security Risk Scanning" option. We are using the RPC protocol, according to the documentation it should be available....
Attached is a screen shot for your reference.
You need to expand the view pane. You can click the arrow or drag it like you are resizing.
Sorry about the delay...
When I expand the screen, it just expands (screen shot attached).
I think what I'm getting from all of this is that ScanEngine is not able to exclude a specific file name. This is something I will have to work out with our storage group and just deal with the warnings.
Thank you for your time!
-David
You will need to upgrade to Scan Engine 5.2.11 to get this option.
Thanks for the responses...
We are currently at 5.2.5.43.
I think the options at this point are to deal with the warnings or work with our storage team about not delivering specific file names.
I'm pretty sure we will just deal with the warnings.
Thanks for all your input!
-David
I am bringing down 5.2.11 now and will modify to see if I'm able to eliminate the messages.
Thanks again!
Unfortunately there is not a way to exclude specific files from being scanned with the Scan Engine. The Scan Engine is actually a very simple product that just waits for a scan request and scans the files requested or passed to it for scanning and returns a result to the client. Due to this, exclusions are typically best handled by the client.
Thanks for the quick reply as well!
That is kinda' what I was thinking as I didn't see an option to identify files. I just wanted to make sure that there wasn't a config file that I missed to program it in.
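Because the thread concludes that the engine cannot skip a named file, the accepted detection has to be filtered where the warnings are consumed. The following is an added example, not code from any poster or from the product: it parses the detailed-report entry quoted above and suppresses a warning only when both the risk name and the full path match an accepted pair. The `ACCEPTED` list, the `triage` function and the two variant entries are assumptions constructed for illustration.

```python
import re

# Field labels as they appear in the detailed-report entry quoted in this thread.
FIELDS = [
    "Event Severity Level", "Scan Rule", "File name", "File status",
    "Component name", "Security Risk Name", "Security Risk ID",
    "Security Risk Definitions", "Client SID", "Client Computer", "Client IP",
    "Scan Duration (sec)", "Connect Duration (sec)", "Scan Engine IP address",
    "Scan Engine Port number", "Uptime (in seconds)",
]
_LABEL = re.compile(r"\s*(" + "|".join(map(re.escape, FIELDS)) + r")\s+:\s+")

def parse_entry(text):
    """Split one entry (flattened or one field per line) into a dict."""
    parts = _LABEL.split(text.strip())
    entry = {"header": parts[0].strip()}
    entry.update((k, v.strip()) for k, v in zip(parts[1::2], parts[2::2]))
    return entry

def triage(entry, accepted):
    """Return 'suppress' only for an accepted (risk name, full path) pair."""
    key = (entry.get("Security Risk Name", "").lower(),
           entry.get("File name", "").lower())
    return "suppress" if key in accepted else "alert"

# Hypothetical accepted-risk list: the one tool at the one path from the thread.
# Matching the full path means a copy of the same tool elsewhere still alerts.
ACCEPTED = {
    ("remacc.radmin", r"\\?\unc\x.x.x.x\ontap_admin$\vol\xxx\radmin22.exe"),
}

# Entry from the thread (masked values kept as posted, trailing fields omitted).
PAGE_ENTRY = (
    r"Mon Mar 12 14:06:36 MDT 2012, A security risk has been found "
    r"Event Severity Level : Warning Scan Rule : Repair Security Risks "
    r"File name : \\?\UNC\X.X.X.X\ONTAP_ADMIN$\vol\XXX\RADMIN22.EXE "
    r"File status : NOT REPAIRED Component name : RADMIN22.EXE "
    r"Security Risk Name : Remacc.Radmin Security Risk ID : 4294906186"
)
# Constructed variants: same tool in another volume, other risk at same path.
OTHER_PATH = PAGE_ENTRY.replace(r"\vol\XXX", r"\vol\YYY")
OTHER_RISK = PAGE_ENTRY.replace("Remacc.Radmin", "Example.Risk")

if __name__ == "__main__":
    for raw in (PAGE_ENTRY, OTHER_PATH, OTHER_RISK):
        e = parse_entry(raw)
        print(triage(e, ACCEPTED), e["Security Risk Name"], e["File name"])
```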