
Scan Engine 5.2 - specific file exclusions (not file extensions or type)

Created: 13 Mar 2012 | 13 comments

Hello all,

Is there a way to exclude a specific file name from being scanned in Scan Engine 5.2.5.43 (RPC to NetApp NAS - Bloodhound set to Medium)?

Our situation is that Scan Engine is sending traps out about a possible virus when there isn't one.  The file is an executable (filename.exe for example) and is clean.  Our workstations are running SEP 12.1 RU1 and we had to create an exception for this.

I found under "Policies > Files to Scan" where I may exclude extensions or file types, but it doesn't make sense to exclude all EXE's.

Is this possible?  Any help would be appreciated.

Thanks.


TSE-JDavis:

What is the error you see in the Scan Engine log when it scans this .exe?

David Heinz:

THANKS for the quick reply!

productTrapData = CIFS: Possible Virus Detected - File ONTAP_ADMIN$\vol\xxx\RADMIN22.EXE in share NAME accessed by client x.x.x.x (CLIENT) running as user user.name may be infected. The filer received status message Infection found, repair failed and error code [0x5] from vscan (anti-virus) server x.x.x.x

TSE-JDavis:

That is from the NetApp logs. You need to log into the Scan Engine and run a Detailed Report for the time period and post the error listed for the file.

David Heinz:

Sorry about that.

Mon Mar 12 14:06:36 MDT 2012, A security risk has been found Event Severity Level : Warning Scan Rule : Repair Security Risks File name : \\?\UNC\X.X.X.X\ONTAP_ADMIN$\vol\XXX\RADMIN22.EXE File status : NOT REPAIRED Component name : RADMIN22.EXE Security Risk Name : Remacc.Radmin Security Risk ID : 4294906186 Security Risk Definitions : 20120312.003 Client SID : S-1-5-21-1088106710-2582851208-3103400131-1510 Client Computer : NAME Client IP : X.X.X.X Scan Duration (sec) : 0.047 Connect Duration (sec) : 0.047 Scan Engine IP address : X.X.X.X Scan Engine Port number : 0 Uptime (in seconds) : 440606  
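The Detailed Report record above, parsed into fields and triaged on the monitoring side, as an added example that is not part of this thread or of the Scan Engine product; the allowlist of deliberately deployed tools, the triage rule, and the X.X.X.X placeholders in the constructed sample are assumptions for illustration:

```python
import re

# Constructed sample in the Detailed Report layout quoted in the thread (placeholders copied as-is).
SAMPLE_EVENT = (
    "Mon Mar 12 14:06:36 MDT 2012, A security risk has been found "
    "Event Severity Level : Warning Scan Rule : Repair Security Risks "
    "File name : \\\\?\\UNC\\X.X.X.X\\ONTAP_ADMIN$\\vol\\XXX\\RADMIN22.EXE "
    "File status : NOT REPAIRED Component name : RADMIN22.EXE "
    "Security Risk Name : Remacc.Radmin Security Risk ID : 4294906186 "
    "Security Risk Definitions : 20120312.003 "
    "Client SID : S-1-5-21-1088106710-2582851208-3103400131-1510 "
    "Client Computer : NAME Client IP : X.X.X.X "
    "Scan Duration (sec) : 0.047 Connect Duration (sec) : 0.047 "
    "Scan Engine IP address : X.X.X.X Scan Engine Port number : 0 "
    "Uptime (in seconds) : 440606"
)

# The record has no delimiter other than the field labels themselves, so the
# parser splits on the known labels (each followed by " : ") rather than on spaces.
FIELD_LABELS = [
    "Event Severity Level", "Scan Rule", "File name", "File status",
    "Component name", "Security Risk Name", "Security Risk ID",
    "Security Risk Definitions", "Client SID", "Client Computer", "Client IP",
    "Scan Duration (sec)", "Connect Duration (sec)", "Scan Engine IP address",
    "Scan Engine Port number", "Uptime (in seconds)",
]
_SPLIT_RE = re.compile(r"\s*(" + "|".join(map(re.escape, FIELD_LABELS)) + r") : ")

def parse_event(line: str) -> dict:
    """Return the record as a dict; timestamp and message come from the prefix."""
    prefix, *rest = _SPLIT_RE.split(line.strip())
    timestamp, _, message = prefix.partition(", ")
    fields = {"timestamp": timestamp, "message": message.strip()}
    fields.update(zip(rest[0::2], (v.strip() for v in rest[1::2])))
    return fields

# Assumed allowlist of deliberately deployed admin tools: (basename, risk name).
# Remacc.* is a remote-access tool classification, not a virus, so a copy the
# storage group placed there is an expected detection worth suppressing.
KNOWN_GOOD = {("RADMIN22.EXE", "Remacc.Radmin")}

def triage(fields: dict, allowlist=KNOWN_GOOD) -> str:
    """Filter on the monitoring side, since Scan Engine cannot exclude by file name."""
    basename = fields.get("File name", "").rsplit("\\", 1)[-1].upper()
    if (basename, fields.get("Security Risk Name")) in allowlist:
        return "suppress"   # expected tool, no alert
    if fields.get("File status") == "NOT REPAIRED":
        return "escalate"   # unexpected detection the engine could not clean
    return "review"
```

Only the exact (file name, risk name) pair is suppressed, so the same risk name on any other file still escalates.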

BenDC:

You may be able to stop this detection by adjusting the policy of the Scan Engine. In Policies -> Scanning -> Security Risk Scanning. I suspect it will fall under spyware or Other risks.

Security Risk Scanning threats are not classified as viruses, so any actual viruses would still be caught.

David Heinz:

I don't have a "Security Risk Scanning" option. We are using the RPC protocol; according to the documentation it should be available...

Attached is a screen shot for your reference.

[Attachment: Policies-Scanning Screen shot.jpg]

BenDC:

You need to expand the view pane. You can click the arrow or drag it like you are resizing.

[Attachment: expand.PNG]

David Heinz:

Sorry about the delay...

When I expand the screen, it just expands (screen shot attached).

I think what I'm getting from all of this is that Scan Engine is not able to exclude a specific file name. This is something I will have to work out with our storage group and just deal with the warnings.

Thank you for your time!

-David

[Attachment: Policies-Scanning Expanded Screen shot.jpg]

TSE-JDavis:

You will need to upgrade to Scan Engine 5.2.11 to get this option.

David Heinz:

Thanks for the responses...

We are currently at 5.2.5.43.

I think the options at this point are to deal with the warnings or work with our storage team about not delivering specific file names.

I'm pretty sure we will just deal with the warnings.

Thanks for all your input!

-David

David Heinz:

I am bringing down 5.2.11 now and will modify to see if I'm able to eliminate the messages.

Thanks again!

BenDC:

Unfortunately there is not a way to exclude specific files from being scanned with the Scan Engine. The Scan Engine is actually a very simple product that just waits for a scan request, scans the files requested or passed to it for scanning, and returns a result to the client. Due to this, exclusions are typically best handled by the client.

David Heinz:

Thanks for the quick reply as well!

That is kinda' what I was thinking, as I didn't see an option to identify files. I just wanted to make sure that there wasn't a config file that I missed to program it in.