Exclusions of files and processes from Realtime Protection
Hi
With our current antivirus solution we have the ability to exclude folders and processes from Real Time protection, as some application vendors may require this for their application to work correctly.
From what I can see under the Advanced tab within a policy, you have the ability to exclude folders and extensions from malware scans. Are these exclusions referring to both Realtime Scans and scheduled scans, or scheduled scans only?
If the answer is yes to both, is it possible to exclude processes as well?
Cheers
All Replies
Hello!
Thanks for the question!
On the Advanced tab, you can exclude Files and paths as well as extensions. Processes can only be excluded on the client directly (we don't provide the option to exclude processes in a policy)
This applies to both real-time and scheduled scans
Hope this helps
Thanks
Chris
Forefront Client Security PM
Chris Sfanos - MSFT wrote: Hello!
Thanks for the question!
On the Advanced tab, you can exclude Files and paths as well as extensions. Processes can only be excluded on the client directly (we don't provide the option to exclude processes in a policy)
This applies to both real-time and scheduled scans
Hope this helps
Thanks
Chris
Forefront Client Security PM
Chris,
This does not help. Currently about 3/4 of my users can no longer use Outlook 2003 because of Forefront (msMpEng.exe to be exact, using 100% CPU time) when they click on a message. It takes 12-30+ seconds for it to check a simple small text message. You are telling me I need to configure up to 10,000 clients to individually ignore Outlook, and you don't even say how to do that here -- I see in the client where to see what is running, but not how to turn off the aggressive and obviously conflicting malware search.
Please provide more data -- specifically as to this conflict with Outlook.
Hi Daniel
I saw your other post and added a reply
As for how to handle exclusions, you definitely don't need to do this on each client. From the FCS console, open up the policy that you have deployed to all the clients (or multiple policies if you've got more than one). On the Advanced tab, you will see an option to exclude both extensions and file/paths. You can try the following and see if it temporarily addresses the problem: create a file/path exclusion for Outlook.exe and see if it helps with the problem. You would need to specify the full path for the exclusion, so it's probably %programfiles%\microsoft office\office 11\outlook.exe
Thanks
Chris
Forefront Client Security PM
Trying this -- Will let you know
Still can not use the Alert Me Function of this website (Gives file not found error)
Chris,
I placed the exception, redeployed, had everyone reboot and manually run a full scan -- no dice. msMPEng.exe still goes to 100% when flipping through email, and I verified the path placed in the exception is correct.
Dan
The same happened on my equipment, but the reason in my case was a PST file where my virus email alerts are sent by an Outlook rule.
Now, my question is: how much risk do I have if I exclude the PST files?
Regards
Hi Daniel
Hmm - I would have expected better results with the exception in place. Please send a mail to FCSPing@microsoft.com. I will get back in contact with you and give you a location to send the results of the following info gathering:
On a client machine that is experiencing the high CPU, please do the following from a command prompt:
- Browse to %programfiles%\microsoft forefront\client security\client\antimalware
- Execute: mpcmdrun.exe -GetFiles
This will generate a .cab file with detailed information for our support team. Once I get your mail, I'll let you know where to mail it.
Thanks
Chris
Forefront Client Security PM
Hi Chris,
Regarding the high CPU on a client running FCS, we encounter another problem. In the last few days several of our client workstations have suddenly been jumping into a BSOD.
After reading your article it started to make sense why this was happening. During a test we noticed that clients with Outlook and a PST file were the only ones encountering this problem. For test purposes we removed the PST file from the client workstation and the BSOD behaviour stopped.
I'm curious about the result of the above investigation regarding the PST file problems. I hope to get more information on this issue and how I can solve this problem.
For now we have a workaround, which is not using a PST file on a local system or in a folder-redirection configured environment.
Thanks in advance.
Franklyn
Hello Franklyn, thank you for your post.
Our Microsoft support team is aware of a blue-screen that may occur when Forefront Client Security is used in conjunction with PSTs on a remote network share. It appears to be a timing issue, but we have not pursued the matter to root cause since according to the following KB article this is not a supported configuration:
http://support.microsoft.com/kb/297019
http://blogs.technet.com/askperf/archive/2007/01/21/network-stored-pst-files-don-t-do-it.aspx
If you encounter the issue with a local PST file, or other supported config, our support team would appreciate you raising it to our attention via a support case so we can diagnose the problem.
Best Regards,
Craig Wiand
Microsoft Forefront Escalation Engineer
Forefront Client Security Support
Hi Mr Wiand,
We have the problem with the BSODs as well. We also have pst files on network shares and as this affects about 5000 users it is kind of a showstopper for us. We would have to remove some ~10000 pst files from network shares and this is not an easy-to-do scenario. Most of my customers do use pst files on network shares knowing that this is not supported by Microsoft. However, it has been one of the few options you had for a long time, dealing with a huge size of mail while being able to avoid data loss. I really don't understand why FCS has those pst problems and other AV software producers ship working products (especially as the problem seems to have started with the last product update) and has not always been present. I'm a real fan of FCS and enjoy its performance and great usability compared to other AV products.
What we did:
We analyzed the memory dumps and found this: http://social.technet.microsoft.com/Forums/en/Forefrontclientgeneral/thread/a7258095-dc0f-478e-b2a6-24fd1b712036
We have opened a call.
We have excluded pst (and ost - just to make sure) files to workaround the BSODs.
Two weeks delay in the project.
Call still open.
What we would like to have:
Please take this seriously. I know so many customers in Germany alone using this scenario and if you would like to have a real chance to push FCS on the market in the future, you have to ship a working product. If we would have had the BSOD problems while evaluating FCS and Norton AV, it would have been impossible for me to convince the critics and start the project.
Best Regards,
Fabian Slupek

