https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/218322#M8825 <P>OKay, thanks a lot. I just will go on and update the client. Lets see what happens</P><P>&nbsp;</P><P>thank you very much so far</P> Fri, 21 Jun 2024 06:56:56 GMT SWBW_Florian 2024-06-21T06:56:56Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217003#M8807 <P>Hi there,</P><P>today we observed issues with the Exclusions of the forensic recorder.</P><P>Were using a Backupsystem built by commvault. Harmony is very intense in working on those processes so they will fail and files got deleted during backups and general activity of the commvault software.</P><P>So i created Exclusions for our Backup-Server.</P><P>I excluded, at the end, the whole Software folder C:\Program Files\Commvault\ at:</P><P>&nbsp;</P><P>Forensics: Quarantine Exlusions</P><P>Forensics: Anti Ransomware</P><P>I also added at Forensics: Monitoring</P><P>C:\Program Files\Commvault\*.exe</P><P>But i can still see with the ressource monitor of windows that the service EFR is working in those folders</P><P>Is the rule not accepted/working? Or ignored? Or buggy?</P><P>&nbsp;</P><P>Because of the EFR Processes some of the jobs are falling into timeouts. This is a problem.</P><P>&nbsp;</P><P>Can you give me a hint on how to configure the EFR in a right manner?</P><P>Thanks in advance</P><P>kind regards</P><P>&nbsp;</P><P>Florian</P><P>&nbsp;</P> Mon, 10 Jun 2024 12:38:37 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217003#M8807 SWBW_Florian 2024-06-10T12:38:37Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217008#M8808 <P>This might be worth TAC case.</P> Mon, 10 Jun 2024 13:26:12 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217008#M8808 the_rock 2024-06-10T13:26:12Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217037#M8809 <P>Where precisely did you try to define the exclusion?<BR />I'd read this SK, which might shed some light on why this isn't working the way you expect:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk128472" target="_blank">https://support.checkpoint.com/results/sk/sk128472</A>&nbsp;</P> Mon, 10 Jun 2024 18:05:15 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217037#M8809 PhoneBoy 2024-06-10T18:05:15Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217038#M8810 <P>Hey,</P> <P>&nbsp;</P> <P>Which client version are you using?</P> Mon, 10 Jun 2024 18:11:08 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217038#M8810 AdiGH 2024-06-10T18:11:08Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217048#M8812 <P>First the disclaimer ......... In general it best to have a full investigation of the issue; rather than just referring to a specific fix that would require an upgrade and may not address the issue. Also, not clear what version of client is being used.</P> <P>However, since there was a recent fix released that seems very similar to this issue I will call it out and maybe relevant information for other people as well. It can be applicable to clients running E88.00 and later releases and there is a fix included in E88.31</P> <P>See <A href="https://support.checkpoint.com/results/sk/sk182277" target="_blank">sk182277</A> for more information on this release. Specifically includes the following fix that may be related to this issue:</P> <TABLE id="resolved2Table" class="footnote" border="1" width="100%" cellspacing="2" cellpadding="4"> <TBODY> <TR> <TD>AHTP-30676</TD> <TD>Some processes specified through the Monitoring and Exclusions action in the Policy are not fully excluded by the Forensics component from analysis as intended.&nbsp;</TD> </TR> </TBODY> </TABLE> Mon, 10 Jun 2024 19:38:09 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217048#M8812 JonnyRabinowitz 2024-06-10T19:38:09Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217116#M8814 <P>were using client version 87.60 so maybe that fix wont suit here?</P> Tue, 11 Jun 2024 12:43:28 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217116#M8814 SWBW_Florian 2024-06-11T12:43:28Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217138#M8815 <P>As far as I know is not applicable to the E87.6x version. Note that the next release after E87.6x was in fact E88.00</P> <P>At least have the information for future reference since seems to be a relevant use case for you</P> Tue, 11 Jun 2024 15:35:29 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/217138#M8815 JonnyRabinowitz 2024-06-11T15:35:29Z https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/218322#M8825 <P>OKay, thanks a lot. I just will go on and update the client. Lets see what happens</P><P>&nbsp;</P><P>thank you very much so far</P> Fri, 21 Jun 2024 06:56:56 GMT https://community.checkpoint.com/t5/Endpoint/EFR-forensic-recorder-is-working-on-excluded-Paths/m-p/218322#M8825 SWBW_Florian 2024-06-21T06:56:56Z