StevePearson
Participant

Anti-Malware Exclusions don't appear to work

I'm investigating issues with Anti-Malware exclusions not working. Endpoint is deployed from the Infinity portal, I've seen the issue on multiple tenants and multiple client builds including E86.50 .60 .70 and .80, and I've seen it with both the DHS compliant and non compliant versions.

It's a simple requirement, I have a folder that I want to exclude from Anti-Malware scanning, and my definition of "exclude" is don't touch it at all, so consider the following example:

C:\MyFiles contains 2 folders called Folder1 and Folder2. I copy 10 files into each folder, then right click on C:\MyFiles in explorer and select Scan with Checkpoint Anti-Malware. The Client window appears to show the scan, and reports 20 files scanned, as you'd expect.

Now I go to the portal and add an exclusion. I've tried this as a global exclusion and as an exclusion of a specific policy; the result is the same. I expand the Anti-Malware -> File & Folder Exclusions section, add a new exclusion for the path C:\MyFiles\Folder2, save the changes and deploy the policy. I check the client policy version, update the client and check the policy version again to ensure it's updated. Then I right click on C:\MyFiles in explorer and select Scan with Checkpoint Anti-Malware again. I would now expect the scan window to report 10 files scanned as the other 10 are in the excluded folder, but no, it still reports 20 files scanned.

I've double checked my exclusion syntax against SK122706, and it is correct.

I don't believe I'm doing anything wrong, so is its definition of exclude different to mine in some way, and if so how do I change this to completely exclude and not touch the folders/files that I need to?

This is a small example that's easy to reproduce and test; the real issue is much much bigger! It involves OneDrive and Dropbox folders that have thousands of files that absolutely don't need to be touched at all. (They are protected by Harmony Email and Collaboration!)

I can't be the only person that's encountered this, so I'm hoping someone can point me in the right direction please!

0 Kudos
12 Replies
Chris_Atkinson
Employee

How the scan is being triggered is the primary factor here: these "folder" exclusions are being ignored when the scan is triggered in the manner described but are enforced otherwise, e.g. scheduled/periodic & on-access scans etc.

Currently this is how it works but I can see how for diagnostic reasons it might be helpful. Suggest discussing it further with your local SE as a possible enhancement if this is important for you.

CCSM R77/R80/ELITE
0 Kudos
StevePearson
Participant

In my tests it's triggered manually, but in the live environment it's a scheduled scan.

0 Kudos
Chris_Atkinson
Employee

If you believe that it's not working for scheduled scans please consult TAC for how to debug it further.

CCSM R77/R80/ELITE
0 Kudos
StevePearson
Participant

Would you class a scan pushed from the portal in the same way as the test scan I've been doing?

So basically ANY scan that is manually initiated will ignore exclusions but any other scan should follow them?

0 Kudos
Chris_Atkinson
Employee

TAC should be able to confirm, but from the SK for folder exclusions we have.

Settings affect:

On Windows client:

File On access monitor

Behavioral monitor (detects unusual activity)

Web monitor (Web protection)

Scheduled scan

System scan (scan system now)

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Can you send a screenshot of the exclusion you did? I have access to 2 customers' portals who do this often and I can definitely verify the logic there and tell you if it's right. I'm way more fw than endpoint guy, but I know my way around it : - )

0 Kudos
StevePearson
Participant

I've attached a couple of examples.

0 Kudos
the_rock
Legend

I believe your syntax is wrong. Have a look at examples they have in the portal:

Screenshot_1.png

Andy 

0 Kudos
Chris_Atkinson
Employee

Per sk122706:

folder_exclude.png

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Correct Chris, but I don't believe the syntax from the screenshot is an option in the sk or from the portal I attached.

0 Kudos
StevePearson
Participant

So you're saying that if I use an environment variable then I should drop the drive letter?

This doesn't explain the second example on my screenshot, and also what if the path exists on multiple drives but you only want to exclude on C drive? (a backup copy of the user profile on the E drive for example)

0 Kudos
the_rock
Legend

That's exactly what I'm saying, but I could be mistaken. Though, my logic is purely based on the screenshot from the portal I sent you and also the examples given in the sk. But, I do get your point about the C drive if that's the ONLY drive you wish to exclude. Sorry mate, you may want to confirm this with TAC.

0 Kudos
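The last two posts turn on a path question rather than a scanner question: does an exclusion written with an environment variable, or without a drive letter, designate the one folder you meant, or does the same rooted path exist on another drive too (the backup copy of the profile on E: that Steve mentions)? The following Python script is an added example, not code from this thread or from Check Point, and it makes no claim about how Check Point's Anti-Malware matches exclusions. It only expands a Windows-style exclusion string and reports which existing directories that string could designate, so an administrator can see before deploying the policy whether the path is unique or ambiguous. The environment mapping, drive list and directory inventory are constructed sample data.

```python
import ntpath
import re

# Matches %NAME% style Windows environment variable references.
_VAR_RE = re.compile(r"%([^%]+)%")


def expand_vars(pattern, env):
    """Expand %VAR% references from the supplied mapping.

    Windows variable names are case-insensitive, so lookups are normalised to
    upper case. An undefined variable is an error rather than an empty string:
    silently dropping it would turn '%USERPROFILE%\\OneDrive' into '\\OneDrive'.
    """
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(match):
        name = match.group(1)
        if name.upper() not in upper_env:
            raise KeyError(f"exclusion references undefined variable %{name}%")
        return upper_env[name.upper()]

    return _VAR_RE.sub(repl, pattern)


def resolve_candidates(pattern, env, drives):
    """Return every absolute path the exclusion string could designate.

    A string carrying a drive letter (directly, or via the expanded variable)
    designates exactly one location. A rooted path with no drive letter is
    replicated across every drive on the machine, which is the ambiguity to flag.
    """
    expanded = ntpath.normpath(expand_vars(pattern, env))
    drive, rest = ntpath.splitdrive(expanded)
    if drive:
        return [expanded]
    if not rest.startswith("\\"):
        raise ValueError(f"relative exclusion path is not supported: {pattern!r}")
    return [f"{d}{rest}" for d in drives]


def covered_directories(pattern, env, drives, existing_dirs):
    """Return the existing directories (compared case-insensitively) the exclusion covers."""
    existing = {ntpath.normpath(d).lower(): ntpath.normpath(d) for d in existing_dirs}
    return [existing[c.lower()]
            for c in resolve_candidates(pattern, env, drives)
            if c.lower() in existing]


# Constructed sample data: one user profile on C:, a backup copy of it on E:,
# and the two test folders from the original post.
SAMPLE_ENV = {"USERPROFILE": r"C:\Users\steve", "SystemDrive": "C:"}
SAMPLE_DRIVES = ["C:", "E:"]
SAMPLE_DIRS = [
    r"C:\MyFiles\Folder1",
    r"C:\MyFiles\Folder2",
    r"C:\Users\steve\OneDrive",
    r"E:\Users\steve\OneDrive",   # backup copy of the profile on another drive
]


def report(pattern, env=SAMPLE_ENV, drives=SAMPLE_DRIVES, dirs=SAMPLE_DIRS):
    """Classify an exclusion string as 'unique', 'AMBIGUOUS' or 'no match'."""
    covered = covered_directories(pattern, env, drives, dirs)
    if not covered:
        verdict = "no match"
    elif len(covered) == 1:
        verdict = "unique"
    else:
        verdict = "AMBIGUOUS"
    return verdict, covered


if __name__ == "__main__":
    for candidate in (r"C:\MyFiles\Folder2",
                      r"%USERPROFILE%\OneDrive",
                      r"\Users\steve\OneDrive",
                      r"%SystemDrive%\MyFiles\Folder2"):
        verdict, covered = report(candidate)
        print(f"{candidate:35} -> {verdict:10} {covered}")
```

Run against the sample data, `%USERPROFILE%\OneDrive` is unique because the variable already carries the drive letter, whereas `\Users\steve\OneDrive` is reported as ambiguous since it exists on both C: and E:. That is the distinction behind the question about dropping the drive letter: a variable such as `%USERPROFILE%` keeps the drive, while a bare rooted path does not.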