Using wildcards in exclusions in real-time scanning

This discussion has a more recent version.
Katriina_M Posts: 445 F-Secure Employee

This article provides information on how to exclude files from real-time scanning in F-Secure Anti-virus products using wildcard characters.

About syntax in wildcards

The syntax used in exclusions differs between F-Secure products depending on whether the product is an older or newer version.
  • Older product versions: Server Security 12.x, Email and Server Security 12.x, and Client Security 12.x, and their premium versions.
  • Newer product versions: Client Security 13.x, Client Security 14.x, and their premium versions.

What to remember:

  • In older product versions, use double backslashes: "\\" (the first backslash acts as an escape character). Every backslash in the path must be typed twice in this way. The path is not case-sensitive.
    Note: The older format with double backslashes works in both older and newer product versions. The newer format with single backslashes only works in newer product versions, however.
  • In older product versions, use device names, as follows:
    • *\\HarddiskVolume1\\*\\

    In older product versions, real-time scanning does not see drive letters. Exclusions with drive letters are still supported in older product versions provided that wildcards are not used in the exclusion.

    Tip: To understand how the device name actually maps to a drive letter, you can use the fltmc utility. To do this, run fltmc volumes from the command line as an administrator.

  • In newer product versions, use drive letters, as follows:
    • C:\*\

    Note: If you use \Device\HarddiskVolume1 (newer product versions) or \\Device\\HarddiskVolume1 (older product versions), the entry conflicts with network exclusions, where the server is "Device" and the share is "HarddiskVolume1". Therefore, start the local exclusion with an asterisk (*).
  • If you use a single character wildcard ?, always start the exclusion with an asterisk; for example:
    • *\\eica?.com (older product versions)
    • *\eica?.com (newer product versions)

Scenarios for real-time scanning

In the following examples, we use wildcards to exclude all *.ini files from real-time scanning in the following folder structure:
  • C:\Documents and Settings\User1\MyApplication\
  • C:\Documents and Settings\User2\MyApplication\
  • C:\Documents and Settings\UserNN\MyApplication\

Using wildcards, these folder structures appear as follows:

In older product versions
  • Option A: *\\HarddiskVolume1\\documents and settings\\*\\MyApplication\\*.ini
  • Option B: *\\documents and settings\\*\\MyApplication\\*.ini

Option A shows that an exclusion can include the device name with the volume name (HarddiskVolume1); option B leaves it out. The volume name can differ between machines, so option B is preferred.

In newer product versions
  • C:\documents and settings\*\MyApplication\*.ini

Excluding a folder

Exclude an entire folder using wildcards as follows:
  • *\\MyFolder\\* (older product versions)
  • *\MyFolder\* (newer product versions)

Note: Everything inside the specified folder is excluded, including its subfolders.

Excluding objects

Use wildcards to exclude objects whose names contain the string eicar, as follows:
  • *eicar*
You can also use ? as a wildcard for a single character as follows:
  • *eic??.com

This works with both older and newer product versions.
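
The syntax rules listed under "What to remember" can be checked mechanically before an exclusion list is deployed. The following Python linter is an added example, not F-Secure code; the function name lint_exclusion, the finding texts and the sample entries are assumptions, and it checks only the rules stated in this article.

```python
import re

DRIVE = re.compile(r"^[A-Za-z]:")                        # C:, D:, ...
DEVICE = re.compile(r"^\\{1,2}Device\\", re.IGNORECASE)  # \Device\ or \\Device\\


def lint_exclusion(pattern, older):
    """Return findings for one real-time scanning exclusion entry.

    older=True  checks 12.x syntax (double backslashes, device names).
    older=False checks 13.x/14.x syntax (single backslashes, drive letters).
    """
    findings = []
    has_wildcard = "*" in pattern or "?" in pattern

    if older:
        # Every backslash must be doubled: remove the pairs, none may remain.
        if "\\" in pattern.replace("\\\\", ""):
            findings.append("single backslash in older-format entry")
        # Drive letters are only supported when no wildcard is present.
        if DRIVE.match(pattern) and has_wildcard:
            findings.append("drive letter combined with wildcards")

    # A single-character wildcard requires a leading asterisk.
    if "?" in pattern and not pattern.startswith("*"):
        findings.append("'?' used without leading '*'")

    # \Device\HarddiskVolumeN reads as server "Device", share "HarddiskVolumeN".
    if DEVICE.match(pattern):
        findings.append("starts with \\Device\\, conflicts with network exclusions")

    return findings


# Constructed sample entries, based on the patterns shown in this article.
SAMPLES = [
    (r"*\\documents and settings\\*\\MyApplication\\*.ini", True),
    (r"C:\documents and settings\*\MyApplication\*.ini", True),
    (r"\\Device\\HarddiskVolume1\\temp\\*", True),
    (r"eica?.com", False),
]

if __name__ == "__main__":
    for entry, older in SAMPLES:
        label = "older" if older else "newer"
        print(f"[{label}] {entry} -> {lint_exclusion(entry, older) or 'ok'}")
```

An empty result only means the entry follows the syntax rules; how broad the exclusion is still needs a manual review.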