Announcement: New Knowledge Base

4 June 2020: We are pleased to announce the launch of a new Knowledge Base, Changelogs for Business Security Products, where you can find more details, such as bugfixes or new features, about the most recent releases of our business-related products.

File Quarantined after being excluded???

I am running policy manager 10.01 on a Windows Server 2003 SP2 machine.  I have a specific .exe file that keeps getting quarantined.  Under Settings for Root > Real-Time Protection > Scanning Opitons > File Scanning > Inclusions and Exclusions > Excluded Objects, i have listed C:\Folder\File.exe.  My understanding is if the .exe file is listed here it should not be scanned and thus be ok.  Everytime i reenable F-Secure on the server I see event logs errors stating that the suspected file has been quarantined due to Malicious Code.  I know this file is not infrected.  This is causing major headaches as my users can't run this program when F-Secure is turned on.

 

Any ideas how to stop this?  Am i doing something wrong?

Comments

  • PeterPeter Posts: 186

     

    Hi RCBrown,

     

    And welcome to the F-Secure Community!

     

    As the exclusion can be configured both locally and in Policy Manager Console (PMC), you need to lock the relevant setting in Policy Manager Console to ensure the setting is properly applied on the workstations and/or servers.

     

    Relevant settings in Policy Manager (Advanced Mode):

     

    F-Secure anti-virus
      Settings
        Settings for real-time protection
          Scanning options
            File scanning
              Inclusions and exclusions
                Excluded objects enabled -> change to Enabled
                Excluded objects -> the excluded files and folders go here,e.g. c:\folder\file.exe

     

    For the first setting, click the “Lock” symbol and for the second table, select the option "Dissallow user changes" to ensure a locally configured setting is indeed overwritten.

     

    Please also submit a sample of the problematic file to allow us to address the false positive detection. You can submit a sample here.

     

    Hope this helps!

  • Peter,

     

    Thank you for your assistance.  The lock is "locked" for 'Enabled' on Excluded Objects Enabled.  Also on the Excluded Objects the 'disallow user changes' is checked off.  I have submitted the file 'false positive' test.

     

    Thanks,

    Ray

  • PeterPeter Posts: 186

     

    Hi Ray,

     

    In case the value was not configured at the host level in Policy manager, you also need to click the "Force value" and "Force table" settings to ensure, the setting is propagated properly. Otherwise, settings configured at a lower level in the policy domain structure are not replaced with the new setting. Alternatively, configure the setting at host level.

     

    If this is not the issue, suggest creating a support ticket to investigate this issue further. Please provide the fsdiag.tar.gz file with your request. For additional information, check here  and here.

This discussion has been closed.