Exclude objects on mounted volume

chrullrichchrullrich Posts: 2 New Member

Hello,

 

I just struggled for quite a while to exclude a directory from real-time and manual scan, and finally figured out how to do it. There does not appear to be any recent questions on this issue, so I thought I should fix that.

 

I. Issue

 

There is one file that SAFE kept deleting as soon as it was created, citing some generic detection. Because it is an executable that is locally created from an open-source project, there is little point in submitting it as a sample; I would have to do that twice a day, probably. That left excluding it, and the surrounding directory.

 

At first, I added that directory to the list of excluded objects, which did not work. Then I tried to exclude only the affected file, also without success. I tried turning real-time scan off entirely, and that worked, but is clearly not desirable.

 

II. Analysis

 

The directory where the file is created is on a mounted volume. As that feature has only been around for 17 years (it was introduced in Windows 2000), there is little Windows software yet that can deal with this situation properly, F-Secure SAFE being no exception.

 

III. Solution

 

To exclude a path on a mounted volume, the exclusion rule must use the "physical" path, a.k.a the "device path", not the normal one through the mount point. Unfortunately, it is quite difficult to determine the physical path, because Windows does not provide any tools to do it.

 

There are two ways to get the device path for a mounted volume. Both involve tools from the ever-awesome Sysinternals collection.

 

  1. Process Monitor (http://live.sysinternals.com/procmon.exe)
    • Start procmon and set a filter like "[Path] [contains] [your file name]"
    • Access the file.
    • There will be two lines (just kidding, dozens) in the procmon log. The first one will have the "normal" path in it, and the result will be "REPARSE". The second line has the device path, usually starting with "\Device\HarddiskVolumeX", with some number for X.
  2. WinObj (http://live.sysinternals.com/winobj.exe)
    • Open an elevated command prompt.
    • Run this command, substituting your mount point for <mountpoint>:
      fsutil reparse query <mountpoint>
    • The output will have a line starting with "Substitute Name", with a path on the right that looks like
      "\??\Volume{12341234-...".
    • Now start WinObj and go to the \GLOBAL??\ folder.
    • Find the path from fsutil, without the "\??\", in the list. The "SymLink" column shows the device path for the mounted volume's root directory.
    • In the path you want to exclude, now replace the mount point with that device path. If you want to exclude, say, C:\Data\Projects\foo\, and C:\Data is your mount point, you will end up with something like \Device\HarddiskVolume5\Projects\foo\.

Now enter that path into F-Secure's exclusion lists. Done!

Simon
This discussion has been closed.