Exclusion of directories using wildcards

Hi,

I have read this document but unfortunately I still don't understand how to do this.

Would like to exclude the below directories and drive letter but how to type this in PMC 9? Using CS 9 for server.

%windir%\Cluster

drive letter Q:

%Program Files%\Microsoft SQL Server\MSSQL\Data + Log + Backup

Could someone please explain this/show this to me in more detail?

If possible, I would like to exclude these regardless of their location, i.e. both C: and D:

Thanks in advance!

Regards,
JC

Best Answer

  • Peter Posts: 186
    Accepted Answer

    Hi J-C,

     

    This would be really easy if we had support for environment variables in exclusions, but this is unfortunately not yet available.

     

    %windir%\Cluster

     

    %windir% always points to the Windows directory and the default setting is (excluding NT 4 and Windows 2000) always C:\Windows. Proceeding with the assumption that the folder name is always Windows, the following exclusion would exclude all files existing in the <drive-letter>:\Windows\Cluster folders, on all local hard drives.

     

    *\\HarddiskVolume*\\Windows\\Cluster

     

    Use “fltmc volumes” to find out how drive letters map to device names (device name needs to be used here, since the exclusion uses wildcards).

     

    drive letter Q:

     

    Simply “Q:\” (without the quotes) should do the trick here. Legacy drive letters can be used here, as we're not using wildcards at the same time.

     

    %Program Files%\Microsoft SQL Server\MSSQL\Data + Log + Backup

     

    As the MSSQL folder contains other folders besides the ones listed above, no easy solution here: three separate exclusions for each of the folders (Data, Log, Backup) are needed but the exclusion below at least makes the exclusion independent of the location %Program Files% (drive):

     

    *\\HarddiskVolume*\\Program Files\\Microsoft SQL Server\\MSSQL\\Data

    *\\HarddiskVolume*\\Program Files\\Microsoft SQL Server\\MSSQL\\Log

    *\\HarddiskVolume*\\Program Files\\Microsoft SQL Server\\MSSQL\\Backup

     

    Note, all inclusions should be entered using either PMC or the local UI. Also, exclusions are not case-sensitive....

     

Answers

  • J-C Posts: 46

    Hi,

     

    Thank you very much for helping me out! Two more questions pls, just to confirm that I understand. :)

    I administrate F-Secure on PCs that use different languages and I want to exclude one application from RTS.

    This could be located in 3 different places on any local drive.

    Let's say the application, on a PC using English OS, is installed in C:\Program files\Folder.

    On a Swedish PC, "Program files" is called "Program". On a Norwegian one, it's called "Programfiler".

    Question 1:

    To exclude this whole folder regardless of its location, I can use the below string?

     

    *\\HarddiskVolume*\\Program*\\Folder

     

    Question 2: 

    I have "inherited" the F-Secure environment from another person. In the "Excluded objects table" under some domains I see the below string:

     

    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\Folder\     ( Using Folder as an example again)

     

    If I understand the document linked to in my first post, this works but if using wildcards one must replace device with asterisk and use backslash twice between every "name"?

    Instead of typing this way, one might as well use C:\Program files\Folder, same thing?

     

     

     

    Best regards,

    JC

  • Peter Posts: 186

     

    Hi J-C,

     

    Apologies for the delay!

     

    Question 1:

    To exclude this whole folder regardless of its location, I can use the below string?

     *\\HarddiskVolume*\\Program*\\Folder


    Yes, this will work as "Program*" matches with \Program\, \Program files\ and lastly \Programfiler\.

    Question 2: 

    I have "inherited" the F-Secure environment from another person. In the "Excluded objects table" under some domains I see the below string:

     

    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\Folder\     ( Using Folder as an example again)

     

    If I understand the document linked to in my first post, this works but if using wildcards one must replace device with asterisk and use backslash twice between every "name"?

     

    Instead of typing this way, one might as well use C:\Program files\Folder, same thing?

     

    Indeed, the exclusion highlighted above works but could also be replaced with "C:\Program files\Folder". 


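An added sketch, not part of the thread and not F-Secure's matcher, for reviewing which files the wildcard exclusions discussed above would cover before they are deployed. It assumes `*` matches any run of characters, `\\` stands for one path separator, matching ignores case (as the accepted answer states) and a folder exclusion covers everything beneath it; the device paths and function names are constructed for illustration.

```python
import re

def compile_exclusion(pattern):
    # Assumed model, not the product's documented matcher:
    #   "\\" in the exclusion = one path separator, "*" = any run of characters,
    #   matching ignores case, a folder exclusion also covers everything below it.
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\\\", i):
            parts.append(r"\\")          # regex for one literal backslash
            i += 2
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"(\\.*)?", re.IGNORECASE)

def covered(pattern, paths):
    rx = compile_exclusion(pattern)
    return [p for p in paths if rx.fullmatch(p)]

# Constructed sample device paths (not taken from any real host).
SAMPLE_PATHS = [
    r"\Device\HarddiskVolume2\Program Files\Folder\app.exe",
    r"\Device\HarddiskVolume3\Programfiler\Folder\app.dll",
    r"\Device\HarddiskVolume2\Program\Folder\lib\helper.dll",
    r"\Device\HarddiskVolume2\ProgramData\Folder\unexpected.exe",
    r"\Device\HarddiskVolume2\Users\Public\Folder\unexpected.exe",
    r"\Device\HarddiskVolume4\Windows\Cluster\clusdb.log",
]

# The two wildcard exclusions written out in the thread.
THREAD_PATTERNS = [
    r"*\\HarddiskVolume*\\Windows\\Cluster",
    r"*\\HarddiskVolume*\\Program*\\Folder",
]

def audit():
    return {pat: covered(pat, SAMPLE_PATHS) for pat in THREAD_PATTERNS}

if __name__ == "__main__":
    for pat, hits in audit().items():
        print(pat)
        for h in hits:
            print("   excluded:", h)
```

Under this assumed model `Program*` also covers `ProgramData`, so the listing is worth checking against the directories actually present on the managed hosts.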
  • J-C Posts: 46

    Hi Peter,

     

    No problem at all, I'm just glad that you could find the time to help me.

     

    Thank you very much!

     

    Regards,
    JC

  • Hi

    On my Linux system I would like to exclude /var/spool and all subfolders from scanning.

    I've tried the syntax:  /var/spool//*

    but a test with EICAR shows me that the folder was still scanned.

    What's the right syntax here?

    Best regards

    Helga

  • etomcat Posts: 1,312

    Hello,

     

    Why is it not possible to use SHA-1 checksums for exclusions in real-time FSAV protection, instead of directory and file paths? Only the DeepGuard module accepts SHA-1 entries currently.

     

    Thanks in advance, Sincerely: Tamas Feher, Hungary.

This discussion has been closed.