File Quarantined after being excluded???

Scholar

I am running Policy Manager 10.01 on a Windows Server 2003 SP2 machine.  I have a specific .exe file that keeps getting quarantined.  Under Settings for Root > Real-Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Excluded Objects, I have listed C:\Folder\File.exe.  My understanding is that if the .exe file is listed here, it should not be scanned and thus be OK.  Every time I re-enable F-Secure on the server, I see event log errors stating that the suspected file has been quarantined due to Malicious Code.  I know this file is not infected.  This is causing major headaches, as my users can't run this program when F-Secure is turned on.

Any ideas how to stop this?  Am I doing something wrong?

F-Secure Product Expert

Re: File Quarantined after being excluded???

Hi RCBrown,

And welcome to the F-Secure Community!

As the exclusion can be configured both locally and in Policy Manager Console (PMC), you need to lock the relevant setting in Policy Manager Console to ensure the setting is properly applied on the workstations and/or servers.

Relevant settings in Policy Manager (Advanced Mode):

F-Secure anti-virus
  Settings
    Settings for real-time protection
      Scanning options
        File scanning
          Inclusions and exclusions
            Excluded objects enabled -> change to Enabled
            Excluded objects -> the excluded files and folders go here, e.g. c:\folder\file.exe

For the first setting, click the “Lock” symbol and for the second table, select the option "Disallow user changes" to ensure a locally configured setting is indeed overwritten.

Please also submit a sample of the problematic file to allow us to address the false positive detection. You can submit a sample here.

Hope this helps!

Best Regards,
Peter
Scholar

Re: File Quarantined after being excluded???

Peter,

Thank you for your assistance.  The lock is "locked" for 'Enabled' on Excluded Objects Enabled.  Also on the Excluded Objects the 'disallow user changes' is checked off.  I have submitted the file 'false positive' test.

Thanks,

Ray

F-Secure Product Expert

Re: File Quarantined after being excluded???

Hi Ray,

In case the value was not configured at the host level in Policy Manager, you also need to click the "Force value" and "Force table" settings to ensure the setting is propagated properly. Otherwise, settings configured at a lower level in the policy domain structure are not replaced with the new setting. Alternatively, configure the setting at host level.

If this is not the issue, I suggest creating a support ticket to investigate this issue further. Please provide the fsdiag.tar.gz file with your request. For additional information, check here and here.

Best Regards,
Peter