F-Secure 9.32 - Process/file exclusion seems not to work correctly

We are using Windows 7 64Bit clients with F-Secure Antivirus for Workstations 9.32.

Our developers use Tortoise SVN to checkout their code. During a full checkout, about 60'000 small files have to get transfered over the network.

Deep Guard is disabled, the checkout directory is ecluded and all SVN related processes are excluded from real-time scanner.

When our developers start a checkout the fsgk32.exe consums about 20% CPU time, so it seems to scan something. And network speed drops immediatly to about 10-15kbps. As soon as I kill the Antivirus process the network speed increases to the expected 200kbps.

The result is that a complete checkout with activated AV takes about 22min, while it takes only 2min with disabled AV.

Why is F-Secure scanning the files even if the checkout directory AND SVN EXEs are excluded from real time scanning? Network drives are also excluded from realtime protection.

Find more posts tagged with

Comments

GSCF

I can now confirm that this did fix the issue indeed.

Thanks for your help. Much better help here than via phone

GSCF

Yes! It really looks like removing the quotes did fix it.

Thanks one million times. I still need to do some more tests to confirm that it really works as expected but the first results look promising.

And you should really update the Example in the description for process exclusion in PM. Because it is using quotes in there. Which makes sense for directories with spaces.

Vad

I hope that exclusions without quotes will solve your problem.

Best regards,

Vad

GSCF

I did use quotes indeed... because that's what it gives you as an example in the description in PM

I will try to exclude without using quotes then.

Did call the support by phone but the guy was not willing to give me any information or explain me how to enable debug logging or anything else because the support case is already escalated?? what kind of answer to my call is that?

Vad

GSCF, can I ask you to share here the content of your "excluded processes" field in PMC?

For my test env with CS 9.32 the following content works pretty fine:

c:\windows\notepad.exe
c:\windows\system32\notepad.exe
c:\windows\syswow64\notepad.exe
c:\Program Files (x86)\totalcmd\totalcmd.exe

Note, that you shouldn't use quotes:

"c:\Program Files (x86)\totalcmd\totalcmd.exe"

will not work.

Regards,

Vad

GSCF

It still blocks the file. So the process exclusion seems not to work.

I will call the support to ask how I can create debug logs.

MJ-perComp

It's Windows Explorer that is accessing the file first.

Trythis: Open a Commandline and enter "notepad.exe eicar.com"

GSCF

Well, I opened the support ticket on Monday and didn't get any response except of the automatic email until now.

The thing with notepad didn't work. As soon as I either right click the file to chose "Open with..." or use File -> Open in Notepad to select the file, AV scanner blocks access and cleans the eicar.com

Vad

We need Real-Time scanning debug/trace logs to investigate your issue. Please, contact support for detailed instructions how to collect them. As soon as you provide them back to support, please, drop a note here.

Best regards,

Vad

MJ-perComp

OK, back to start, yes the GUI AND PMC allow to exclude processes

to check if it works or not:

1) download EICAR.COM from EICAR.ORG (you will need to disable AV first)

2) add notepad.exe to excluded processes

3) doubleclick EICAR.COM from Windows Explorer to confirm AV is working

4) open eicar.com using notepad.exe

do you see the content of the file or do you get "access denied"?

GSCF

Another question: If excluding a process happens only via registry. What is the need for the point "Exclude Processes" = "Enabled" and the "Excluded Processes" list in the Real-Time Protection Policy then?

I have added all SVN related processes (EXEs) with the full path in there but it didn't exclude the process obviously.

GSCF

1) How can I disable the monitoring of that process in the registry? Is that described in a guide somewhere?

2) Disabling Deepguard was just an idea to test if it helps. It's enabled again.

3) I did make sure that "Scan Network Drives" is "disabled" in the Policy for these clients. The value is locked.

I did open a support case. This is the SR ID:1-522528375

MJ-perComp

Hi,

your post leaves a lot of questions that would need detailed investigation.

1) excluding the EXE does not solve you problem, you need to exclude the monitoring of that process so that the files it transfers are not scanned. This is done through registry.

2) Disabling Deepguard does not sond like a good idea to me

3) disabling network scan... did you do it correct? The value must be "Scan Network Drives"= "disabled" (which is the default) to force it please also set the lock (final).

Finally please open a support call and mention this thread, then post the SR-ID here.

Thanks.