
File Quarantined after being excluded???

RCBrown_DKH Posts: 2 Security Scout

I am running Policy Manager 10.01 on a Windows Server 2003 SP2 machine. I have a specific .exe file that keeps getting quarantined. Under Settings for Root > Real-Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Excluded Objects, I have listed C:\Folder\File.exe. My understanding is if the .exe file is listed here it should not be scanned and thus be ok. Every time I re-enable F-Secure on the server I see event log errors stating that the suspected file has been quarantined due to Malicious Code. I know this file is not infected. This is causing major headaches as my users can't run this program when F-Secure is turned on.

 

Any ideas how to stop this? Am I doing something wrong?

Comments

  • Peter
    Peter Posts: 127 Threat Terminator

     

    Hi RCBrown,

     

    And welcome to the F-Secure Community!

     

    As the exclusion can be configured both locally and in Policy Manager Console (PMC), you need to lock the relevant setting in Policy Manager Console to ensure the setting is properly applied on the workstations and/or servers.

     

    Relevant settings in Policy Manager (Advanced Mode):

     

    F-Secure anti-virus
      Settings
        Settings for real-time protection
          Scanning options
            File scanning
              Inclusions and exclusions
                Excluded objects enabled -> change to Enabled
                Excluded objects -> the excluded files and folders go here, e.g. c:\folder\file.exe

     

    For the first setting, click the “Lock” symbol and for the second table, select the option "Disallow user changes" to ensure a locally configured setting is indeed overwritten.

     

    Please also submit a sample of the problematic file to allow us to address the false positive detection. You can submit a sample here.

     

    Hope this helps!

  • RCBrown_DKH
    RCBrown_DKH Posts: 2 Security Scout

    Peter,

     

    Thank you for your assistance.  The lock is "locked" for 'Enabled' on Excluded Objects Enabled.  Also on the Excluded Objects the 'disallow user changes' is checked off.  I have submitted the file 'false positive' test.

     

    Thanks,

    Ray

  • Peter
    Peter Posts: 127 Threat Terminator

     

    Hi Ray,

     

    In case the value was not configured at the host level in Policy Manager, you also need to click the "Force value" and "Force table" settings to ensure the setting is propagated properly. Otherwise, settings configured at a lower level in the policy domain structure are not replaced with the new setting. Alternatively, configure the setting at host level.

     

    If this is not the issue, I suggest creating a support ticket to investigate this issue further. Please provide the fsdiag.tar.gz file with your request. For additional information, check here and here.

This discussion has been closed.
