File Quarantined after being excluded???

I am running policy manager 10.01 on a Windows Server 2003 SP2 machine. I have a specific .exe file that keeps getting quarantined. Under Settings for Root > Real-Time Protection > Scanning Opitons > File Scanning > Inclusions and Exclusions > Excluded Objects, i have listed C:\Folder\File.exe. My understanding is if the .exe file is listed here it should not be scanned and thus be ok. Everytime i reenable F-Secure on the server I see event logs errors stating that the suspected file has been quarantined due to Malicious Code. I know this file is not infrected. This is causing major headaches as my users can't run this program when F-Secure is turned on.

Any ideas how to stop this? Am i doing something wrong?

Find more posts tagged with

Comments

Peter

Hi Ray,

In case the value was not configured at the host level in Policy manager, you also need to click the "Force value" and "Force table" settings to ensure, the setting is propagated properly. Otherwise, settings configured at a lower level in the policy domain structure are not replaced with the new setting. Alternatively, configure the setting at host level.

If this is not the issue, suggest creating a support ticket to investigate this issue further. Please provide the fsdiag.tar.gz file with your request. For additional information, check here and here.

RCBrown_DKH

Peter,

Thank you for your assistance. The lock is "locked" for 'Enabled' on Excluded Objects Enabled. Also on the Excluded Objects the 'disallow user changes' is checked off. I have submitted the file 'false positive' test.

Thanks,

Ray

Peter

Hi RCBrown,

And welcome to the F-Secure Community!

As the exclusion can be configured both locally and in Policy Manager Console (PMC), you need to lock the relevant setting in Policy Manager Console to ensure the setting is properly applied on the workstations and/or servers.

Relevant settings in Policy Manager (Advanced Mode):

F-Secure anti-virus
  Settings
    Settings for real-time protection
      Scanning options
        File scanning
          Inclusions and exclusions
            Excluded objects enabled -> change to Enabled
            Excluded objects -> the excluded files and folders go here,e.g. c:\folder\file.exe

For the first setting, click the “Lock” symbol and for the second table, select the option "Dissallow user changes" to ensure a locally configured setting is indeed overwritten.

Please also submit a sample of the problematic file to allow us to address the false positive detection. You can submit a sample here.

Hope this helps!