LANDesk Antivirus Exclusions

This article discusses adding exclusions to the LANDesk Antivirus scanning.

 

What is an Antivirus scanning exclusion?

 

An Antivirus scanning exclusion is an instruction created by the user or administrator telling the real-time scanner and/or the manual scanner not to scan certain folders, file types and/or files. The words "Exception" and "Exclusion" are both used to describe this.

 

Why do I need an Antivirus scanning exclusion?

 

The exclusions list for Real-time scanning and the exclusions list for Manual scans need not be identical. Take time to analyze your environment and consider which files, folders, drives, and extensions you want scanned in each case.

 

A balance between a secure environment and the reliability and performance of the computers must be kept in mind. A lack of exclusions in virus scanning can be a key factor in outages of applications and services. Any antivirus product will enhance security, but there is often a tradeoff in performance.

 

 

There are various reasons to instruct your scanner to skip over certain directories, files, or file types.

 

There are typically specific types of files that are targeted by those who create malware.

 

For a full list of what LANDesk Antivirus considers "infectable file types" see this article: http://community.landesk.com/support/docs/DOC-6651

 

A good practice is to set the real-time scanner to scan "Infectable files only" and to set Full scans to scan "All file types".

 

However, when scanning, there are times you may want to create exclusions.

 

Examples:

 

A developer's workstation that is used for compiling code. 

 

There are various file types that would be good to exclude on a developer's workstation. Antivirus software scanning the source and build output can dramatically increase compile times.

 

Examples of file types to exclude are .ilk, .pdb, .cc, .h

Also add an exclusion for scanning the directory where your sources reside.

 

 

Various server types

Different exclusions may be necessary for different server types. Exchange servers, SQL servers, domain controllers, etc. can have their performance adversely affected by unnecessarily scanning particular files.

 

The following article has information for exclusions for particular types of servers:

 

http://community.landesk.com/support/docs/DOC-6428

 

How do I create an Antivirus scanning exclusion?

 

Antivirus scanning exclusions are created in 3 areas.

 

  • The "Real-time Protection" tab in the Antivirus settings on the core server (added by the Administrator)
  • The "Virus Scan" tab in the Antivirus settings on the core server (added by the Administrator)
  • The Trusted Items list on the client (added by the end user, if they have been given the appropriate rights)

 

Adding Antivirus exclusions in the "Real-time Protection" and "Virus Scan" tabs within the Antivirus settings on the core server:

 

1. Open the Security and Patch Manager Tool in the LDMS console

2. Click the dropdown on the icon labeled "Configure Settings" (Third icon from the left) and select "LANDesk Antivirus Settings"

3. Click either the "Real-time protection" tab or the "Virus Scan" tab.

4. You will be presented with the option to add exceptions for Files, Folders, and file Extensions.

 

[Screenshot: AVRealTimeExceptions.png]

    a. For file names, a file path or environment variable must be included. Available variables are:
        %PROGRAMFILES%, %SYSTEMDRIVE%, %TEMP%, and %WINDIR%.

    b. For folders, the same environment variables are available. When adding a folder exclusion, subdirectories of that folder are included.

    c. For file extensions, exclusions can be entered in the following formats: EXT (searches all paths), Drive:\Directory\Subdirectory\*.exe, or Variable\Directory\*.exe

 

Note: For file extensions, if you get the error "Folder and File paths must begin with a drive letter or environment variable", this means that you did not select the "Extensions" radio button before entering the extension.
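To make the entry rules above concrete, here is an added checker (example code, not part of the LANDesk product or this article) that classifies each entry as a file, folder or extension exclusion and rejects paths with the same message the console shows; the four environment variables are the ones listed above, and the regular expressions are an assumption about how the dialog parses entries, not the product's own code.

```python
import re

# Environment variables the Antivirus settings dialog accepts, per the article.
ALLOWED_VARS = ("%PROGRAMFILES%", "%SYSTEMDRIVE%", "%TEMP%", "%WINDIR%")

_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")             # C:\...
_VAR_RE = re.compile(r"^(%[A-Za-z]+%)\\")           # %WINDIR%\...
_BARE_EXT_RE = re.compile(r"\.?[A-Za-z0-9]+")       # EXT or .EXT, searches all paths
_PATH_EXT_RE = re.compile(r"\\\*\.[A-Za-z0-9]+$")   # Drive:\Dir\*.exe or Variable\Dir\*.exe
PATH_ERROR = "Folder and File paths must begin with a drive letter or environment variable"


def classify_exclusion(entry: str) -> tuple[str, str]:
    """Classify one exclusion entry as ('file' | 'folder' | 'extension', text).

    Assumed rules, taken from the article: a bare extension applies to every
    path; anything else must start with a drive letter or a supported variable;
    a trailing backslash marks a folder (its subdirectories are included).
    Raises ValueError with the console's own message for a bad prefix.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty exclusion entry")
    if _BARE_EXT_RE.fullmatch(entry):
        return ("extension", entry.lstrip(".").lower())
    var = _VAR_RE.match(entry)
    if var and var.group(1).upper() not in ALLOWED_VARS:
        raise ValueError(f"unsupported variable {var.group(1)}; use one of {', '.join(ALLOWED_VARS)}")
    if not var and not _DRIVE_RE.match(entry):
        raise ValueError(PATH_ERROR)
    if _PATH_EXT_RE.search(entry):
        return ("extension", entry)
    if entry.endswith("\\"):
        return ("folder", entry)
    return ("file", entry)


def check_exclusion_list(entries):
    """Review a whole list, as the article recommends. Returns (accepted, rejected),
    where each rejected item is paired with the reason it was refused."""
    accepted, rejected = [], []
    for e in entries:
        try:
            accepted.append(classify_exclusion(e))
        except ValueError as err:
            rejected.append((e, str(err)))
    return accepted, rejected
```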

 

 

 

When entering exclusions, it is recommended to review the list of exclusions to ensure accuracy. Make sure that the path, file names, and exclusion type are correct.

 

[Screenshot: ExclusionTypes.png]

 

Note: Exclusions must be entered separately for the Real-time scanner and for Manual scans. Real-time refers to the scanner that is actively watching the system and scans each file as it is executed or accessed. Manual scan refers to any other scan: scheduled scans, right-clicking a file, folder, or drive and selecting "Scan for viruses", scans run from the local scheduler, etc. However, directly scanning an excluded folder or file by right-clicking it and selecting "Scan for Viruses" ignores the exclusions list. This is by design.

 

Also note that changes to the exclusion list do not take effect immediately. The LANDesk Antivirus service must be restarted for the exclusions to take effect, because the exclusions list is read during service initialization.

 

 

 

Adding to the Trusted Items List (Giving the user rights to trust items)

 

1. Open the Security and Patch Manager Tool in the LDMS console

2. Click the dropdown on the icon labeled "Configure Settings" (Third icon from the left) and select "LANDesk Antivirus Settings"

3. On the "General" tab, check the box marked "Allow user to add files and folders to Trusted Items list"

 

[Screenshot: TrustedItemsCore.png]

This enables an option on the client side that allows the user to add files or folders to a Trusted Items list. Both the real-time scanner and any manual scans will skip the files or folders that have been added.

 

1. [Screenshot: ClientAVUI.png]

2. [Screenshot: AVClientAddItem.png]

3. [Screenshot: AVClientAddItemDialog.png]

 

 

 

Configuring Antivirus exceptions for a LANDesk Core Server with an Antivirus client installed:

http://community.landesk.com/support/docs/DOC-6920

 

 

 

Logging for Antivirus Exclusions

 

The following are snippets from the various logs that show Antivirus exclusions information:

 

The AVService.log only shows the exclusions added to the Real-time section.  As such, they only apply to the real-time scanner.

 

AVService.log
Thu, 20 Aug 2009 16:08:43 exclusion filter is: "C:\Documents and Settings\All Users\Application Data\LANDeskAV\avservice.log";"<C:\Program Files\LANDesk\LDClient\antivirus\*.log";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Server\*";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Client\*";<*.pst;"<C:\SKIPME.EXE";"<C:\SKIPMEFOLDER\";<C:\WINDOWS\CSC\

 

 


The bolded text (bolded for this example; the actual log has no bold text) shows the default exclusions that exist regardless of what is configured by the administrator or user.

 

 

AVService_Channel.log
Thu, 20 Aug 2009 16:28:18 Skip scanning the folder: C:\SKIPMEFOLDER, it's excluded from manual scan
The entries in this log apply to exclusions added through the Antivirus settings on the core, or entries added through the Trusted Items list on the client.

 

 

Antivirus Verbose Logs

 

KAVE_XXXX.log (where XXXX is the PID (Process ID) of the particular AVSERVICE.exe)

[2009.08.21 00:18:44.812][4052] kaveMonitor_SetSettingsString(1,'"C:\Documents and Settings\All Users\Application Data\LANDeskAV\avservice.log";"<C:\Program Files\LANDesk\LDClient\antivirus\*.log";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Server\*";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Client\*";<*.pst;"<C:\TEST\EICAR.COM";"<C:\SKIPME.EXE";"<C:\SKIPMEFOLDER\"')

[2009.08.21 00:18:44.812][4052] CMonitor::SetSettingsString('"C:\Documents and Settings\All Users\Application Data\LANDeskAV\avservice.log";"<C:\Program Files\LANDesk\LDClient\antivirus\*.log";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Server\*";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Client\*";<*.pst;"<C:\TEST\EICAR.COM";"<C:\SKIPME.EXE";"<C:\SKIPMEFOLDER\"') started

[2009.08.21 00:18:44.812][4052] CMonitor::SetSettingsString(FILE_MONITOR). Send comand MON_SET_EXCLUDE_MASK(694)

 

 

Kave_SPXXXX.log (where XXXX is the PID (Process ID) of the particular ScanningProcess.exe)

[2009.08.21 00:18:44.812][3720] ReadExcludeMask. Excludes string '"C:\Documents and Settings\All Users\Application Data\LANDeskAV\avservice.log";"<C:\Program Files\LANDesk\LDClient\antivirus\*.log";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Server\*";"<C:\Documents and Settings\All Users\Application Data\LANDeskAV\Client\*";<*.pst;"<C:\TEST\EICAR.COM";"<C:\SKIPME.EXE";"<C:\SKIPMEFOLDER\"'

[2009.08.21 00:18:44.812][3720] RegisterExcludes started

[2009.08.21 00:18:44.812][3720] All excludes cleared

[2009.08.21 00:18:44.812][3720] Added exclude: 'C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LANDESKAV\AVSERVICE.LOG'

[2009.08.21 00:18:44.812][3720] Added strong exclude: 'C:\PROGRAM FILES\LANDESK\LDCLIENT\ANTIVIRUS\*.LOG'

[2009.08.21 00:18:44.812][3720] Added strong exclude: 'C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LANDESKAV\SERVER\*'

[2009.08.21 00:18:44.812][3720] Added strong exclude: 'C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LANDESKAV\CLIENT\*'

[2009.08.21 00:18:44.812][3720] Added strong exclude: '*.PST'

[2009.08.21 00:18:44.812][3720] Added strong exclude: 'C:\SKIPME.EXE'

[2009.08.21 00:18:44.812][3720] Added strong exclude: 'C:\SKIPMEFOLDER\'

[2009.08.21 00:18:44.905][3720] Added exclude: 'C:\PROGRAM FILES\LANDESK\LDCLIENT\ANTIVIRUS\KAVESP_*.LOG'

[2009.08.21 00:18:44.905][3720] Added exclude: 'C:\PROGRAM FILES\LANDESK\LDCLIENT\ANTIVIRUS\KAVE_*.LOG'

[2009.08.21 00:18:44.905][3720] RegisterExcludes Done
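The AVService.log and Kave_SP log excerpts above show the same list in two forms: the "exclusion filter is:" string (entries separated by ";", optionally double-quoted, with a leading "<" on the entries that the scanning process later registers as "strong exclude" rather than "exclude") and the upper-cased "Added ... exclude:" lines. The following added parser (example code, not part of LANDesk Antivirus or this article) reads the filter string out of constructed AVService.log lines and reproduces the registered list; the meaning of "<" is inferred from comparing the two logs above and the sample lines are constructed and shortened from the excerpt.

```python
import re

# Constructed, shortened copy of the article's AVService.log line. Entries are
# separated by ';', may be double-quoted, and a leading '<' marks the ones that
# Kave_SPxxxx.log later reports as "Added strong exclude" instead of "Added exclude".
SAMPLE_LOG = [
    'Thu, 20 Aug 2009 16:08:43 exclusion filter is: "C:\\Documents and Settings'
    '\\All Users\\Application Data\\LANDeskAV\\avservice.log";"<C:\\Program Files'
    '\\LANDesk\\LDClient\\antivirus\\*.log";<*.pst;"<C:\\SKIPME.EXE";'
    '"<C:\\SKIPMEFOLDER\\";<C:\\WINDOWS\\CSC\\',
]

_FILTER_RE = re.compile(r"exclusion filter is: (.*)$")


def parse_exclude_mask(mask: str) -> list[tuple[bool, str]]:
    """Split an exclude mask into (strong, PATTERN) pairs.

    Upper-casing mirrors the 'Added [strong] exclude:' lines in Kave_SPxxxx.log,
    which show the form the exclusions take once they are registered.
    """
    entries = []
    for raw in mask.split(";"):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]          # quotes wrap the whole entry, '<' included
        if not raw:
            continue
        strong = raw.startswith("<")
        entries.append((strong, raw.lstrip("<").upper()))
    return entries


def excludes_from_log(lines) -> list[tuple[bool, str]]:
    """Return the exclusions from the last 'exclusion filter is:' line seen; the
    list is re-read at service start, so the latest line is the one in force."""
    mask = None
    for line in lines:
        m = _FILTER_RE.search(line)
        if m:
            mask = m.group(1)
    return parse_exclude_mask(mask) if mask else []


def all_path_entries(entries) -> list[str]:
    """Patterns with no drive or variable prefix (e.g. '*.PST') match on every
    path; these are the ones to look at twice during the review the article recommends."""
    return [p for _, p in entries if not re.match(r"^([A-Z]:|%[A-Z]+%)\\", p)]
```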

 

 

AVBehavior_(X).xml (located in \Documents and Settings\All Users\Application Data\LANDeskAV or \ProgramData\LANDeskAV)
    <p>
      <Name>ExcludedFilesAndDirs_Manual</Name>
      <Val />
    </p>
    <p>
      <Name>ExcludedFilesAndDirs_RealTime</Name>
      <Val>.VSP|C:\Test\|%WINDIR%\TEST.EXE</Val>
    </p>

For detailed information about LANDesk Antivirus logging see http://community.landesk.com/support/docs/DOC-6537

