Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you have already crossed that bridge.
You added a process exclusion using the GUI and it worked like a charm. Since you need this exclusion set on all your systems, you opened the FCS console and edited the policy… and that is when you probably discovered that process exclusions cannot be set through an FCS policy.
I can hear you asking why not:
FCS is supported on multiple platforms (http://technet.microsoft.com/en-us/library/bb404245.aspx). One of them is Windows 2000 SP4 with Update Rollup 1, and process exclusions are not supported on that platform: there, the only way to retrieve the process name is through the PEB (Process Environment Block), which lives in user mode, and user-mode memory can easily be manipulated by the process itself, which is exactly what we don't want for a decision about what gets scanned.
If you do set a process exclusion on a Windows 2000 computer with FCS installed, you will notice that the FCSAM service refuses to start, which is definitely something we don't want to happen.
Needless to say what the impact would be if you deployed a policy with process exclusions to systems running Windows 2000… To prevent that scenario, process exclusions cannot be set via an FCS policy.
However, you can deploy process exclusions (at your own risk) via a Group Policy Object (GPO).
A couple of notes for this particular entry:
Below is an example of the content of such an ADM file. To create it, start Notepad and copy and paste the following text into it:

CLASS MACHINE

CATEGORY !!FCSCategory
  POLICY !!Exclusion_Name
    KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes"
    EXPLAIN !!Exclusion_Explain

    ; Replaceable: change "<path to program>\program1.exe" in each VALUENAME below to the
    ; full path of the program you want excluded (one program per PART).
    PART "ProcessName1" DROPDOWNLIST REQUIRED
      VALUENAME "<path to program>\program1.exe"
      ITEMLIST
        NAME Processname1 VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART

    PART "ProcessName2" DROPDOWNLIST REQUIRED
      VALUENAME "<path to program>\program1.exe"
      ITEMLIST
        NAME Processname2 VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART

    PART "ProcessName3" DROPDOWNLIST REQUIRED
      VALUENAME "<path to program>\program1.exe"
      ITEMLIST
        NAME ProcessName3 VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
FCSCategory="Microsoft Forefront Client Security"
Exclusion_Name="FCS Process Exclusion"
Exclusion_Description="Setting a process to be excluded from FCS scans."
Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes. Not supported for Windows 2000."
Ignore_Default="Default"

Save the file with an .adm extension, making sure to choose "All files (*.*)" as the file type so Notepad does not append .txt, and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
Kurt Sarens, Sr. Security Support Engineer
Sorry, but I don't see anything in italics. So should I change the thing after the VALUENAME in "", and not the name "processname1"?
Am I right?
You are correct - there was a formatting blip during the posting process. I've edited the ADM to show where the replaceables are.
I have crafted an ADM using this template and my processes and applied it to the OU that contains my servers.
GPMC shows the values are defined and set. However, when I look in the registry there is no "Processes" node under the policy and no excluded processes show in the FF client. So I don't see any evidence that these exclusions are being applied. Am I missing something?
The GPO you create to apply the process exclusions has to have a higher link state order precedence (lower #) than the auto-created GPO containing the Forefront Policy.
I had the FF policy first and my process exclusion policy second and wasn't getting the process exclusions. I even created those regkeys by hand, but as soon as I did a gpupdate /force it wiped them out.
The default FF policy must wipe out the "Processes" registry key, so you've got to make sure your policy wins.
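As an added check that is not part of the original post or of FCS, the PowerShell script below, run on a client after gpupdate, confirms that the exclusion values a GPO built from the ADM template should have written are actually present under the key named in the ADM, and points at the link-order problem described in the comments when the Processes key is missing. The two program paths are hypothetical sample values.

```powershell
# Added check (not from the original post): confirm that the process exclusions a
# GPO built from the ADM template should have written are present on this client.
# Each value name is the excluded program's full path, its data a DWORD 0.
$ExclusionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes'

# Constructed sample input: the paths entered in the ADM's VALUENAME fields.
# Hypothetical program names, not values from the original post.
$ExpectedExclusions = @(
    'C:\Program Files\Contoso\backupagent.exe',
    'C:\Program Files\Contoso\indexer.exe'
)

function Test-FcsProcessExclusions {
    param(
        [string]   $KeyPath  = $ExclusionKey,
        [string[]] $Expected = $ExpectedExclusions
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # Symptom from the comments: the auto-created Forefront policy GPO, when it
        # is processed after yours, removes the Processes key altogether.
        Write-Warning "Key not found: $KeyPath"
        Write-Warning 'Give the exclusion GPO a lower link order number than the Forefront policy GPO, run gpupdate /force, then re-check.'
        return $false
    }
    $key = Get-Item -LiteralPath $KeyPath
    $allApplied = $true
    foreach ($path in $Expected) {
        $data = $key.GetValue($path, $null)
        if ($null -eq $data) {
            Write-Warning "Not applied: $path (value missing)"
            $allApplied = $false
        }
        elseif ([int]$data -ne 0) {
            Write-Warning "Unexpected data for ${path}: $data (expected DWORD 0)"
            $allApplied = $false
        }
        else {
            Write-Output "OK: $path is excluded"
        }
    }
    # Also surface values present in the key that are not on your list, so stray
    # or stale exclusions written by another GPO are visible.
    foreach ($name in ($key.GetValueNames() | Where-Object { $Expected -notcontains $_ })) {
        Write-Warning "Extra exclusion present: $name"
    }
    return $allApplied
}

Test-FcsProcessExclusions
```

Run it in an elevated PowerShell session on the client; a missing key with the GPO showing as applied in GPMC is the precedence symptom described above.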