Forefront Endpoint Protection Blog

All the latest news and information on Forefront Client Security, Forefront Endpoint Protection and System Center Endpoint Protection 2012

Setting a process exclusion in your network

Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you have already crossed that bridge.

You added a process exclusion using the GUI and it worked like a charm. Because you need the same exclusion on all your systems, you opened the FCS console and edited the policy… and discovered that process exclusions cannot be set in an FCS policy.

I can hear you asking why not:

FCS is supported on multiple platforms (http://technet.microsoft.com/en-us/library/bb404245.aspx), and one of them is Windows 2000 SP4 with Update Rollup 1. Process exclusions are not supported on that platform: on Windows 2000 the only way for the antimalware engine to retrieve the name of a process is to read it from the process's PEB (Process Environment Block), which resides in user mode. A user-mode process can tamper with its own PEB, so a name read from there is not something you want to trust when deciding what not to scan.

If you do set a process exclusion on a Windows 2000 computer with FCS installed, you will notice that the FCSAM (antimalware) service fails to start, which is something we definitely don't want to happen.

No need to say what the impact would be of deploying a policy with process exclusions to systems running Windows 2000: the antimalware service would be down on every one of them. To prevent that scenario, process exclusions cannot be set via an FCS policy.

However, you can deploy process exclusions (at your own risk) via a Group Policy Object (GPO). Make sure the GPO is scoped so that it never reaches a Windows 2000 system.

A couple of notes for this particular entry:

  • This setting uses the full path of the process to be excluded as the name of the registry value, not as its data. The placeholders in the sample ADM file below are the <path to program>\programN.exe strings. To change the process to exclude, change the registry value name (VALUENAME), not the data, which is always 0.
  • Processes that are already running when the exclusion arrives are not excluded; restart the processes you want excluded.

Below you can find an example of the content of such an ADM file. To create it, start Notepad and paste the following text into the new file:

; Process exclusions for Forefront Client Security, deployed as a machine policy.
; Replace each <path to program>\programN.exe placeholder with the full path of the
; executable to exclude. The path is the registry VALUE NAME; the data (0) is ignored.
CLASS MACHINE
CATEGORY !!FCSCategory
    POLICY !!Exclusion_Name
    KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes"
    EXPLAIN !!Exclusion_Explain
        ; One PART per process. Each PART needs its own VALUENAME, otherwise the
        ; parts all write the same registry value and only one process is excluded.
        PART "ProcessName1" DROPDOWNLIST REQUIRED
        VALUENAME "<path to program>\program1.exe"
        ITEMLIST
            NAME ProcessName1    VALUE NUMERIC 0 DEFAULT
        END ITEMLIST
        END PART
        PART "ProcessName2" DROPDOWNLIST REQUIRED
        VALUENAME "<path to program>\program2.exe"
        ITEMLIST
            NAME ProcessName2    VALUE NUMERIC 0 DEFAULT
        END ITEMLIST
        END PART
        PART "ProcessName3" DROPDOWNLIST REQUIRED
        VALUENAME "<path to program>\program3.exe"
        ITEMLIST
            NAME ProcessName3    VALUE NUMERIC 0 DEFAULT
        END ITEMLIST
        END PART
    END POLICY
END CATEGORY

[strings]

FCSCategory="Microsoft Forefront Client Security"
Exclusion_Name="FCS Process Exclusion"
Exclusion_Description="Setting a process to be excluded from FCS scans."
Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes. Not supported for Windows 2000."
Ignore_Default="Default"

Save the file with an .adm extension (choose All files *.* as the file type so that Notepad does not append .txt), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
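The template above has three hard-coded slots, and each slot must carry a different VALUENAME or the parts overwrite one registry value. The following PowerShell script is an added example, not part of the original post or of FCS itself: it generates an equivalent ADM file with one PART per process for any list of executable paths, using the same KEYNAME and [strings] entries as the template. The function and parameter names are my own, and the executable paths in the usage call are constructed for illustration.

```powershell
# Added example, not from the original post: generate the ADM file above for an
# arbitrary list of executables, one PART per process, each with its own VALUENAME.

function New-FcsProcessExclusionAdm {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ProcessPath,  # full paths of the executables to exclude
        [Parameter(Mandatory = $true)] [string]   $OutputFile    # path of the .adm file to write
    )

    # Key the FCS antimalware engine reads process exclusions from (the KEYNAME in the post's template).
    $keyName = 'SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes'

    $lines = New-Object System.Collections.Generic.List[string]
    $lines.Add('CLASS MACHINE')
    $lines.Add('CATEGORY !!FCSCategory')
    $lines.Add('    POLICY !!Exclusion_Name')
    $lines.Add("    KEYNAME `"$keyName`"")
    $lines.Add('    EXPLAIN !!Exclusion_Explain')

    $index = 0
    foreach ($path in $ProcessPath) {
        $index++
        # ADM quotes strings with double quotes and has no escape for them, and a relative
        # path would never match a process image path, so reject both up front.
        if ($path -match '"') { throw "Path contains a double quote and cannot be expressed in ADM: $path" }
        if (-not [System.IO.Path]::IsPathRooted($path)) { throw "Process path must be absolute: $path" }

        # The path is the registry VALUE NAME; the DWORD data (0) is not used by FCS.
        $lines.Add("        PART `"Process $index`" DROPDOWNLIST REQUIRED")
        $lines.Add("        VALUENAME `"$path`"")
        $lines.Add('        ITEMLIST')
        $lines.Add("            NAME `"$path`"    VALUE NUMERIC 0 DEFAULT")
        $lines.Add('        END ITEMLIST')
        $lines.Add('        END PART')
    }

    $lines.Add('    END POLICY')
    $lines.Add('END CATEGORY')
    $lines.Add('')
    $lines.Add('[strings]')
    $lines.Add('FCSCategory="Microsoft Forefront Client Security"')
    $lines.Add('Exclusion_Name="FCS Process Exclusion"')
    $lines.Add('Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes. Not supported for Windows 2000."')

    # The Group Policy editor reads ADM files as ANSI or as UTF-16 with a BOM; UTF-16 keeps
    # non-ASCII characters in paths intact.
    [System.IO.File]::WriteAllLines($OutputFile, $lines.ToArray(), [System.Text.Encoding]::Unicode)
    return $OutputFile
}

# Constructed example paths; replace them with the executables you actually want excluded.
New-FcsProcessExclusionAdm -OutputFile 'C:\Temp\FcsProcessExclusions.adm' -ProcessPath @(
    'C:\Program Files\Contoso\Backup\backupagent.exe',
    'C:\Program Files\Contoso\Indexer\indexer.exe'
)
```

Import the generated file into a GPO under Administrative Templates and link it exactly as the post describes; every process you pass gets its own registry value under the Processes key, so adding a fourth or fifth exclusion later is a matter of rerunning the script rather than hand-editing more PART blocks.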

Thanks,

Kurt Sarens
SR. Security Support Engineer

Comments
  • Hi!

    Sorry, but I don't see anything in italics. So should I change the thing after the VALUENAME in "", and not the name "processname1"?

    Am I right?

  • Hi there!

    You are correct - there was a formatting blip during the posting process. I've edited the ADM to show where the replaceables are.

    Thanks!

  • I have crafted an ADM using this template and my processes and applied it to the OU that contains my servers.

    GPMC shows the values are defined and set. However when I look in the registry there is no "Process" node under the policy and no excluded processes show in the FF client. So I don't see any evidence that these exclusions are being applied. Am I missing something?

  • The GPO you create to apply the process exclusions has to have a higher link state order precedence (lower #) than the auto-created GPO containing the Forefront Policy.

    I had the FF policy first and my process exclusion policy second and wasn't getting the process exclusions. I even created those regkeys by hand, but as soon as I did a gpupdate /force it wiped them out.

    The default FF policy must wipe out the "Processes" registry key, so you've got to make sure your policy wins.
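The thread above describes the two ways this deployment fails silently: the FCS-generated GPO has higher precedence and wipes the Processes key, and a process that was already running when the policy arrived keeps being scanned until it is restarted (the second note in the post). The following PowerShell function is an added example, not part of the original post or of FCS: run on a managed client after gpupdate, it reports whether the expected value names are present under the policy key, whether the antimalware service is running (the post calls it FCSAM; I assume that is also the Windows service name), whether the machine is Windows 2000, and which excluded executables are currently running and therefore still need a restart. The function name and the expected paths in the usage call are my own, constructed for illustration.

```powershell
# Added example, not from the original post: verify on a managed client that the
# process exclusions deployed through the GPO actually reached the registry key FCS reads.

function Test-FcsProcessExclusion {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ExpectedPath   # the paths you put in the ADM file
    )

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes'

    # Windows 2000 is NT 5.0; on it, process exclusions stop the FCSAM service from starting.
    $os = [System.Environment]::OSVersion.Version
    $isWindows2000 = ($os.Major -eq 5 -and $os.Minor -eq 0)

    # Assumption: 'FCSAM' is the service name of the antimalware service the post refers to.
    $svc = Get-Service -Name 'FCSAM' -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # Each exclusion is stored as a value NAME under the key; the DWORD data is ignored.
    # If the key is absent after gpupdate, another GPO (typically the FCS-generated one)
    # has higher precedence and is wiping it, as the last comment describes.
    $present = @()
    if (Test-Path -Path $key) {
        $present = @((Get-Item -Path $key).GetValueNames())
    }
    $missing    = @($ExpectedPath | Where-Object { $present -notcontains $_ })
    $unexpected = @($present | Where-Object { $ExpectedPath -notcontains $_ })

    # Exclusions apply only to processes started after the policy landed, so list the
    # excluded executables that are running right now; those still need a restart.
    # Reading .Path of a protected process can throw, hence the try/catch.
    $runningPaths = @(Get-Process | ForEach-Object { try { $_.Path } catch { $null } } | Where-Object { $_ })
    $needRestart = @($ExpectedPath | Where-Object { $runningPaths -contains $_ })

    New-Object PSObject -Property @{
        IsWindows2000      = $isWindows2000
        ServiceStatus      = $serviceStatus
        PolicyKeyExists    = (Test-Path -Path $key)
        Missing            = $missing
        Unexpected         = $unexpected
        RunningNeedRestart = $needRestart
    }
}

# Constructed example paths; use the same list you fed into the ADM file.
$check = Test-FcsProcessExclusion -ExpectedPath @(
    'C:\Program Files\Contoso\Backup\backupagent.exe',
    'C:\Program Files\Contoso\Indexer\indexer.exe'
)
$check | Format-List
if ($check.IsWindows2000)                 { Write-Warning 'Windows 2000: remove this machine from the GPO scope.' }
if ($check.Missing.Count -gt 0)           { Write-Warning 'Exclusions missing: check GPO link order with gpresult /r /scope computer.' }
if ($check.RunningNeedRestart.Count -gt 0) { Write-Warning 'Excluded processes are already running and must be restarted.' }
```

Run it as an administrator (the Path property of processes owned by other users is only readable with elevation). A non-empty Unexpected list is worth a look too: it means someone or something has added an exclusion that your GPO does not account for, which is exactly the kind of tampering that an exclusion mechanism invites.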
