Since the August 2009 antimalware engine update we support wildcards in path exclusions for on-demand scans (quick/full/custom scan).
It is important to note that wildcards in path exclusions will not work for Real-Time Protection and will be ignored (this does not apply to extension exclusions).
For on-demand scans, this will allow you to exclude paths such as: "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent"
The above example excludes the same path in every user's profile folder. This can improve performance with scheduled scans and on-demand scans.
Since Real-Time Protection (RTP) will not honor the wildcards, you cannot use a wildcard exclusion to prevent detection or to avoid RTP performance issues. In these cases you will have to use the full path.
Additional information about the use of wildcards:
c:\temp is the same as c:\temp\* and c:\temp\*\
When the wildcard is the last character in the exclusion, it is treated the same as not having the wildcard, and all subfolders are excluded.
A * within the path represents one complete folder name.
A ? represents one character or null:
If the exclusion is c:\? and you scan c:\e, the file is excluded.
If the exclusion is c:\??car, both eicar and mycar are excluded.
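As an added example (not code from this post or from the Forefront engine), the following Python models the wildcard rules above and applies them once for an on-demand scan and once for Real-Time Protection, which ignores every path exclusion containing a wildcard. The regex translation is my reading of the rules, and the sample paths are constructed.

```python
import re
from typing import Iterable, List

WILDCARDS = "*?"

def exclusion_to_regex(exclusion: str) -> str:
    """Translate one on-demand path exclusion into a regex.
    Rules, as read from the post (an assumed model, not the engine's own code):
      - c:\\temp, c:\\temp\\* and c:\\temp\\*\\ are equivalent: the folder and
        everything beneath it is excluded;
      - a '*' inside the path stands for one complete folder name;
      - a '?' stands for one character or null (nothing).
    Windows paths are case-insensitive, so callers match with IGNORECASE.
    """
    ex = exclusion.rstrip("\\")
    while ex.endswith("\\*"):          # trailing \* is the same as no wildcard
        ex = ex[:-2]
    pieces = []
    for ch in ex:
        if ch == "*":
            pieces.append(r"[^\\]+")  # exactly one folder name, no separators
        elif ch == "?":
            pieces.append(r"[^\\]?")  # one character or nothing
        else:
            pieces.append(re.escape(ch))
    # Match the excluded item itself or anything under it.
    return "^" + "".join(pieces) + r"(\\.*)?$"

def has_wildcard(exclusion: str) -> bool:
    return any(c in exclusion for c in WILDCARDS)

def is_excluded(path: str, exclusions: Iterable[str], realtime: bool = False) -> bool:
    """True if the scanner would skip `path`. With realtime=True this models
    Real-Time Protection, which ignores any path exclusion that contains a
    wildcard and honours only literal full paths."""
    for ex in exclusions:
        if realtime and has_wildcard(ex):
            continue
        if re.match(exclusion_to_regex(ex), path, re.IGNORECASE):
            return True
    return False

def rtp_ignored(exclusions: Iterable[str]) -> List[str]:
    """Exclusions in a policy that RTP silently ignores; audit these before
    relying on them for false-positive suppression or performance."""
    return [ex for ex in exclusions if has_wildcard(ex)]
```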
Senior Support Escalation Engineer
Last week was a very busy one for the team. At our public beta launch at IT Forum in Barcelona, we were being constantly asked if 64-bit clients were included in the beta. We had a very simple, consistent response… “The product team is working hard to complete the release of our 64-bit clients. We are wrapping up some last minute validation and investigations, but expect them to be available very soon.”
Well, I am very happy to say that “very soon” has come and that the 64-bit clients are now available for download. Please take them for a test-drive! The installation package is for use with the Microsoft Forefront Client Security public beta release that was published earlier last week.
[12/13/2006] The download link above is now updated to point to the current full release that has completed 64-bit clients.
Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you already crossed that bridge.
You added a process exclusion using the GUI, it worked like a charm. As you need to have this exclusion set on all your systems, you opened the FCS console and edited the policy… At that time, you probably discovered that process exclusion cannot be set with the FCS policy.
I can hear you asking why not:
FCS is supported on multiple platforms (http://technet.microsoft.com/en-us/library/bb404245.aspx). One of them is Windows 2000 SP4 with Update Rollup 1, and process exclusions are not supported on that platform, because the only way to retrieve the process name there is through the PEB (Process Environment Block), which resides in user mode. User-mode processes can easily be manipulated, which is not what we want.
If you do set a process exclusion on a computer running Windows 2000 with FCS installed, you will notice that the FCSAM service fails to start, which is something we definitely do not want to happen.
No need to say what the impact would be if you deployed a policy with process exclusions to systems running Windows 2000. To prevent this scenario, process exclusions cannot be set via an FCS policy.
However, you can deploy (at your own risk) process exclusions via a Group Policy Object (GPO).
A couple of notes for this particular entry:
Below you can find an example of the content of such an ADM file – to save the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINE
CATEGORY !!FCSCategory
  POLICY !!Exclusion_Name
    KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes"
    EXPLAIN !!Exclusion_Explain
    ; Each PART writes one registry value under KEYNAME: the value name is the
    ; full path of the process to exclude and the data is DWORD 0. Replace the
    ; placeholder paths with your own; each value name must be unique.
    PART "ProcessName1" DROPDOWNLIST REQUIRED
      VALUENAME "<path to program>\program1.exe"
      ITEMLIST
        NAME Processname1 VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART
    PART "ProcessName2" DROPDOWNLIST REQUIRED
      VALUENAME "<path to program>\program2.exe"
      ITEMLIST
        NAME Processname2 VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART
    PART "ProcessName3" DROPDOWNLIST REQUIRED
      VALUENAME "<path to program>\program3.exe"
      ITEMLIST
        NAME ProcessName3 VALUE NUMERIC 0 DEFAULT
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
FCSCategory="Microsoft Forefront Client Security"
Exclusion_Name="FCS Process Exclusion"
Exclusion_Description="Setting a process to be excluded from FCS scans."
Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes. Not supported for Windows 2000."
Ignore_Default="Default"
Save the file as an ADM file, making sure to choose All files *.* as the file type, and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
Kurt Sarens SR. Security Support Engineer
By default, the FEP 2010 Deployment – Install package is configured to download and run the installation program on the client computer. If you modify the advertisement to run the install from the Distribution Point (DP), the install fails with the following error message:
“The program for advertisement "XYZ" failed ("XYZ - "Install"). The failure description was "FEP failed compiling CCM_ISV_SoftwarePolicy required for applying policy. Error code: 0x1".”
If you want to run the FEP Client install from the DP you need to do the following:
Gershon Levitz, Technical Writer MSDiX
So have you ever wondered what the Microsoft SpyNet opt in page is really all about?
Microsoft SpyNet is a cloud service that allows the FEP or MSE client on your computer to report information about programs that exhibit suspicious behavior to the Microsoft Malware Protection Center (MMPC) researchers. When this information is reported, definitions for previously unknown threats can be created and distributed, minimizing the time that a new threat is spreading in the wild before protection is available. (Note: older clients, like FCS and Windows Defender, also participate in SpyNet, but to get the full benefits of SpyNet, which includes Dynamic Signature Service, you should move to FEP or MSE.)
Additionally, when your FEP or MSE client reports new malware to the Microsoft SpyNet cloud service, the Dynamic Signature Service can recognize when a definition is available but not yet released, and deliver the definition for that specific threat in real time from the cloud. Once the dynamic signature is delivered, the threat is detected and can be removed from the system.
Hey – here’s a thought. Take 3 minutes and watch this – Microsoft SpyNet and the Dynamic Signature Service in action: