Scenario 2 - Use the
Low-Risk Processes policy to implement an exclusion. We use the
Agent.exe process as an example process that performs many file I/O WRITE actions to a commonly used folder
C:\Temp on client computers.
With only the
Default Processes policy in use:
- The Agent.exe process writes a file to C:\Temp.
- ENS scans the file.
- The Agent.exe writes more data to the same file in C:\Temp.
- ENS scans the file again.
ENS scans each file write because the file is new or has been modified. This scan occurs for each change to the original file and for any newly created files.
The activity generated by this process can cause the scanner to use large quantities of system resources. The reason is because of the number of scans needed for each file.
With
Agent.exe added to the
Low-Risk Processes policy:
You can add the
Agent.exe process to the
Low-Risk Processes to alleviate the performance issue. There are several possible methods:
- Exclude C:\Temp from WRITE operations.
- Exclude C:\Temp\**.TMP from WRITE operations.
- Exclude .TMP files.
The solution that creates the least risk is to exclude
C:\Temp\**.TMP from WRITE operations. Only exclude
.TMP files found in the
C:\Temp folder from scanning when they’re being written to the disk with
Agent.exe.
What Risks Does This Scenario Introduce?
It’s possible for an unknown threat with a process named Agent.exe to write or modify .TMP files in the C:\Temp folder and avoid being scanned.
Risk 1 - Assuming there’s a virus/trojan with an executable file named Agent.exe:
- First, the virus/trojan would have to be written to the disk. If written to the disk:
- ENS detects the writing to the disk if the DATs include detection for the threat.
- ENS denies the file creation if the method used to create this file breaches an Access Protection rule.
- The file would have to be executed (or read) so it can propagate and deliver its payload. If executed:
- ENS detects the execution if the DATs include detection for the threat.
- ENS denies the file execution if the method used to start the file breaches an Access Protection rule.
NOTE: Even with Low-Risk Processes policies in use, there are multiple layers of protection from potentially infected files.
- The virus/trojan Agent.exe now runs. It tries to write .JPG and .DOC files to the C:\Temp folder.
- ENS detects the running if the DATs include detection for the threat. The exclusion only involves .TMP files that are written to the folder.
- ENS denies the file WRITE if an Access Protection rule exists for this behavior.
NOTE: The virus/trojan has executed and might be running in memory. But, its activities can still be interrupted when DATs are updated or by implementing a new Access Protection rule. When the DATs are updated and this virus/trojan is found, it’s removed from memory as part of the cleanup process.
Risk 2 - A READ action occurs to execute the infected file:
- ENS detects this execution if the DATs include detection for the threat. READ actions aren’t excluded.
- ENS denies the READ if an Access Protection rule exists for this behavior.
IMPORTANT: There’s some risk associated with using the
High-Risk / Low-Risk Processes policies. Generally, the risk is minimal and you must assess it on a case-by-case basis. To obtain better product performance, you must determine the degree of acceptable risk.
