Jump to content

Are exclusions necessary?

Gator

By Gator,
in Emsisoft Anti-Malware Home

 Share

Recommended Posts

JeremyNicoll

JeremyNicoll

Posted
Posted

It's not a matter of whether you believe The Register or not.   If you exclude a folder then you have to be aware that any file that gets into that folder, for any reason, not necessarily a malicious one, will be ignored, not just the files that were there originally.  Worse, if any of the files present get infected, those infections will be ignored.  

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
14 hours ago, digmor crusher said:

http://www.theregister.co.uk/2016/12/07/clever_crims_using_av_exclusion_lists_as_malware_safe_harbour/

 

Something to ponder.

The article is specifically about malware authors abusing commonly excluded folders that security software vendors have published in their support documentation.

Also keep in mind that if you exclude the EAM folder in another anti-virus software, then EAM's self-protection is still going to keep any applications from saving files in the EAM folder. I imagine that most other security software has some sort of protection mechanism like this as well.

There's also the fact that, unless you manually save a malicious file in an excluded folder, then it still has to find a way to get there. It would be difficult for malware to do this without generating a Behavior Blocker alert, and if someone found a way to do it and we saw it in-the-wild then we would simply update our Behavior Blocker to catch it and alert for it.

Link to comment
Share on other sites
digmor crusher

digmor crusher

Posted
Posted

I was in no way implying that people should not make exclusions if they need to, it was just an article I came upon and thought maybe some following this thread may like to read . I would have no problems making exclusions if I needed to, fortunately all my programs play well together and I have never had a need for exclusions.

Link to comment
Share on other sites
GT500

GT500

Posted
Posted
17 hours ago, JeremyNicoll said:

What might be useful, in some circumstances anyway, would be an option for making an exclusion that caused EIS to store some sort of hash of the directory listing of that folder, so that unchanged files in the folder would remain excluded but any new file that arrived in the folder would not be excluded.  Clearly that would be a nuisance for some folders where the current behaviour would be 'better'. 

Unfortunately hash generation takes time, and for an entire directory it could easily take a ridiculous amount of time. My best guess is that it would lead to system freezing as new files were saved in a folder, unless the feature only applied to the on-demand scanner.

Using file size and last modified date would significantly reduce the amount of processing that would be needed to pull such a thing off, but obviously wouldn't be infallible. Granted, neither are hashes.

 

14 hours ago, Gator said:

Here's my exclusions, If I should add or change anything please let me know.

Add an asterisk at the end of each path. Like this:

EAM_v12_Exclusions_Example.png

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2022 Emsisoft - 05/25/2022 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...