path exclusion for scans do not work

S-LEGOUGE — Wed, 07 Dec 2022 14:27:04 GMT

Hello to all,

I am experiencing a problem on a machine where scans are pushing the overall CPU load to 100% for several minutes to several hours and only slowly decreasing.

This causes problems for the use of the Syngo.Via software installed on this machine and the syngo.via server is not responding, the syngo.via clients are not usable and freeze/plant or respond very slowly.

In the documentation of this software there are exclusions to be made in the antivirus:
- C:\ISPACE\*.* (if present)
- C:\Program Files\Siemens\*.*
- C:\Program Files (x86)\Siemens\*.*
- C:\store\*.*
- C:\sysmgtmt\*
- C:\WindowsInstaller*.
- D:\SQL_DATA\*.*
- D:\MSSQL13.MSSQLSERVER_SYDS\*.* ([13] depends on the instance)
- E:\frontier\* (if present)
- E:\storagefw\*.
- E:\sysmgtmt\*.
- M:\BackupRestore\MSSQL
- N:\WindowsImageBackup\*.
-S:\*.*

as well as the options to be deactivated:

-
Do not scan compressed files.
No compressed files should be scanned as this may lead to performance issues. However, scan compressed files during scheduled full scans!
-
Deactivate heuristic search.
Heuristic search should not be activated as the risk of false positives may arise.
-
Deactivate advanced intrusion detection/prevention (IDS/IPS) and firewall features.
Virus protection suites (for example, suites including firewall and intrusion detection applications) are not supported. Deactivate additional features.
- If you are able to define a default warning text in case an infected file is found, set it to "Virus Scan Alert!
- Only the following actions should be performed if an infected file is found:
- Set the found file to quarantine.
- Write an event to the event log.
To prevent data loss in case of false positives, do not delete or repair infected files automatically. You have to check files manually and delete them if necessary.
- Only the following actions should be performed if spyware, adware, dialers, hack tools, trackware, password crackers, trojans, joke p programs, or key loggers are found:
- Set the found file to quarantine.
- Write an event to the event log.
- In case of remote administrator tools, ignore findings but create events.
- In case of other unwanted programs, ignore findings but create events.

All paths have been added to all modules of the malware profile

I did add these paths to the exclusions but cortex keeps scanning them, I don't know why can you help me?

And where to disable Syngo recommendations (compressed, heuristic, etc )?

Thank you

Re: path exclusion for scans do not work

eluis — Wed, 18 Jan 2023 10:01:04 GMT

Hi @S-LEGOUGE ,

thanks for writting us in livecommunity.

Im sorry that your message got unanswered for a while, Ive just found it unanswered.

After reading your message and realizing about your issue, I would recommend to open a TAC support ticket.

I hope this helped,

eLuis

Re: path exclusion for scans do not work

S-LEGOUGE — Wed, 18 Jan 2023 10:09:02 GMT

Hi @eluis ,

One case is currently open and troubleshooting is underway with support.

Thank you

Regards,

Re: path exclusion for scans do not work

OMI_RLI — Fri, 12 Jan 2024 11:07:19 GMT

Was this ever solved? If yes, how? Maybe with a support exception that is disabling syscalls?

Re: path exclusion for scans do not work

adeprt1705 — Fri, 08 Nov 2024 07:12:29 GMT

we have the same problem. Excluding all this number of directories, as requested in Siemens documentation, opens the door to injecting malicious stuff. Thanks

topic Re: path exclusion for scans do not work in Cortex XDR Discussions

path exclusion for scans do not work

Re: path exclusion for scans do not work

Re: path exclusion for scans do not work

Re: path exclusion for scans do not work

Re: path exclusion for scans do not work