
path exclusion for scans do not work



L1 Bithead

Hello to all,

 

I am experiencing a problem on a machine where scans are pushing the overall CPU load to 100% for several minutes to several hours and only slowly decreasing.

This causes problems for the use of the Syngo.Via software installed on this machine and the syngo.via server is not responding, the syngo.via clients are not usable and freeze/plant or respond very slowly.

In the documentation of this software there are exclusions to be made in the antivirus:
- C:\ISPACE\*.* (if present)
- C:\Program Files\Siemens\*.*
- C:\Program Files (x86)\Siemens\*.*
- C:\store\*.*
- C:\sysmgtmt\*
- C:\WindowsInstaller*.
- D:\SQL_DATA\*.*
- D:\MSSQL13.MSSQLSERVER_SYDS\*.* ([13] depends on the instance)
- E:\frontier\* (if present)
- E:\storagefw\*.
- E:\sysmgtmt\*.
- M:\BackupRestore\MSSQL
- N:\WindowsImageBackup\*.
- S:\*.*

as well as the options to be deactivated:

- Do not scan compressed files.
  No compressed files should be scanned as this may lead to performance issues. However, scan compressed files during scheduled full scans!
- Deactivate heuristic search.
  Heuristic search should not be activated as the risk of false positives may arise.
- Deactivate advanced intrusion detection/prevention (IDS/IPS) and firewall features.
  Virus protection suites (for example, suites including firewall and intrusion detection applications) are not supported. Deactivate additional features.
- If you are able to define a default warning text in case an infected file is found, set it to "Virus Scan Alert!"
- Only the following actions should be performed if an infected file is found:
  - Set the found file to quarantine.
  - Write an event to the event log.
  To prevent data loss in case of false positives, do not delete or repair infected files automatically. You have to check files manually and delete them if necessary.
- Only the following actions should be performed if spyware, adware, dialers, hack tools, trackware, password crackers, trojans, joke programs, or key loggers are found:
  - Set the found file to quarantine.
  - Write an event to the event log.
- In case of remote administrator tools, ignore findings but create events.
- In case of other unwanted programs, ignore findings but create events.

 

All paths have been added to all modules of the malware profile

 

 

I did add these paths to the exclusions, but Cortex keeps scanning them. I don't know why; can you help me?

 

And where to disable Syngo recommendations (compressed, heuristic, etc.)?

 

Thank you

4 REPLIES

L4 Transporter

Hi @S-LEGOUGE , 

Thanks for writing to us in LIVEcommunity.

I'm sorry that your message went unanswered for a while; I've just found it unanswered.

After reading your message and understanding your issue, I would recommend opening a TAC support ticket.

I hope this helped,

eLuis 

Hi @eluis ,

 

One case is currently open and troubleshooting is underway with support.

 

Thank you

 

Regards,

L0 Member

Was this ever solved? If yes, how? Maybe with a support exception that is disabling syscalls?

L0 Member

We have the same problem. Excluding all this number of directories, as requested in Siemens documentation, opens the door to injecting malicious stuff. Thanks
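
The last reply points at the risk that comes with excluding this many directories. One compensating check, as an added example that is not from this thread, Siemens or Palo Alto Networks: list which principals outside a small trusted set hold write-type rights on the excluded directories, since those are the accounts that could place content where the scanner will not look. The trusted-SID list and the trimming of wildcard suffixes from the paths are assumptions of this example.

```powershell
# Added example: directories taken from the exclusion list quoted in the first post,
# with the wildcard suffixes dropped. C:\WindowsInstaller*. is omitted (not a directory path).
$ExcludedPaths = @(
    'C:\ISPACE', 'C:\Program Files\Siemens', 'C:\Program Files (x86)\Siemens',
    'C:\store', 'C:\sysmgtmt', 'D:\SQL_DATA', 'D:\MSSQL13.MSSQLSERVER_SYDS',
    'E:\frontier', 'E:\storagefw', 'E:\sysmgtmt', 'M:\BackupRestore\MSSQL',
    'N:\WindowsImageBackup', 'S:\'
)

# Assumption: only these well-known principals are expected to hold write access.
$TrustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow creating, replacing or re-permissioning content,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits seen on some inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

$findings = foreach ($path in $ExcludedPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # "(if present)" entries may not exist
    $acl = Get-Acl -LiteralPath $path
    # Ask for SIDs rather than names so the comparison is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # Resolve the SID to a readable name where possible.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }
        [pscustomobject]@{
            Path      = $path
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Each row is an account that can write into a directory the scanner skips.
$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

Only the ACL on each top-level directory is read, so subfolders with broken inheritance need a separate pass. Service accounts that legitimately write there (for example the SQL Server service on the data directories) will appear in the output and have to be reviewed rather than assumed safe.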
