Setting a process exclusion in your network
Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you already crossed that bridge.
You added a process exclusion using the GUI, it worked like a charm. As you need to have this exclusion set on all your systems, you opened the FCS console and edited the policy… At that time, you probably discovered that process exclusion cannot be set with the FCS policy.
I can hear you asking why not:
FCS is supported on multiple platforms (https://technet.microsoft.com/en-us/library/bb404245.aspx). One of them is Windows 2000 SP4 with Update Rollup 1, and process exclusions are not supported on this platform, because the only way to retrieve the process name is by using PEB (Process Environment Block), which resides in User mode. User mode processes can easily be manipulated (what we don’t want).
If you do set process exclusion on a computer running Windows 2000 with FCS installed, you will notice that the FCSAM service doesn’t want to start, which is something we definitely don’t want to happen.
No need to say what the impact would be if you deployed a policy with process exclusions to systems running Windows 2000… To prevent this scenario, process exclusions cannot be set via an FCS policy.
However, you can deploy (at your own risk) process exclusions via a Group Policy Object (GPO).
A couple of notes for this particular entry:
- This setting uses the full path of the process to be excluded as the name of the registry value. Note the <path to program> placeholders in the VALUENAME lines of the sample ADM file below. In order to change the process to exclude, you must change the registry value name (VALUENAME), not the data.
- Already running processes will not be excluded, and you need to restart the processes you want to exclude.
Below you can find an example of the content of such an ADM file – to save the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!Exclusion_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes"
EXPLAIN !!Exclusion_Explain
; Each PART writes one registry value under KEYNAME. The VALUENAME is the full
; path of the process to exclude: replace the <path to program>\programN.exe
; placeholder (no leading space inside the quotes) and keep every VALUENAME
; distinct, otherwise the parts overwrite the same value. The data (0) is unused.
PART "ProcessName1" DROPDOWNLIST REQUIRED
VALUENAME "<path to program>\program1.exe"
ITEMLIST
NAME ProcessName1 VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
PART "ProcessName2" DROPDOWNLIST REQUIRED
VALUENAME "<path to program>\program2.exe"
ITEMLIST
NAME ProcessName2 VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
PART "ProcessName3" DROPDOWNLIST REQUIRED
VALUENAME "<path to program>\program3.exe"
ITEMLIST
NAME ProcessName3 VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"
Exclusion_Name="FCS Process Exclusion"
Exclusion_Description="Setting a process to be excluded from FCS scans."
Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes. Not supported for Windows 2000."
Ignore_Default="Default"
Save the file as an ADM file, making sure to choose All files *.* as the file type, and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
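To confirm on a managed machine that the exclusions from the GPO actually arrived, the following PowerShell check is an added example, not part of the original post or of FCS itself. It reads the Processes key from the ADM above and flags the two pitfalls noted earlier (a leading space in VALUENAME, and a process that was already running when the exclusion applied); it assumes the FCS antimalware service is registered under the name "FCSAM", as the post calls it.

```powershell
# Added example, not from the original post: verify GPO-deployed FCS process
# exclusions on a client. Registry path is the KEYNAME from the ADM file.
# Assumption: the FCS antimalware service name is "FCSAM" (as named in the post).

$FcsExclusionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes'

function Get-FcsProcessExclusion {
    [CmdletBinding()]
    param([string]$Key = $FcsExclusionKey)

    if (-not (Test-Path -LiteralPath $Key)) {
        # Either the GPO never applied, or a higher-precedence GPO (for example
        # the auto-created FCS policy GPO) rewrote the Exclusions tree.
        Write-Warning "Exclusions key missing: $Key"
        return
    }

    $item = Get-Item -LiteralPath $Key
    # Image paths of running processes (Path is empty for some system processes).
    $running = Get-Process -ErrorAction SilentlyContinue |
               Where-Object { $_.Path } | Select-Object -ExpandProperty Path

    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{
            ExcludedProcess  = $valueName
            Data             = $item.GetValue($valueName)
            # " <path>\program.exe" can never match a real image path.
            LeadingSpace     = ($valueName -ne $valueName.TrimStart())
            # The exclusion only applies to processes started after it was set,
            # so a process that is already running must be restarted.
            CurrentlyRunning = ($running -contains $valueName)
        }
    }
}

function Get-FcsServiceState {
    # The post notes that FCSAM will not start when process exclusions reach an
    # unsupported platform, so report the service state beside the exclusions.
    $svc = Get-Service -Name 'FCSAM' -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status } else { 'NotInstalled' }
}

Get-FcsProcessExclusion | Format-Table -AutoSize
"FCSAM service: $(Get-FcsServiceState)"
```

Run it in an elevated session after gpupdate /force; an empty table with the warning means the key was not written or was overwritten, which is the precedence problem described in the comments.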
Thanks,
Kurt Sarens
SR. Security Support Engineer
Comments
Anonymous
January 01, 2003
Hi there! You are correct - there was a formatting blip during the posting process. I've edited the ADM to show where the replaceables are. Thanks!
Anonymous
January 01, 2003
Hi! Sorry, but I don't see anything in italics. So should I change the thing after the VALUENAME in "", and not the name "processname1"? Am I right?
Anonymous
January 01, 2003
I have crafted an ADM using this template and my processes and applied it to the OU that contains my servers. GPMC shows the values are defined and set. However, when I look in the registry there is no "Processes" node under the policy and no excluded processes show in the FF client. So I don't see any evidence that these exclusions are being applied. Am I missing something?
Anonymous
January 01, 2003
The GPO you create to apply the process exclusions has to have a higher link order precedence (lower #) than the auto-created GPO containing the Forefront policy. I had the FF policy first and my process exclusion policy second and wasn't getting the process exclusions. I even created those regkeys by hand, but as soon as I did a gpupdate /force it wiped them out. The default FF policy must wipe out the "Processes" registry key, so you've got to make sure your policy wins.