I use EPS with SOA console. The other day, I had a false positive on a file which is an integral part of a mission critical program. I went to every single computer in the building, restored the file from the virus chest, created an exclusion on my system scan job, and thought the problem would be resolved. However, the next day the same file was once again detected. Furthermore, I had a few more detections under a folder which I long ago excluded. Do exclusions work at all? Here are the exclusions as I have them set:
Do environmental variables and wildcards work in avast? Also, is there any way to push a mass restore command to all clients from SOA? I’m not looking forward to having to go to every computer in the building each day until the false positive report I submitted gets resolved…
Edit: Forgot to mention that I also added %allusersprofile%\bluezone\adpinit.exe as a file shield exclusion after the initial false positive two days ago.
Hi,
Where have you put the exclusion? Only under the system scan job?
You must put the exclusion also under the group->shield settings->file system shield->exclusion
I’d also suggest you use this type of exclusion:
*\bluezone\adpinit.exe
and
*\windows\winsxs*
%allusersprofile%\bluezone\adpinit.exe would not work properly.
Thanks for the help. I’m still not certain why c:\windows\winsxs* hasn’t been working. I understand why it may be better (generally speaking) to use the wildcard instead of the drive letter, but every computer I manage uses C as the system drive, so there’s no reason this should not be working. I also have these exclusions set under the file system shield, but it’s the scheduled scans which are detecting them nonetheless. I have now added *\windows\winsxs* to the global exclusions as well. Hopefully that will help.
The mask is matched “as is” - i.e. if the false detection was shown as “%allusersprofile%\bluezone\adpinit.exe”, then it would work. If it’s shown as “C:\ProgramData\bluezone\adpinit.exe”, then it wouldn’t.
c:\windows\winsxs* should work though (if it’s detected this way).
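The matching rule described in the reply above (the mask is compared literally against the path exactly as the detection reports it, with no expansion of %VAR% names) can be checked offline before pushing exclusions from SOA. The script below is an added example written for this page, not code from the thread or from Avast; it models the matcher as a case-insensitive glob where `*` also spans backslashes (an assumption consistent with the `*\bluezone\adpinit.exe` suggestion, not a documented Avast behaviour), and the detection paths are constructed sample strings, not real report output.

```python
"""Pre-check exclusion masks against detection paths as an SOA report shows them.

Assumed matcher semantics (from the thread, not from Avast documentation):
  * the mask is matched literally against the reported path string;
  * %VAR% tokens in a mask are NOT expanded;
  * '*' matches any run of characters, including backslashes;
  * comparison is case-insensitive, as Windows paths are.
"""
import fnmatch

# Constructed sample detections in the form a report might list them (not real data).
DETECTIONS = [
    r"C:\ProgramData\bluezone\adpinit.exe",
    r"C:\Windows\winsxs\Temp\PendingDeletes\example.dll",  # constructed path
    r"D:\Apps\bluezone\adpinit.exe",                       # constructed path
]

# Masks discussed in the thread.
MASKS = [
    r"%allusersprofile%\bluezone\adpinit.exe",
    r"*\bluezone\adpinit.exe",
    r"c:\windows\winsxs*",
    r"*\windows\winsxs*",
]


def mask_matches(mask: str, path: str) -> bool:
    """Literal glob match of `mask` against `path` under the assumed semantics.

    fnmatch.fnmatchcase is used on lower-cased copies so that '*' and '?' are the
    only special characters, backslashes are ordinary characters, and the
    comparison is case-insensitive. No environment-variable expansion is done:
    '%allusersprofile%' only matches a path that literally contains that text.
    """
    return fnmatch.fnmatchcase(path.lower(), mask.lower())


def mask_report(masks, detections):
    """Map each mask to the list of detection paths it would exclude."""
    return {m: [p for p in detections if mask_matches(m, p)] for m in masks}


def uncovered_detections(masks, detections):
    """Detection paths that none of the masks cover; these will keep reappearing."""
    return [p for p in detections if not any(mask_matches(m, p) for m in masks)]


if __name__ == "__main__":
    for mask, hits in mask_report(MASKS, DETECTIONS).items():
        print(f"{mask!r:45} -> {hits}")
    print("not covered by any mask:", uncovered_detections(MASKS, DETECTIONS))
```

Running this shows the `%allusersprofile%` mask covering nothing (the report path contains `C:\ProgramData`, not the variable name), while `*\bluezone\adpinit.exe` covers the same file on any drive and `*\windows\winsxs*` covers everything under that folder. If the real console reports paths in a different form (UNC, short 8.3 names, or with the variable left unexpanded), feed those strings in instead; the mask must match the string the console prints, not the path you typed.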
Really disappointed in this. I have tried every combination I can think of on the winsxs folder, with no success. I have tried the full path, *\windows\winsxs*, *\winsxs*, winsxs, everything I can think of, and yet I still get almost daily detections in this folder. I have applied these settings to scheduled scans, file shield, and global exclusions, and none of these work. I have checked with the client computers, and these exclusions are being propagated; they simply don’t work.
Is there anyone out there who has actually gotten an exclusion to work using SOA? As far as I can tell, exclusions are completely broken.