Setting a process exclusion in your network

Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you have already crossed that bridge.

You added a process exclusion using the GUI and it worked like a charm. Since you need this exclusion on all your systems, you opened the FCS console and edited the policy… and discovered that a process exclusion cannot be set in an FCS policy.

I can hear you asking why not:

FCS is supported on multiple platforms (https://technet.microsoft.com/en-us/library/bb404245.aspx). One of them is Windows 2000 SP4 with Update Rollup 1, and process exclusions are not supported on that platform: on Windows 2000 the only way for FCS to retrieve the name of the process touching a file is to read it from the PEB (Process Environment Block), which lives in user mode and is writable by the process itself. A process could therefore present the name of an excluded process and have its file activity skipped by the scanner, which is exactly what we don't want.

If you do set a process exclusion on a computer running Windows 2000 with FCS installed, you will notice that the FCSAM service refuses to start, which is something we definitely don't want to happen.

Needless to say what the impact would be if you deployed a policy with process exclusions to systems running Windows 2000… To prevent that scenario, process exclusions cannot be set via an FCS policy.

However, you can deploy (at your own risk) process exclusions via a Group Policy Object (GPO). Scope that GPO so it never reaches a Windows 2000 computer: link it to an OU that contains none, or use security group filtering. A WMI filter is not enough on its own, because Windows 2000 clients ignore WMI filters and apply the GPO anyway.

A couple of notes for this particular entry:

  • This setting uses the full path of the process to be excluded as the name of the registry value (the VALUENAME in the ADM file); the value data is always DWORD 0. The <path to program>\program1.exe entries in the sample ADM file below are placeholders. To change the process to exclude, change the value name (VALUENAME), not the data, and make sure there is no space between the opening quote and the path: everything inside the quotes becomes part of the value name, and a name with a stray space will never match the real image path.
  • Processes that are already running are not excluded; restart each process you want excluded after the policy has applied.

Below is an example of the content of such an ADM file. To create it, start Notepad and paste the following text:

CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!Exclusion_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes"
EXPLAIN !!Exclusion_Explain
PART "ProcessName1" DROPDOWNLIST REQUIRED
VALUENAME "<path to program>\program1.exe"
ITEMLIST
NAME "ProcessName1" VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
PART "ProcessName2" DROPDOWNLIST REQUIRED
VALUENAME "<path to program>\program2.exe"
ITEMLIST
NAME "ProcessName2" VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
PART "ProcessName3" DROPDOWNLIST REQUIRED
VALUENAME "<path to program>\program3.exe"
ITEMLIST
NAME "ProcessName3" VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
END POLICY
END CATEGORY

[strings]

FCSCategory="Microsoft Forefront Client Security"
Exclusion_Name="FCS Process Exclusion"
Exclusion_Description="Setting a process to be excluded from FCS scans."
Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes. Not supported on Windows 2000."
Ignore_Default="Default"

Save the file with an .adm extension, choosing All files (*.*) as the file type so that Notepad does not append .txt, and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
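As an added example (my own script, not part of the original post and not Microsoft code), here is a small Python generator for the ADM file above that takes any number of process paths, plus a linter for a hand-edited ADM file. It catches the mistakes the three-slot template invites: a stray space inside the quoted VALUENAME (which becomes part of the value name, so the exclusion silently never matches), an unfilled <path to program> placeholder, and the same path pasted into two slots. The key name and the DWORD 0 data come from the sample above; the path rule (absolute local path ending in .exe) and the string-table wording are my assumptions.

```python
# Added example, not from the original post: generate an FCS process-exclusion
# ADM template from a list of executable paths, and lint an existing one.
import re
from typing import Iterable, List

# Registry key from the post's ADM file; each excluded process is a DWORD 0
# value under this key whose *name* is the full path of the executable.
KEYNAME = (r"SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security"
           r"\1.0\AM\Exclusions\Processes")

# Assumption: an absolute local path ending in .exe, with no characters that
# are illegal in NTFS file names.
_EXE_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+\.exe',
                       re.IGNORECASE)


def validate_process_path(path: str) -> str:
    """Return the path unchanged if it is usable as a VALUENAME, else raise."""
    if path != path.strip():
        # Anything inside the quotes becomes part of the registry value name,
        # so a leading space means FCS never matches the real image path.
        raise ValueError(f"surrounding whitespace in {path!r}")
    if '"' in path or "<" in path or ">" in path:
        raise ValueError(f"unfilled placeholder or quote in {path!r}")
    if not _EXE_PATH.fullmatch(path):
        raise ValueError(f"not an absolute path to an .exe: {path!r}")
    return path


def build_adm(paths: Iterable[str]) -> str:
    """Build the ADM text: one PART per process, value data DWORD 0 as in the post."""
    clean = [validate_process_path(p) for p in paths]
    if not clean:
        raise ValueError("no process paths given")
    if len({p.lower() for p in clean}) != len(clean):
        raise ValueError("duplicate process path")
    parts = []
    for i, p in enumerate(clean, 1):
        parts.append("\n".join([
            f'PART "ProcessName{i}" DROPDOWNLIST REQUIRED',
            f'VALUENAME "{p}"',
            "ITEMLIST",
            f'NAME "ProcessName{i}" VALUE NUMERIC 0 DEFAULT',
            "END ITEMLIST",
            "END PART",
        ]))
    return "\n".join([
        "CLASS MACHINE",
        "CATEGORY !!FCSCategory",
        "POLICY !!Exclusion_Name",
        f'KEYNAME "{KEYNAME}"',
        "EXPLAIN !!Exclusion_Explain",
        *parts,
        "END POLICY",
        "END CATEGORY",
        "",
        "[strings]",
        'FCSCategory="Microsoft Forefront Client Security"',
        'Exclusion_Name="FCS Process Exclusion"',
        'Exclusion_Explain="Process exclusions for FCS. Not supported on Windows 2000."',
        "",
    ])


def lint_adm(text: str) -> List[str]:
    """Return the problems found in an ADM file; an empty list means it looks sane."""
    problems: List[str] = []
    names = re.findall(r'^[ \t]*VALUENAME[ \t]+"(.*)"[ \t]*$', text, re.MULTILINE)
    seen = set()
    for n in names:
        try:
            validate_process_path(n)
        except ValueError as err:
            problems.append(str(err))
        if n.lower() in seen:
            problems.append(f"duplicate VALUENAME {n!r}")
        seen.add(n.lower())
    opened = len(re.findall(r"^[ \t]*PART\b", text, re.MULTILINE | re.IGNORECASE))
    closed = len(re.findall(r"^[ \t]*END PART\b", text, re.MULTILINE | re.IGNORECASE))
    if opened != closed:
        problems.append(f"{opened} PART blocks but {closed} END PART lines")
    return problems


# Constructed sample with the copy-paste mistakes a hand-edited template invites:
# a space after the opening quote, an unfilled placeholder, one path used twice.
BAD_SAMPLE = r'''CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!Exclusion_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes"
Part "ProcessName1" DROPDOWNLIST REQUIRED
VALUENAME " <path to program>\program1.exe"
ITEMLIST
NAME ProcessName1 VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
Part "ProcessName2" DROPDOWNLIST REQUIRED
VALUENAME " <path to program>\program1.exe"
ITEMLIST
NAME ProcessName2 VALUE NUMERIC 0 DEFAULT
END ITEMLIST
END PART
END POLICY
END CATEGORY
'''

if __name__ == "__main__":
    print(build_adm([r"C:\Program Files\Backup\backup.exe", r"D:\Tools\agent.exe"]))
    for problem in lint_adm(BAD_SAMPLE):
        print("lint:", problem)
```

Write the generator's output to a file with an .adm extension and import it as described above; run the linter over any template that was edited by hand before it goes into a GPO, since a bad value name does not produce an error anywhere, it just leaves the process scanned.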

Thanks,

Kurt Sarens
SR. Security Support Engineer