Virus scan service

Dear SAP gurus:),
I am trying to set up the virus scan service in our EP.
I used the virus scan adapter for testing (attachment of note 786179). I also followed the same steps as in this blog: https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/2454 [original link is broken]
I successfully completed all steps in the Visual Administrator and the virus scan adapter is working fine (I can test it at http://portalhostname:port/vscantest).
But there is a problem with the configuration of the Virus scan service in EP.
I have set up the profile, group and service, but when I try to run a report (Content Administration -> KM content -> Toolbox -> Reports -> Virus scan), the following error appears:
System error (com.sapportals.wcm.repository.VirusContentException): Operation failed. Error scanning document - contact your system administrator
Any ideas how to solve it?
Does anybody have some experience with the testing VSA from SAP?
Thank you!
Dan

Hi Daniel,
Have you been able to solve your problem? Unfortunately no answers so far.
greetings,
Richard

Similar Messages

  • Configuring Virus Scan Service for KM in EP7.0 18

    Dear gurus,
    I did virus scan configurations in ep7.0 18 but I couldn't do the configurations in KM.
    Is there a blog or document? All the blogs and documents are about Configuring Virus Scan Service for KM in EP 6.0.
    Best regards
    Tolga

    Hi Tolga,
    The configuration should be much the same, the only difference is that since SP13 you don't need to create profiles or groups any more, this is done automatically, you just need to activate two profiles in the AS Java. See the following link for more information:
    http://help.sap.com/saphelp_nw70/helpdata/EN/b8/f5af401efd8f2ae10000000a155106/frameset.htm
    Regards,
    Lorcan.

  • Virus Scan for KM

    HI all,
    I am configuring the Virus Scan for KM.
    I downloaded the VS Adapter from SAP and created the group, providers and profile in the Visual Admin.
    I checked <server_name>:<serverport>/vscantest and it is working fine.
    But I could view that services in the KM Framework. Can anybody help me with this?
    A helpful answer will be appreciated.
    regards,
    Kathiresan R

    Hi
    You can find the Virus scan services in Content Admin -> KM content -> Toolbox -> Reports. Here you will find the Virus scan service, with which you can scan the reports and schedule the scanning.
    Hope This Helps.
    Regards
    Hussain.

  • How do I virus scan my iMac with OS X

    How do I virus scan my iMac with OS X?

    Mac users often ask whether they should install "anti-virus" software. The answer usually given on ASC is "no." The answer is right, but it may give the wrong impression that there is no threat from what are loosely called "viruses." There  is a threat, and you need to educate yourself about it.
    1. This is a comment on what you should—and should not—do to protect yourself from malicious software ("malware") that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to log in to it remotely. That threat is in a different category, and there's no easy way to defend against it.
    The comment is long because the issue is complex. The key points are in sections 5, 6, and 10.
    OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
    2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."
    The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
    The following caveats apply to XProtect:
    ☞ It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
    ☞ It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
    As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.
    3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't necessarily been tested by Apple, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)
    Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
    ☞ It can easily be disabled or overridden by the user.
    ☞ A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
    ☞ An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
    Apple has so far failed to revoke the codesigning certificates of some known abusers, thereby diluting the value of Gatekeeper and the Developer ID program. These failures don't involve App Store products, however.
    For the reasons given, App Store products, and—to a lesser extent—other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. Sandbox security is based on user input. Never click through any request for authorization without thinking.
    4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
    5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, and a technological fix is not going to solve it. Trusting software to protect you will only make you more vulnerable.
    The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the scam artists. If you're smarter than they think you are, you'll win. That means, in practice, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.
    Software from an untrustworthy source
    ☞ Software of any kind is distributed via BitTorrent, or Usenet, or on a website that also distributes pirated music or movies.
    ☞ Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, or your browser, or any other software.
    ☞ Rogue websites such as Softonic and CNET Download distribute free applications that have been packaged in a superfluous "installer."
    ☞ The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.
    Software that is plainly illegal or does something illegal
    ☞ High-priced commercial software such as Photoshop is "cracked" or "free."
    ☞ An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission.
    Conditional or unsolicited offers from strangers
    ☞ A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
    ☞ A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.
    ☞ You win a prize in a contest you never entered.
    ☞ Someone on a message board such as this one is eager to help you, but only if you download an application of his choosing.
    ☞ A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.
    ☞ Anything online that you would expect to pay for is "free."
    Unexpected events
    ☞ A file is downloaded automatically when you visit a web page, with no other action on your part. Delete any such file without opening it.
    ☞ You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any file that isn't what you expected it to be.
    ☞ An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
    ☞ Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.
    I don't say that leaving the safe harbor just once will necessarily result in disaster, but making a habit of it will weaken your defenses against malware attack. Any of the above scenarios should, at the very least, make you uncomfortable.
    6. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
    Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
    Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
    Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.
    7. Never install any commercial "anti-virus" (AV) or "Internet security" products for the Mac, as they are all worse than useless. If you need to be able to detect Windows malware in your files, use one of the free security apps in the Mac App Store—nothing else.
    Why shouldn't you use commercial AV products?
    ☞ To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. This technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.
    ☞ Its design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, commercial AV software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
    ☞ By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.
    ☞ Most importantly, a false sense of security is dangerous.
    8. An AV product from the App Store, such as "ClamXav," has the same drawback as the commercial suites of being always out of date, but it does not inject low-level code into the operating system. That doesn't mean it's entirely harmless. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
    An AV app is not needed, and cannot be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.
    Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:
    London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe
    You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an organizational policy requires it. Windows malware is so widespread that you should assume it's in every email attachment until proven otherwise. Nevertheless, ClamXav or a similar product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who says you must run some kind of AV application. It's free and it won't handicap the system.
    The ClamXav developer won't try to "upsell" you to a paid version of the product. Other developers may do that. Don't be upsold. For one thing, you should not pay to protect Windows users from the consequences of their choice of computing platform. For another, a paid upgrade from a free app will probably have all the disadvantages mentioned in section 7.
    9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.
    10. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe from exploitation, no matter what you do. Navigating the Internet is like walking the streets of a big city. It's as safe or as dangerous as you choose to make it. The greatest harm done by security software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices.
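
The disguise in the attachment name quoted in section 8 above (a harmless-looking extension, a long run of spaces, then the real executable extension) can be checked for mechanically. The following Python check is an added example, not part of the original post; the extension lists, the padding threshold and the function names are assumptions, and the sample name is constructed from the quoted one. It also flags bidirectional control characters, which goes beyond the quoted case.

```python
import os
import re

# Assumed, non-exhaustive lists; tune them to the mail gateway's own policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY_EXTS = {".avi", ".mp3", ".mp4", ".jpg", ".png", ".pdf", ".doc", ".docx", ".txt"}

# Something that looks like a file extension and is followed by a space, a dot or the end.
EXT_LIKE = re.compile(r"\.[A-Za-z0-9]{2,4}(?=\s|\.|$)")
# Unicode controls that can reverse how part of a name is displayed.
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")


def inspect_attachment_name(name, min_padding=8):
    """Return a list of findings for one attachment file name (empty list = nothing odd)."""
    findings = []
    stem, ext = os.path.splitext(name.rstrip())
    ext = ext.lower()
    # 1. The extension the operating system will act on is the last one.
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension:" + ext)
    # 2. An earlier, innocent-looking extension is what the reader is meant to see.
    for match in EXT_LIKE.finditer(stem):
        if match.group(0).lower() in DECOY_EXTS:
            findings.append("decoy-extension:" + match.group(0).lower())
    # 3. A long whitespace run pushes the real extension out of the visible column.
    runs = re.findall(r"\s{%d,}" % min_padding, name)
    if runs:
        findings.append("whitespace-padding:%d" % max(len(r) for r in runs))
    # 4. Bidirectional overrides hide the real extension in a different way.
    if BIDI_CONTROLS.search(name):
        findings.append("bidi-control")
    return findings


def is_disguised_executable(name):
    """True when the name is executable AND carries at least one concealment trick."""
    findings = inspect_attachment_name(name)
    runs_code = any(f.startswith("executable-extension") for f in findings)
    return runs_code and len(findings) > 1


# Constructed sample: the name quoted in the post, with the 124 spaces written out.
SAMPLE = "London Terror Moovie.avi" + " " * 124 + "Checked By Norton Antivirus.exe"

if __name__ == "__main__":
    for candidate in (SAMPLE, "invoice.pdf.exe", "setup.exe", "holiday.avi"):
        print(repr(candidate[:30]), inspect_attachment_name(candidate),
              is_disguised_executable(candidate))
```

A plain `setup.exe` is reported as executable but not as disguised, so the check can feed a quarantine rule without blocking every installer.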

  • Virus scan during file check-in or upload

    Is there any option available for doing virus scan on file being check-in in UCM? Is there any UCM service/ webservice available to do virus scan?
    If we've implement custom logic for same, what's the best practice or approach to be followed from UCM standpoint.

    Hi,
    That can be done, for sure, but you will need an antivirus service (third party) that scans the actual file. Once you have that, you can communicate with it via some protocol and make the scanning requests. The service itself will be installed on some machine with all there is to it (according to the specs of the manufacturer) and then you can write a Java client/server (let's say) that adheres to the protocol the service imposes to make the communication possible. The service will do the scanning and your client/server will initiate the request, read the response, communicate with the WCC and so on and so forth...
    Considering that during the check-in the path of the file being checked-in is available and according to the service's API one can develop a flow that will scan the files before being actually checked-in. We have used SAVAPI - Secure AntiVirus Application Programming Interface (SAVAPI) from Avira that provides an interface to detect malware and repair infected files.
    Regards,
    Vlad
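
The flow described in the answer above (a client sends the file to a scanning service, reads the verdict, and only then lets the check-in proceed) as an added example that is not part of the original thread. It is written in Python and speaks the clamd `INSTREAM` protocol instead of SAVAPI, because the page does not show SAVAPI's wire format; the function names, `MARKER` and the in-process fake scanner are constructed for illustration.

```python
import socket
import struct
import threading

CHUNK = 8192
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature hit


def scan_stream(sock, data):
    """Speak clamd's INSTREAM command on a connected socket; return the verdict line."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length, then data
    sock.sendall(struct.pack("!I", 0))                        # zero-length chunk ends the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:              # daemon hung up without sending a verdict
            break
        reply += part
    return reply.rstrip(b"\0").decode("utf-8", "replace")


def allow_checkin(data, connect):
    """Gate a check-in on the scan result; `connect` returns a connected socket.

    Fails closed: a hit, a scanner error, an empty reply or an unreachable
    scanner all deny the check-in. Only the exact clean verdict admits it.
    """
    try:
        with connect() as sock:
            verdict = scan_stream(sock, data)
    except OSError as exc:
        return False, "scanner unavailable: %s" % exc
    return verdict == "stream: OK", verdict


def _read_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed")
        buf += part
    return buf


def _fake_scanner(sock):
    """Constructed test double for the daemon side of INSTREAM."""
    with sock:
        if _read_exact(sock, 10) != b"zINSTREAM\0":
            return
        body = b""
        while True:
            (n,) = struct.unpack("!I", _read_exact(sock, 4))
            if n == 0:
                break
            body += _read_exact(sock, n)
        hit = MARKER in body
        sock.sendall((b"stream: Constructed-Test FOUND" if hit else b"stream: OK") + b"\0")


def connect_fake_scanner():
    """Return a socket whose peer is the fake scanner, so the example runs offline."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_scanner, args=(server,), daemon=True).start()
    client.settimeout(5)
    return client


if __name__ == "__main__":
    print(allow_checkin(b"quarterly report", connect_fake_scanner))
    print(allow_checkin(b"abc" + MARKER + b"def", connect_fake_scanner))
```

Against a real daemon, pass `lambda: socket.create_connection((host, port), timeout=10)` as `connect`, where `host` and `port` are whatever the scanner is configured to listen on.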

  • Virus scan server Implementation

    Hello,
    We are planning to implement Virus scan server for CRM(ABAPJAVA) stack. We have CRM system(ABAPJAVA) running on Windows 64bit, and Anti virus semantic running on Windows. I need to install the virus scan server Interface for CRM(ABAP+JAVA) stack. I went to help.sap.com and found some of the URLs for installation, creating RFCs, etc., but it was not clear. If anyone knows how to install, create RFCs and do the post-configuration steps, please share.
    Does anyone have a full installation document?
    -Ahmed

    Hello Marcus,
    I already reviewed the link you provided. Here is what I am looking for. Here is more about what I needed:
    We have 4 SAP application servers for production environments. Do we need to install the Virus scan adapter on all SAP application servers, or only one?
    My SAP application server is 64bit but the VSI Adapter is 32 bit, so can we install both on the same machine, or does the VSA have to be installed on a different server?
    Software can be downloaded from AVIRA (Avira GmbH supports) or http://service.sap.com/swdc -> Download -> Support Packages and Patches -> SAP NetWeaver -> SAP NETWEAVER -> SAP NETWEAVER 2004S -> Entry by Component -> Application Server ABAP -> SAP VIRUS SCAN INTERFACE?
    Hope you can provide help. Thanks for your support
    - Ahmed

  • Virus scan profile activation in ODATA

    Hi Experts,
    I am facing an issue while uploading an image (*Base64 format) into SAP through NetWeaver OData Gateway services. The issue is that the content of the image is supposed to come in a field that has datatype Xstring, but when we include a field with data type Xstring the framework starts giving an error: no virus scan profile is active. We tried various combinations of the standard virus profiles maintained, but no resolution came out of it. We have now created a new profile in the customer namespace, but it gives an error: Incorrect Configuration for Profile <Profile Name>. We need help figuring out the correct configuration to maintain to fix this issue.
    There is an alternative: we deactivate the virus scan profile through transaction /IWFND/VIRUS_SCAN and then we are able to post the images, but this doesn't look like an ideal solution as it would involve transporting the virus scan profile to Production and Quality and then deactivating it there manually.
    I am getting error on "Recursive occurrence of virus scan profile  in the sequence"
    Please suggest.
    Regards,
    Dharmesh Sharma

    Hi Joerg,
    I found a solution as well. They shared a document. I made the changes but still have the same problem.
    Scan Profile setup
    Transaction SM34 -> VSCAN_PROFILE_VC
    Transaction /IWFND/VIRUS_SCAN
    Set the Zprofile to the default
    The Table /IWFND/C_CONFIG should have the entry
    Please suggest. I have an internal system and we don't have a virus server. I am confused.
    Regards,
    Dharmesh

  • Web Content Filtering / Virus Scanning appliance

    Hello all,
    I'm in the market for a content / URL / virus scanning device for our network. We are currently using MXLogic's Web Defense service and while it's very cheap it is not suiting our needs. What I'm looking for is an appliance that will do content filtering but also virus / malware / spyware scanning on web traffic. I'd also need to be able to set up policies / groups for different sets of users. For instance, the folks who purchase the products we sell need to be able to see our vendors' media (streaming video) content while our sales folks don't. I can't currently do this with MXLogic; it's all or nothing.
    Our firewall is an ASA5510 and I've looked at the Content Security SSM-10 module with the plus license, and while the pricing is definitely attractive I have a few questions about it. Does it integrate with MS Active Directory? In other words, can it filter based on groups and policies or is it more IP / ACL based? Also, does it perform well?
    I've also looked at the IronPort product Cisco sells and have similar questions regarding that, mainly what folks' experience with it is. Is it something you would recommend?

    Hi Allen,
    To answer your questions related to the CSC module:
    1. No, the CSC module does not integrate with Active Directory. This is something that Trend Micro has in the works, but as of now there is no ETA for this functionality.
    2. The CSC module will perform fairly well if used in the environment it was designed for. I would recommend taking a look at the CSC sizing guide to see if the CSC-SSM-10 would be something that is scalable enough for your network:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.html
    I cannot speak to the performance/functionality of IronPort as I have not used it personally, but I have heard good things. Also, external appliances from Websense seem to be a popular choice when you need a product that is a bit more scalable or granular than what the CSC module can provide.
    Hope that helps.
    -Mike

  • Unable to open the Virus Scan Provider in Visual Admin

    Hello, dear experts!
    [SAP WebAS 6.40 SP13 Windows]
    We have downloaded and installed the latest Anti-Vir dll as a virus scan provider (they are officially certified provider).
    After I tried to activate it gave me error message that the version of anti-virus software is incorrect.
    I restarted the SAP WebAS and since then I can't even get to open the Virus Scan Provider service in Visual Admin anymore.
    The Visual Admin complains on the status line:
    java.lang.ClassNotFoundException: com.sap.security.core.server.vsi.gui.VSIRuntimeControl.
    So I can't even change it back now.
    Please help!

    The problem went away once I rebooted the machine.

  • Virus Scan Interface (VSI) for external Virus Scanner Certification

    Hello *,
    I'm searching for information on how to certify an external scan software for the SAP VSI interface. Which person can I contact to get detailed information, or is there more information in the SDN, SAP Homepage and SAP Service Marketplace?
    Regards Ingo

    Hi Ingo,
    The ICC has this interface: Security - SAP Virus Scan Interface (NW-VSI)
    SAP NetWeaver - SAP Virus Scan Interface 2.0 (NW-VSI 2.0) [original link is broken] which might help you answer your question.  Let me know if this helps!
    Regards,
    John Ta

  • Malware/Virus Scan apps

    Hi there!
    I am just wondering what the best virus scan or malware apps out there are.  What are some that you all have had success with?

    There is no need to download anything to solve this problem.
    You may have installed the "VSearch" trojan, perhaps under a different name. Remove it as follows.
    Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
    Back up all data before proceeding.
    Step 1
    From the Safari menu bar, select
              Safari ▹ Preferences... ▹ Extensions
    Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
    Reset the home page and default search engine in all the browsers, if it was changed.
    Step 2
    Triple-click anywhere in the line below on this page to select it:
    /Library/LaunchAgents/com.vsearch.agent.plist
    Right-click or control-click the line and select
              Services ▹ Reveal in Finder (or just Reveal)
    from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
    Repeat with each of these lines:
    /Library/LaunchDaemons/com.vsearch.daemon.plist
    /Library/LaunchDaemons/com.vsearch.helper.plist
    /Library/LaunchDaemons/Jack.plist
    Restart the computer and empty the Trash. Then delete the following items in the same way:
    /Library/Application Support/VSearch
    /Library/PrivilegedHelperTools/Jack
    /System/Library/Frameworks/VSearch.framework
    ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
    Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
    The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine item from mplayerx.org.
    This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow.
    You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind VSearch has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

  • I am looking for a (free, ideally) virus scan/check for my MacBook Pro -- any suggestions?

    I am looking for a (free, ideally) virus scan/check for my MacBook Pro -- any suggestions?

    Mac users often ask whether they should install "anti-virus" software. The answer usually given on ASC is "no." The answer is right, but it may give the wrong impression that there is no threat from what are loosely called "viruses." There  is a threat, and you need to educate yourself about it.
    1. This is a comment on what you should—and should not—do to protect yourself from malicious software ("malware") that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to log in to it remotely. That threat is in a different category, and there's no easy way to defend against it.
    The comment is long because the issue is complex. The key points are in sections 5, 6, and 10.
    OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
    2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."
    The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
    The following caveats apply to XProtect:
    ☞ It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
    ☞ It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
    As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.
    3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't necessarily been tested by Apple, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)
    Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
    ☞ It can easily be disabled or overridden by the user.
    ☞ A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
    ☞ An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
    Apple has so far failed to revoke the codesigning certificates of some known abusers, thereby diluting the value of Gatekeeper and the Developer ID program. These failures don't involve App Store products, however.
    For the reasons given, App Store products, and—to a lesser extent—other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. Sandbox security is based on user input. Never click through any request for authorization without thinking.
    4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
    5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, and a technological fix is not going to solve it. Trusting software to protect you will only make you more vulnerable.
    The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the scam artists. If you're smarter than they think you are, you'll win. That means, in practice, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.
    Software from an untrustworthy source
    ☞ Software of any kind is distributed via BitTorrent, or Usenet, or on a website that also distributes pirated music or movies.
    ☞ Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, or your browser, or any other software.
    ☞ Rogue websites such as Softonic and CNET Download distribute free applications that have been packaged in a superfluous "installer."
    ☞ The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.
    Software that is plainly illegal or does something illegal
    ☞ High-priced commercial software such as Photoshop is "cracked" or "free."
    ☞ An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission.
    Conditional or unsolicited offers from strangers
    ☞ A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
    ☞ A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.
    ☞ You win a prize in a contest you never entered.
    ☞ Someone on a message board such as this one is eager to help you, but only if you download an application of his choosing.
    ☞ A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.
    ☞ Anything online that you would expect to pay for is "free."
    Unexpected events
    ☞ A file is downloaded automatically when you visit a web page, with no other action on your part. Delete any such file without opening it.
    ☞ You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any file that isn't what you expected it to be.
    ☞ An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
    ☞ Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.
    I don't say that leaving the safe harbor just once will necessarily result in disaster, but making a habit of it will weaken your defenses against malware attack. Any of the above scenarios should, at the very least, make you uncomfortable.
    6. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
    Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
    Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
    Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.
    7. Never install any commercial "anti-virus" (AV) or "Internet security" products for the Mac, as they are all worse than useless. If you need to be able to detect Windows malware in your files, use one of the free security apps in the Mac App Store—nothing else.
    Why shouldn't you use commercial AV products?
    ☞ To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. This technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.
    ☞ Its design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, commercial AV software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
    ☞ By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.
    ☞ Most importantly, a false sense of security is dangerous.
    8. An AV product from the App Store, such as "ClamXav," has the same drawback as the commercial suites of being always out of date, but it does not inject low-level code into the operating system. That doesn't mean it's entirely harmless. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
    An AV app is not needed, and cannot be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.
    Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:
    London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe
    You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an organizational policy requires it. Windows malware is so widespread that you should assume it's in every email attachment until proven otherwise. Nevertheless, ClamXav or a similar product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who says you must run some kind of AV application. It's free and it won't handicap the system.
    The ClamXav developer won't try to "upsell" you to a paid version of the product. Other developers may do that. Don't be upsold. For one thing, you should not pay to protect Windows users from the consequences of their choice of computing platform. For another, a paid upgrade from a free app will probably have all the disadvantages mentioned in section 7.
    9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.
    10. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe from exploitation, no matter what you do. Navigating the Internet is like walking the streets of a big city. It's as safe or as dangerous as you choose to make it. The greatest harm done by security software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices.
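The attachment name quoted in section 8 of the comment above hides the real extension behind a long run of spaces. The following is an added example, not part of the original post: a small Python check that flags such names and renders them with the padding made visible. The extension lists, the 8-character padding threshold and the sample names are assumptions constructed for illustration.

```python
import re

# Extensions that run code when opened on Windows (short, non-exhaustive; an assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk", "msi"}
# Extensions a recipient expects to be passive content (also an assumption).
DECOY_EXTS = {"avi", "mp4", "mov", "mp3", "jpg", "png", "gif", "pdf", "doc", "docx", "txt"}

# A run of 8 or more whitespace characters is treated as padding (threshold is an assumption).
PADDING_RUN = re.compile(r"\s{8,}")
# An extension-like token: a dot, 1-5 alphanumerics, then whitespace, another dot or the end.
EXT_TOKEN = re.compile(r"\.([A-Za-z0-9]{1,5})(?=\s|\.|$)")

# Constructed from the post's description: "[124 spaces]" expanded to 124 real spaces.
SAMPLE_NAME = "London Terror Moovie.avi" + " " * 124 + "Checked By Norton Antivirus.exe"


def final_extension(name):
    """Return the extension the operating system will act on, lower-cased."""
    # Windows ignores trailing dots and spaces, so strip them before looking.
    stem, dot, ext = name.rstrip(" .").rpartition(".")
    return ext.lower() if dot and stem else ""


def analyse_attachment_name(name):
    """Return a list of findings for one attachment file name."""
    findings = []
    ext = final_extension(name)
    executable = ext in EXECUTABLE_EXTS
    if executable:
        findings.append("executable-extension")
    if PADDING_RUN.search(name):
        # Padding pushes the real extension out of view in most mail clients.
        findings.append("whitespace-padding")
    earlier = [token.lower() for token in EXT_TOKEN.findall(name)][:-1]
    if executable and any(token in DECOY_EXTS for token in earlier):
        # A passive-looking extension appears before the real, executable one.
        findings.append("decoy-extension")
    return findings


def is_deceptive(name):
    """True when an executable name also tries to look like something else."""
    findings = analyse_attachment_name(name)
    return "executable-extension" in findings and len(findings) > 1


def render_safely(name):
    """Collapse each padding run into a visible marker, as the post does."""
    return PADDING_RUN.sub(lambda m: " [%d spaces] " % len(m.group()), name)


if __name__ == "__main__":
    # Constructed test names; only the first mirrors the example in the post.
    for candidate in (SAMPLE_NAME, "invoice.pdf.exe", "setup.exe", "holiday photos.jpg"):
        verdict = "DECEPTIVE" if is_deceptive(candidate) else "ok"
        print("%-9s %s -> %s" % (verdict, render_safely(candidate),
                                 analyse_attachment_name(candidate)))
```

A plain `setup.exe` is reported as executable but not deceptive; what this check isolates is the mismatch between what the name shows and what the system will run.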

  • Is there a virus scan for MacBooks?

    I was using "let me watch this" to watch Survivor. I fell asleep, and when I woke up, there was an error message on my laptop, telling me I must restart my computer by holding down the power button, because my laptop was frozen. This message was in English, French, and Japanese. I'm afraid it is a virus; I could not even send the details to Apple. Is there an affordable, trustworthy virus scan available for MacBooks?

    My original post asked about a virus scan, and as you know viruses are self replicated, not downloaded.
    That statement reveals a severe lack of understanding of malware, which is highly dangerous.  Most malware these days is NOT self-replicating.  Most malware comes as trojan horses, which rely on social engineering to trick users into installing them.  If you believe viruses are "not downloaded," you are at extreme risk of becoming infected.  You would do well to read my Mac Malware Guide.
    I never said I was downloading, or installing anything, I was merely watching a video.
    Many people have been "just watching videos" and gotten infected with malware as a result.  Consider, for example, the RSPlug malware, which has appeared on many less-reputable video sharing sites as a "plug-in" required to view the videos.
    Further, there is currently malware out there capable of infecting a Mac with no user interaction needed, through vulnerabilities in outdated versions of Java.  (See Flashback using Java vulnerabilities and Flashback infections becoming widespread.)  As you indicate that you are using Mac OS X 10.5.8, you are running an outdated version of Java, so if you have Java turned on in your browser, merely visiting the wrong site could infect you.
    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • Can't find Genieo virus on my Mac, but it shows in anti-virus scan

    I don't see Genieo on the browsers or in Finder files, but it still shows up when I run a Sophos Anti-Virus scan. Using Firefox browser, I downloaded new software to save space on my Mac. I uninstalled Firefox and the program that saves space on Mac afterwards, but Genieo keeps showing up on Anti-Virus scan.
    I'm slow when it comes to computers so if you give me instructions on how to uninstall it, please tell me what exactly to click on to follow the commands. I have a MacBook Pro 10.6.8. Thanks.


  • Automating McAfee Virus Scan Exclusions

    So I wanted to share with the community a function I wrote to assist in the automating of virus scan exclusions. In Windows 2008 R2, we were able to import a reg file with the exclusion so it wasn't a big deal. However, we are using 2012 R1/R2 with our Lync 2013 deployment and this option is no longer available to me. The team in charge of the central AV management servers (whatever it is called) are not offering to assist in loading a policy in their management server for our Lync deployment. Inserting a ton of exclusions manually for over a hundred servers (that is just a single customer) isn't something I would be willing to do manually, not to mention things would get missed. I made this relatively generic so it should work (I think) for other people. It sends keystrokes to the OS to accomplish this, as I couldn't find another way. I haven't found anyone who has a solution so I wrote this one. I could be much, much more involved in identifying which roles or what the server is (SQL, DC, SharePoint, etc), but I am not sure I want to spend that kind of time. Maybe in the future.
    Note: My "On-Access Scanner" is listed fourth in the Virus Scan Console. If yours is not, this will need some tweaking. This isn't really an appropriate solution (I just hack this stuff together), but it works.
    Things you need to know.
    Single file or single directory exclusions go into the array $Procs
    File Types go into $FileTypes
    Any directory that you want the sub directory to be excluded as well goes into $ProcIncludingSubs
    Function SetAVExclusions ()
    {
        $ErrorActionPreference = "silentlycontinue"
        # Returns the title of the window that currently has keyboard focus
        Function GetActiveWindows ()
        {
            # sample script to query winapi GetForegroundWindow and GetWindowText
            # (the closing "@ of the here-string must start at the beginning of its line)
            Add-Type @"
    // **** every time you make a change to this class, you have to restart powershell session or change class name to new name ****
    using System.Runtime.InteropServices;
    using System.Text;
    public class Win51
    {
        // P/Invoke declarations for the user32.dll window functions used below
        [DllImport("user32.dll", SetLastError = true)]
        static extern System.IntPtr FindWindow(string className, string windowName);
        [DllImport("user32.dll", SetLastError = true)]
        static extern System.IntPtr FindWindowEx(System.IntPtr parentHandle, System.IntPtr childAfter, string className, string windowTitle);
        [DllImport("user32.dll")]
        static extern System.IntPtr GetForegroundWindow();
        [DllImport("user32.dll")]
        static extern int GetWindowText(System.IntPtr hWnd, System.Text.StringBuilder text, int count);
        [DllImport("user32.dll")]
        static extern System.IntPtr GetWindow(System.IntPtr hWnd, uint uCmd);
        [DllImport("user32.dll")]
        static extern bool SetForegroundWindow(System.IntPtr hWnd);
        // Relationship values accepted by GetWindow
        enum UCmd
        {
            GW_CHILD = 5,
            GW_ENABLEDPOPUP = 6,
            GW_HWNDFIRST = 0,
            GW_HWNDLAST = 1,
            GW_HWNDNEXT = 2,
            GW_HWNDPREV = 3,
            GW_OWNER = 4
        }
        public string getForegroundWindowTitle()
        {
            const int nChars = 256;
            System.Text.StringBuilder Buff = new System.Text.StringBuilder(nChars);
            System.IntPtr handle = getForegroundWindow();
            if (GetWindowText(handle, Buff, nChars) > 0)
            {
                return Buff.ToString();
            }
            return null;
        }
        // returns null / 0 if find window fails
        public System.IntPtr findWindow(System.IntPtr hWndParent,System.IntPtr hWndChildAfter, string lpszClass, string lpszWindow)
        {
            System.IntPtr handle = FindWindowEx(hWndParent,hWndChildAfter, lpszClass, lpszWindow);
            // System.IntPtr handle = FindWindow(lpszClass, lpszWindow);
            return handle;
        }
        public System.IntPtr getForegroundWindow()
        {
            System.IntPtr handle = GetForegroundWindow();
            return handle;
        }
        public bool setForegroundWindow(System.IntPtr hWnd)
        {
            // call the imported SetForegroundWindow; calling this wrapper itself would recurse forever
            return SetForegroundWindow(hWnd);
        }
        public System.IntPtr getWindow(System.IntPtr hWnd, uint uCmd)
        {
            return GetWindow(hWnd,uCmd);
        }
    }
"@
            $winObj = New-Object Win51
            $text = $winObj.getForegroundWindowTitle();
            return $text
        } #End Function GetActiveWindows
    $Procs = @("{%}Systemroot{%}\system32\GroupPolicy\registry.pol",` # Corporate Defaults
    "{%}allusersprofile{%}\NTUser.pol",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edb*.log",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edb.chk",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Res1.log",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Res2.log",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Tmp.edb ",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\datastore.edb",` #KB822158
    "{%}windir{%}\security\*.chk",`
    "{%}windir{%}\security\*.edb",`
    "{%}windir{%}\security\*.log",`
    "{%}windir{%}\security\*.sdb",`
    "{%}windir{%}\security\database\Security.sdb",`
    "C:\quarantine",`
    "{%}systemroot{%}\System32\GroupPolicy\Machine\Registry.pol", ` #KB822158
    "{%}systemroot{%}\System32\GroupPolicy\User\Registry.pol", ` #KB822158
    "{%}windir{%}\security\database\*.edb",` #KB822158
    "{%}windir{%}\security\database\*.sdb",` #KB822158
    "{%}windir{%}\security\database\*.log",` #KB822158
    "{%}windir{%}\security\database\*.chk",` #KB822158
    "{%}windir{%}\security\database\*.jrs",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edb*.jrs",` #KB822158
    "{%}windir{%}\Ntds\Ntds.dit",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\Ntds.pat",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\ED*.log",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\Res*.log",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\Edb*.jrs",` #KB822158 - AD DCs
    "e:\Ntds\Ntds.dit",` #KB822158 - AD DCs
    "e:\Ntds\Ntds.pat",` #KB822158 - AD DCs
    "e:\Ntds\ED*.log",` #KB822158 - AD DCs
    "e:\Ntds\Res*.log",` #KB822158 - AD DCs
    "e:\Ntds\Edb*.jrs",` #KB822158 - AD DCs
    "{%}windir{%}\Ntfrs\jet\sys\edb.chk",` #KB822158 - AD DCs
    "{%}windir{%}\Ntfrs\jet\ntfrs.jdb",` #KB822158 - AD DCs
    "{%}windir{%}\Ntfrs\jet\log\*.log",` #KB822158 - AD DCs
    "{%}systemroot{%}\Sysvol\Staging areas\Nntfrs_cmp*.*",` #KB822158 - AD DCs
    "e:\Sysvol\Staging areas\Nntfrs_cmp*.*",` #KB822158 - AD DCs
    "{%}systemroot{%}\System32\Dns\*.log",` #KB822158 - AD DCs
    "{%}systemroot{%}\System32\Dns\*.dns",` #KB822158 - AD DCs
    "ABServer.exe", ` # Begin Lync 2013 Exclusions
    "AcpMcuSvc.exe", `
    "ASMCUSvc.exe", `
    "AVMCUSvc.exe", `
    "ChannelService.exe", `
    "ClsAgent.exe", `
    "ComplianceService.exe", `
    "DataMCUSvc.exe", `
    "DataProxy.exe", `
    "FileTransferAgent.exe", `
    "IMMCUSvc.exe", `
    "LysSvc.exe", `
    "MasterReplicatorAgent.exe", `
    "MediaRelaySvc.exe", `
    "MediationServerSvc.exe", `
    "MRASSvc.exe", `
    "OcsAppServerHost.exe", `
    "ReplicaReplicatorAgent.exe", `
    "ReplicationApp.exe", `
    "RtcHost.exe", `
    "RTCSrv.exe", `
    "XmppProxy.exe", `
    "XmppTGW.exe", `
    "Fabric.exe", `
    "FabricDCA.exe", `
    "FabricHost.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLServr.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSAS11.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSSQL11.LYNCLOCAL\MSMQL\Binn\SQLServr.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSMQL\Binn\SQLServr.exe", `
    "{%}systemroot{%}\System32\LogFiles", `
    "{%}systemroot{%}\SysWow64\LogFiles", `
    "{%}programfiles{%}\Microsoft Lync Server 2013", `
    "{%}programfiles{%}\commonfiles\Microsoft Lync Server 2013", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Mcx\Ext", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Mcx\Int", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Ucwa\Int", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Ucwa\Ext", `
    "{%}systemroot{%}\Windows\Microsoft.NET\Framework64\v4.0.30319\Config", `
    "{%}ProgramFiles{%}\Microsoft System Center 2012 R2\Server\Health Service State",` #Begin SCOM 2012 R2 Exclusions
    "{%}ProgramFiles{%}\System Center Operations Manager\Gateway\Health Service State",`
    "{%}ProgramFiles{%}\Microsoft Monitoring Agent\Agent\Health Service State",`
    "CShost.exe","Microsoft.Mom.Sdk.ServiceHost.exe","HealthService.exe","MonitoringHost.exe",`
    "e:\WAC_Server_Cache","e:\WAC_Server_Logs","e:\WAC_Server_Rendering_Cache"` # WC Server storage locations
    )
    # This section will exclude file types
    $FileTypes = @("MDF","LDF")
    # This section will include sub folders in the exclusion. Path must end in a \
    $ProcIncludingSubs = @("{%}programfiles{%}\Microsoft Lync Server 2013\", `
    "{%}systemroot{%}\RtcReplicaRoot\", `
    "{%}SystemDrive{%}\RtcReplicaRoot\", `
    "E:\RtcReplicaRoot\xds-replica\", `
    "{%}systemroot{%}\assembly\", `
    "{%}systemroot{%}\ServiceProfiles\", `
    "{%}systemroot{%}\Windows\Microsoft.NET\", `
    "{%}systemroot{%}\system32\inetsrv\", `
    "{%}systemroot{%}\system32\LogFiles\", `
    "{%}systemroot{%}\SysWOW64\inetsrv\", `
    "{%}systemroot{%}\SysWOW64\LogFiles\", `
    "{%}systemroot{%}\System32\Dns\Boot\",` #KB822158 - AD DCs
    "{%}programfiles{%}\Common Files\Microsoft Lync Server 2013\Watcher Node\" `
    )
    $TotalExclusionsinFunction = $Procs.Length + $FileTypes.Length + $ProcIncludingSubs.Length
    # Count the ExcludedItem_* values already present in the On Access Scanner configuration
    $TotalExclusionsinRegistry = ((Get-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default\').Property -match "ExcludedItem_").count
    If ($TotalExclusionsinFunction -eq $TotalExclusionsinRegistry)
    {
        Write-Host ""
        Write-Host "`tChecking Anti-Virus Exclusions in the Registry"
        Write-Host ""
        Write-Host "`t`tStatus : " -ForegroundColor White -NoNewline
        start-sleep -m 500
        Write-Host "Count Matches" -ForegroundColor Yellow
        Write-Host ""
        Write-Host "`t`t`tThe number of exclusions in this script match the number of exclusions in the registry" -ForegroundColor Yellow
        Start-Sleep 5
        return $true
    }
    [void] [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.VisualBasic")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    Write-Host "`tDisabling Artemis (Heuristic Scanning)" -ForegroundColor Cyan
    $VConsole = Get-Process -Name mcconsol -ErrorAction SilentlyContinue
    $VConsole1 = Get-Process -Name shcfg32 -ErrorAction SilentlyContinue
    If (($VConsole -ne $null) -or ($VConsole1 -ne $null))
    {
        If ($VConsole -ne $null)
        {
            $VConsole.CloseMainWindow() | Out-Null
        }
        If ($VConsole1 -ne $null)
        {
            Stop-Process -Processname shcfg32 -ErrorVariable "AOS" -Force
            If ($AOS)
            {
                Write-Host "`tForce Close Failed - Taking Extraordinary Actions (~20 Secs)" -ForegroundColor Yellow
                If ($ActiveApp -eq "On-Access Scan Properties")
                {
                    [System.Windows.Forms.SendKeys]::SendWait("{ESC}{ESC}{ESC}{ESC}{ESC}")
                }
                $ActiveApp = GetActiveWindows
                $Count = 0
                Write-Host "`t`t`t[" -ForegroundColor Yellow -NoNewline
                while (($ActiveApp -ne "On-Access Scan Properties") -and ($Count -lt 10))
                {
                    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
                    start-sleep 1
                    [System.Windows.Forms.SendKeys]::SendWait("{ESC}{ESC}{ESC}{ESC}{ESC}")
                    Start-Sleep 1
                    $Count++
                    $ActiveApp = GetActiveWindows
                    Write-Host "*" -ForegroundColor Green -NoNewline
                }
                Write-Host "]" -ForegroundColor Yellow
                $VConsole1 = Get-Process -Name shcfg32 -ErrorAction SilentlyContinue
                If ($VConsole1 -ne $null)
                {
                    Write-Host "`t`tIssue Closing the App"
                    Pause
                }
                Else
                {
                    start-sleep -m 500
                    & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
                }
            }
        }
        Write-Host "`t`tClosing all McAfee Windows"
        start-sleep -m 500
        & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    }
    Else
    {
        & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    }
    Start-Sleep 2
    # Setting Heuristic Settings to disabled
    Write-Host "`t`tGrabbing focus of window [On-Access Scan Properties]"
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep 1
    $ActiveApp = GetActiveWindows
    Write-Host "`t`tCurrent Focus is $ActiveApp"
    If ($ActiveApp -ne "On-Access Scan Properties")
    {
        Write-Host "`t`tUnable to get Focus On-Access Scan Properties"
        $Count = 0
        start-sleep -m 300
        while (($ActiveApp -ne "On-Access Scan Properties") -and ($Count -lt 10))
        {
            $Count++
            Write-Host "`t`t`t`tTrying again: $Count of 10 times"
            [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
            start-sleep -m 750
            $ActiveApp = GetActiveWindows
        }
        If ($ActiveApp -ne "On-Access Scan Properties")
        {
            Write-Host "`t`tUnable to grab focus of [On-Access Scan Properties]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
    }
    $KeyboardArray1 = "%S","{UP}","{UP}","{UP}","{UP}","{UP}","{UP}","{TAB}","{TAB}","{TAB}","{ENTER}"
    ForEach ($z in $KeyboardArray1)
    {
        # Stop if another window has taken focus, so keystrokes never go to the wrong application
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "On-Access Scan Properties")
        {
            Write-Host "`t`tUnable to keep focus on [On-Access Scan Properties]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait($z)
        start-sleep -m 300
    }
    start-sleep 2
    # Start Exclusions
    Write-Host "`tStarting VirusScan Exclusions" -ForegroundColor Cyan
    $VConsole = Get-Process -Name mcconsol -ErrorAction SilentlyContinue
    $VConsole1 = Get-Process -Name shcfg32 -ErrorAction SilentlyContinue
    If (($VConsole -ne $null) -or ($VConsole1 -ne $null))
    {
        If ($VConsole -ne $null)
        {
            $VConsole.CloseMainWindow() | Out-Null
        }
        If ($VConsole1 -ne $null)
        {
            Stop-Process -Processname shcfg32 -Force
        }
        Write-Host "`t`tClosing all McAfee Windows"
        start-sleep -m 500
        & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    }
    Else
    {
        & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    }
    Start-Sleep 2
    # Removing all On Access Scanner Exclusions
    Write-Host "`t`tGrabbing focus of window [On-Access Scan Properties]"
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep 1
    $ActiveApp = GetActiveWindows
    Write-Host "`t`tCurrent Focus is $ActiveApp"
    If ($ActiveApp -ne "On-Access Scan Properties")
    {
        Write-Host "`t`tUnable to get Focus On-Access Scan Properties"
        $Count = 0
        start-sleep -m 300
        while (($ActiveApp -ne "On-Access Scan Properties") -and ($Count -lt 10))
        {
            $Count++
            Write-Host "`t`t`t`tTrying again: $Count of 10 times"
            [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
            start-sleep -m 750
            $ActiveApp = GetActiveWindows
        }
        If ($ActiveApp -ne "On-Access Scan Properties")
        {
            Write-Host "`t`tUnable to grab focus of [On-Access Scan Properties]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
    }
    $KeyboardArray1 = "%S","{TAB}","{DOWN}","+{TAB}","+{TAB}","+{TAB}","+{TAB}","{RIGHT}","+{TAB}","+{TAB}","+{TAB}","+{TAB}","{RIGHT}","%E"
    #[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{DOWN}{TAB}{TAB}{TAB}{RIGHT}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{RIGHT}%E")
    ForEach ($z in $KeyboardArray1)
    {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "On-Access Scan Properties")
        {
            Write-Host "`t`tUnable to keep focus on [On-Access Scan Properties]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait($z)
        start-sleep -m 300
    }
    start-sleep 2
    # Removing exclusions 150 times.
    Write-Host "`t`tRemoving existing virus exclusions (up to 150)"
    [Microsoft.VisualBasic.Interaction]::AppActivate("Set Exclusions")
    start-sleep 5
    $ActiveApp = GetActiveWindows
    Write-Host "`t`tCurrent Focus is $ActiveApp"
    If ($ActiveApp -ne "Set Exclusions")
    {
        Write-Host "`t`tUnable to get Focus on Set Exclusions"
        $Count = 0
        start-sleep -m 300
        while (($ActiveApp -ne "Set Exclusions") -and ($Count -lt 10))
        {
            $Count++
            Write-Host "`t`t`t`tTrying again: $Count of 10 times"
            [Microsoft.VisualBasic.Interaction]::AppActivate("Set Exclusions")
            start-sleep -m 750
            $ActiveApp = GetActiveWindows
        }
        If ($ActiveApp -ne "Set Exclusions")
        {
            Write-Host "`t`tUnable to grab focus of [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
    }
    For ($i=1;$i -lt 150; $i++)
    {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions")
        {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%R")
    }
    start-sleep 1
    # Processing the different Directories and process
    ForEach ($y in $ProcIncludingSubs)
    {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions")
        {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%A{TAB}$y{TAB}{ADD}{ENTER}")
        Start-Sleep -m 200
    }
    ForEach ($y in $Procs)
    {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions")
        {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%A{TAB}$y{ENTER}")
        Start-Sleep -m 200
    }
    ForEach ($y in $FileTypes)
    {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions")
        {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%A%F{TAB}$y{ENTER}")
        Start-Sleep -m 200
    }
    [System.Windows.Forms.SendKeys]::SendWait("{ENTER}{TAB}{TAB}{TAB}{ENTER}")
    start-sleep 1
    Stop-Process -Processname shcfg32 -Force | Out-Null
    $TotalExclusionsinRegistry = ((Get-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default\').Property -match "ExcludedItem_").count
    If ($TotalExclusionsinRegistry -ne $TotalExclusionsinFunction)
    {
        Write-Host "`t`tUpdate appears to have failed" -ForegroundColor Yellow
        Start-Sleep 1
        Return $False
    }
    Return $True
    } #End Function
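
The function above checks its result only by comparing the number of `ExcludedItem_` values in the registry with the number of entries in its arrays. As an added example (not part of the original post), the PowerShell below compares the values themselves against a saved baseline, so a replaced or unapproved exclusion is reported even when the counts agree. The registry path and the `ExcludedItem_` prefix are the ones the post uses; the function names, the baseline file name and the sample values are assumptions.

```powershell
# Added example, not part of the original post.
# Registry key and value-name prefix are the ones the post's function reads.
$VseOasKey = 'HKLM:\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default'

function Get-ExcludedItemValue {
    # Returns the raw data of every ExcludedItem_* value under the key.
    # The data is treated as an opaque string; no field layout is assumed.
    param([string]$Path = $VseOasKey)

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.Property) {
        if ($name -like 'ExcludedItem_*') {
            [string]$key.GetValue($name)
        }
    }
}

function Compare-ExclusionSet {
    # Compares two lists of exclusion values as case-insensitive sets.
    # Value names (ExcludedItem_0, _1, ...) are ignored because their order
    # can differ between servers that hold the same exclusions.
    param(
        [string[]]$Baseline = @(),
        [string[]]$Current  = @()
    )

    # @{} hashtables compare string keys case-insensitively.
    $base = @{}
    foreach ($v in $Baseline) { if ($v) { $base[$v.Trim()] = $true } }
    $cur = @{}
    foreach ($v in $Current) { if ($v) { $cur[$v.Trim()] = $true } }

    $missing    = @($base.Keys | Where-Object { -not $cur.ContainsKey($_) }  | Sort-Object)
    $unexpected = @($cur.Keys  | Where-Object { -not $base.ContainsKey($_) } | Sort-Object)

    [pscustomobject]@{
        CountsMatch = ($base.Count -eq $cur.Count)   # what the post's check looks at
        InSync      = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
        Missing     = $missing                       # approved but not configured
        Unexpected  = $unexpected                    # configured but not approved
    }
}

# Constructed sample values (not real registry data): same count, different content.
$baseline = @('C:\quarantine', 'MDF', 'LDF')
$current  = @('c:\QUARANTINE', 'MDF', 'D:\scratch\')
$result = Compare-ExclusionSet -Baseline $baseline -Current $current
$result | Format-List

# On a server: save the approved list once, then compare each host against it.
#   Get-ExcludedItemValue | Set-Content -Path .\oas-baseline.txt
#   Compare-ExclusionSet -Baseline (Get-Content .\oas-baseline.txt) -Current (Get-ExcludedItemValue)
```

Because the values are compared as opaque strings, the baseline has to be captured from a server that was configured by the same method.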

    So i wanted to share with the community a function I wrote to assist in the automating of virus scan exclusions.  In Windows 2008 R2, we were able to import a reg file with the exclusion so it wasn't a big deal.  However, we are using 2012 R1/R2
    with our Lync 2013 deployment and this option is no longer available to me.  The team in charge of the central AV management servers (whatever it is called) are not offering to assist in loading a policy in their management server for our Lync deployment.
     Inserting a ton of exclusions manually for over hundred servers (that is just a single customer) isn't something I would be willing to do manually, not to mention things would get missed.  I made this relatively generic so it should work (I think)
    for other people.  It sends key strokes to the OS to accomplish as I couldn't find another way.  I haven't found anyone who has a solution so I wrote this one.  I could be much much more involved in identifying which roles or what the server
    is (SQL, DC, SharePoint, etc), but I am not sure I want to spend that kind of time.  Maybe in the future.
    Note:  My "One Access Scanner" is listed fourth in the Virus Scan Console.  If yours is not, this will need some tweaking. This isn't really an appropriate solution (I just hack this stuff together), but it works.   
    Things you need to know.
    Single file or single directory exclusions go into the array $Procs
    File Types go into $FileTypes
    Any directory that you want the sub directory to be excluded as well goes into $ProcIncludingSubs
    Function SetAVExclusions ()
    $ErrorActionPreference = "silentlycontinue"
    Function GetActiveWindows ()
    # sample script to query winapi GetForegroundWindow and GetWindowText
    Add-Type @"
    // **** every time you make a change to this class, you have to restart powershell session or change class name to new name ****
    using System.Runtime.InteropServices;
    using System.Text;
    public class Win51
    [DllImport("user32.dll", SetLastError = true)]
    static extern System.IntPtr FindWindow(string className, string windowName);
    [DllImport("user32.dll", SetLastError = true)]
    static extern System.IntPtr FindWindowEx(System.IntPtr parentHandle, System.IntPtr childAfter, string className, string windowTitle);
    [DllImport("user32.dll")]
    static extern System.IntPtr GetForegroundWindow();
    [DllImport("user32.dll")]
    static extern int GetWindowText(System.IntPtr hWnd, System.Text.StringBuilder text, int count);
    [DllImport("user32.dll")]
    static extern System.IntPtr GetWindow(System.IntPtr hWnd, uint uCmd);
    [DllImport("user32.dll")]
    static extern bool SetForegroundWindow(System.IntPtr hWnd);
    enum UCmd
    GW_CHILD = 5,
    GW_ENABLEDPOPUP = 6,
    GW_HWNDFIRST = 0,
    GW_HWNDLAST = 1,
    GW_HWNDNEXT = 2,
    GW_HWNDPREV = 3,
    GW_OWNER = 4
    public string getForegroundWindowTitle()
    const int nChars = 256;
    System.Text.StringBuilder Buff = new System.Text.StringBuilder(nChars);
    System.IntPtr handle = getForegroundWindow();
    if (GetWindowText(handle, Buff, nChars) > 0)
    return Buff.ToString();
    return null;
    // returns null / 0 if find window fails
    public System.IntPtr findWindow(System.IntPtr hWndParent,System.IntPtr hWndChildAfter, string lpszClass, string lpszWindow)
    System.IntPtr handle = FindWindowEx(hWndParent,hWndChildAfter, lpszClass, lpszWindow);
    // System.IntPtr handle = FindWindow(lpszClass, lpszWindow);
    return handle;
    public System.IntPtr getForegroundWindow()
    System.IntPtr handle = GetForegroundWindow();
    return handle;
    public bool setForegroundWindow(System.IntPtr hWnd)
    return setForegroundWindow(hWnd);
    public System.IntPtr getWindow(System.IntPtr hWnd, uint uCmd)
    return GetWindow(hWnd,uCmd);
    $winObj = New-Object Win51
    $text = $winObj.getForegroundWindowTitle();
    return $text
    } #End Function GetActiveWindows
    $Procs = @("{%}Systemroot{%}\system32\GroupPolicy\registry.pol",` # Corporate Defaults
    "{%}allusersprofile{%}\NTUser.pol",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edb*.log",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edb.chk",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Res1.log",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Res2.log",`
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Tmp.edb ",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\datastore.edb",` #KB822158
    "{%}windir{%}\security\*.chk",`
    "{%}windir{%}\security\*.edb",`
    "{%}windir{%}\security\*.log",`
    "{%}windir{%}\security\*.sdb",`
    "{%}windir{%}\security\database\Security.sdb",`
    "C:\quarantine",`
    "{%}systemroot{%}\System32\GroupPolicy\Machine\Registry.pol", ` #KB822158
    "{%}systemroot{%}\System32\GroupPolicy\User\Registry.pol", ` #KB822158
    "{%}windir{%}\security\database\*.edb",` #KB822158
    "{%}windir{%}\security\database\*.sdb",` #KB822158
    "{%}windir{%}\security\database\*.log",` #KB822158
    "{%}windir{%}\security\database\*.chk",` #KB822158
    "{%}windir{%}\security\database\*.jrs",` #KB822158
    "{%}windir{%}\SoftwareDistribution\Datastore\Logs\Edb*.jrs",` #KB822158
    "{%}windir{%}\Ntds\Ntds.dit",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\Ntds.pat",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\ED*.log",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\Res*.log",` #KB822158 - AD DCs
    "{%}windir{%}\Ntds\Edb*.jrs",` #KB822158 - AD DCs
    "e:\Ntds\Ntds.dit",` #KB822158 - AD DCs
    "e:\Ntds\Ntds.pat",` #KB822158 - AD DCs
    "e:\Ntds\ED*.log",` #KB822158 - AD DCs
    "e:\Ntds\Res*.log",` #KB822158 - AD DCs
    "e:\Ntds\Edb*.jrs",` #KB822158 - AD DCs
    "{%}windir{%}\Ntfrs\jet\sys\edb.chk",` #KB822158 - AD DCs
    "{%}windir{%}\Ntfrs\jet\ntfrs.jdb",` #KB822158 - AD DCs
    "{%}windir{%}\Ntfrs\jet\log\*.log",` #KB822158 - AD DCs
    "{%}systemroot{%}\Sysvol\Staging areas\Nntfrs_cmp*.*",` #KB822158 - AD DCs
    "e:\Sysvol\Staging areas\Nntfrs_cmp*.*",` #KB822158 - AD DCs
    "{%}systemroot{%}\System32\Dns\*.log",` #KB822158 - AD DCs
    "{%}systemroot{%}\System32\Dns\*.dns",` #KB822158 - AD DCs
    "ABServer.exe", ` # Begin Lync 2013 Exclusions
    "AcpMcuSvc.exe", `
    "ASMCUSvc.exe", `
    "AVMCUSvc.exe", `
    "ChannelService.exe", `
    "ClsAgent.exe", `
    "ComplianceService.exe", `
    "DataMCUSvc.exe", `
    "DataProxy.exe", `
    "FileTransferAgent.exe", `
    "IMMCUSvc.exe", `
    "LysSvc.exe", `
    "MasterReplicatorAgent.exe", `
    "MediaRelaySvc.exe", `
    "MediationServerSvc.exe", `
    "MRASSvc.exe", `
    "OcsAppServerHost.exe", `
    "ReplicaReplicatorAgent.exe", `
    "ReplicationApp.exe", `
    "RtcHost.exe", `
    "RTCSrv.exe", `
    "XmppProxy.exe", `
    "XmppTGW.exe", `
    "Fabric.exe", `
    "FabricDCA.exe", `
    "FabricHost.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLServr.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSAS11.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSSQL11.LYNCLOCAL\MSMQL\Binn\SQLServr.exe", `
    "{%}ProgramFiles{%}\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSMQL\Binn\SQLServr.exe", `
    "{%}systemroot{%}\System32\LogFiles", `
    "{%}systemroot{%}\SysWow64\LogFiles", `
    "{%}programfiles{%}\Microsoft Lync Server 2013", `
    "{%}programfiles{%}\commonfiles\Microsoft Lync Server 2013", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Mcx\Ext", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Mcx\Int", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Ucwa\Int", `
    "{%}ProgramFiles{%}\Microsoft Lync Server 2013\Web Components\Ucwa\Ext", `
    "{%}systemroot{%}\Windows\Microsoft.NET\Framework64\v4.0.30319\Config", `
    "{%}ProgramFiles{%}\Microsoft System Center 2012 R2\Server\Health Service State",` #Begin SCOM 2012 R2 Exclusions
    "{%}ProgramFiles{%}\System Center Operations Manager\Gateway\Health Service State",`
    "{%}ProgramFiles{%}\Microsoft Monitoring Agent\Agent\Health Service State",`
    "CShost.exe","Microsoft.Mom.Sdk.ServiceHost.exe","HealthService.exe","MonitoringHost.exe",`
    "e:\WAC_Server_Cache","e:\WAC_Server_Logs","e:\WAC_Server_Rendering_Cache"` # WC Server storage locations
    # This section will exlude file types
    $FileTypes = @("MDF","LDF")
    # This section will include sub folders in the exclusion. Path must end in a \
    $ProcIncludingSubs = @("{%}programfiles{%}\Microsoft Lync Server 2013\", `
    "{%}systemroot{%}\RtcReplicaRoot\", `
    "{%}SystemDrive{%}\RtcReplicaRoot\", `
    "E:\RtcReplicaRoot\xds-replica\", `
    "{%}systemroot{%}\assembly\", `
    "{%}systemroot{%}\ServiceProfiles\", `
    "{%}systemroot{%}\Windows\Microsoft.NET\", `
    "{%}systemroot{%}\system32\inetsrv\", `
    "{%}systemroot{%}\system32\LogFiles\", `
    "{%}systemroot{%}\SysWOW64\inetsrv\", `
    "{%}systemroot{%}\SysWOW64\LogFiles\", `
    "{%}systemroot{%}\System32\Dns\Boot\",` #KB822158 - AD DCs
    "{%}programfiles{%}\Common Files\Microsoft Lync Server 2013\Watcher Node\" `
    $TotalExclusionsinFunction = $Procs.Length + $FileTypes.Length + $ProcIncludingSubs.Length
    $TotalExclusionsinRegistry = ((Get-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default\').Property -match "ExcludedItem_").count
    If ($TotalExclusionsinFunction -eq $TotalExclusionsinRegistry)
    Write-Host ""
    Write-Host "`tChecking Anti-Virus Exclusions in the Registry"
    Write-Host ""
    Write-Host "`t`tStatus : " -ForegroundColor White -NoNewline
    start-sleep -m 500
    Write-Host "Count Matches" -ForegroundColor Yellow
    Write-Host ""
    Write-Host "`t`t`tThe number of exclusions in this script match the number of exclusions in the registry" -ForegroundColor Yellow
    Start-Sleep 5
    return $true
    [void] [System.Reflection.Assembly]::LoadWithPartialName("'Microsoft.VisualBasic")
    [void] [System.Reflection.Assembly]::LoadWithPartialName("'System.Windows.Forms")
    Write-Host "`tDisabling Artemis (Hueristic Scanning)" -ForegroundColor Cyan
    $VConsole = Get-Process -Name mcconsol -ErrorAction SilentlyContinue
    $VConsole1 = Get-Process -Name shcfg32 -ErrorAction SilentlyContinue
    If (($VConsole -ne $null) -or ($VConsole1 -ne $null))
    If ($VConsole -ne $null)
    $VConsole.CloseMainWindow() | Out-Null
    If ($VConsole1 -ne $null)
    Stop-Process -Processname shcfg32 -ErrorVariable "AOS" -Force
    If ($AOS)
    Write-Host "`tForce Close Failed - Taking Extrodinary Actions (~20 Secs)" -ForegroundColor Yellow
    If ($ActiveApp -eq "On-Access Scan Properties")
    [System.Windows.Forms.SendKeys]::SendWait("{ESC}{ESC}{ESC}{ESC}{ESC}")
    $ActiveApp = GetActiveWindows
    $Count = 0
    Write-Host "`t`t`t[" -ForegroundColor Yellow -NoNewline
    while (($ActiveApp -ne "On-Access Scan Properties") -and ($Count -lt 10))
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep 1
    [System.Windows.Forms.SendKeys]::SendWait("{ESC}{ESC}{ESC}{ESC}{ESC}")
    Start-Sleep 1
    $Count++
    $ActiveApp = GetActiveWindows
    Write-Host "*" -ForegroundColor Green -NoNewline
    Write-Host "]" -ForegroundColor Yellow
    $VConsole1 = Get-Process -Name shcfg32 -ErrorAction SilentlyContinue
    If ($VConsole1 -ne $null)
    Write-Host "`t`tIssue Closing the App"
    Pause
    Else
    start-sleep -m 500
    & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    Write-Host "`t`tClosing all McAfee Windows"
    start-sleep -m 500
    & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    Else
    & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    Start-Sleep 2
    # Setting Hueristic Settings to disabled
    Write-Host "`t`tGrabbing focus of window [On-Access Scan Properties]"
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep 1
    $ActiveApp = GetActiveWindows
    Write-Host "`t`tCurrent Focus is $ActiveApp"
    If ($ActiveApp -ne "On-Access Scan Properties")
    Write-Host "`t`tUnable to get Focus On-Access Scan Properties"
    $Count = 0
    start-sleep -m 300
    while (($ActiveApp -ne "On-Access Scan Properties") -and ($Count -lt 10))
    $Count++
    Write-Host "`t`t`t`tTrying again: $Count of 10 times"
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep -m 750
    $ActiveApp = GetActiveWindows
    If ($ActiveApp -ne "On-Access Scan Properties")
    Write-Host "`t`tUnable to grab focus of [On-Access Scan Properties]"
    Write-Host "`t`tStarting over again"
    Stop-Process -Processname shcfg32 -Force
    Start-Sleep 5
    Return $False
    $KeyboardArray1 = "%S","{UP}","{UP}","{UP}","{UP}","{UP}","{UP}","{TAB}","{TAB}","{TAB}","{ENTER}"
    ForEach ($z in $KeyboardArray1)
    $ActiveApp = GetActiveWindows
    If ($ActiveApp -ne "On-Access Scan Properties")
    Write-Host "`t`tUnable to keep focus on [On-Access Scan Properties]"
    Write-Host "`t`tStarting over again"
    Stop-Process -Processname shcfg32 -Force
    Start-Sleep 5
    Return $False
    [System.Windows.Forms.SendKeys]::SendWait($z)
    start-sleep -m 300
    start-sleep 2
    # Start Exclusions
    Write-Host "`tStarting VirusScan Exclusions" -ForegroundColor Cyan
    $VConsole = Get-Process -Name mcconsol -ErrorAction SilentlyContinue
    $VConsole1 = Get-Process -Name shcfg32 -ErrorAction SilentlyContinue
    If (($VConsole -ne $null) -or ($VConsole1 -ne $null))
    If ($VConsole -ne $null)
    $VConsole.CloseMainWindow() | Out-Null
    If ($VConsole1 -ne $null)
    Stop-Process -Processname shcfg32 -Force
    Write-Host "`t`tClosing all McAfee Windows"
    start-sleep -m 500
    & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    Else
    & 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHCFG32.EXE'
    Start-Sleep 2
    # Removing all On Access Scanner Exclusions
    Write-Host "`t`tGrabbing focus of window [On-Access Scan Properties]"
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep 1
    $ActiveApp = GetActiveWindows
    Write-Host "`t`tCurrent Focus is $ActiveApp"
    If ($ActiveApp -ne "On-Access Scan Properties")
    Write-Host "`t`tUnable to get Focus On-Access Scan Properties"
    $Count = 0
    start-sleep -m 300
    while (($ActiveApp -ne "On-Access Scan Properties") -and ($Count -lt 10))
    $Count++
    Write-Host "`t`t`t`tTrying again: $Count of 10 times"
    [Microsoft.VisualBasic.Interaction]::AppActivate("On-Access Scan Properties")
    start-sleep -m 750
    $ActiveApp = GetActiveWindows
    If ($ActiveApp -ne "On-Access Scan Properties")
    Write-Host "`t`tUnable to grab focus of [On-Access Scan Properties]"
    Write-Host "`t`tStarting over again"
    Stop-Process -Processname shcfg32 -Force
    Start-Sleep 5
    Return $False
    $KeyboardArray1 = "%S","{TAB}","{DOWN}","+{TAB}","+{TAB}","+{TAB}",,"+{TAB}","{RIGHT}","+{TAB}","+{TAB}","+{TAB}",,"+{TAB}","{RIGHT}","%E"
    #[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{DOWN}{TAB}{TAB}{TAB}{RIGHT}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{RIGHT}%E")
    # Send the keystrokes one at a time, checking window focus before each one
    ForEach ($z in $KeyboardArray1) {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "On-Access Scan Properties") {
            Write-Host "`t`tUnable to keep focus on [On-Access Scan Properties]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait($z)
        start-sleep -m 300
    }
    start-sleep 2
    # Removing exclusions 150 times.
    Write-Host "`t`tRemoving existing virus exclusions (up to 150)"
    [Microsoft.VisualBasic.Interaction]::AppActivate("Set Exclusions")
    start-sleep 5
    $ActiveApp = GetActiveWindows
    Write-Host "`t`tCurrent Focus is $ActiveApp"
    If ($ActiveApp -ne "Set Exclusions") {
        Write-Host "`t`tUnable to get Focus on Set Exclusions"
        $Count = 0
        start-sleep -m 300
        # Retry up to 10 times before giving up
        while (($ActiveApp -ne "Set Exclusions") -and ($Count -lt 10)) {
            $Count++
            Write-Host "`t`t`t`tTrying again: $Count of 10 times"
            [Microsoft.VisualBasic.Interaction]::AppActivate("Set Exclusions")
            start-sleep -m 750
            $ActiveApp = GetActiveWindows
        }
        If ($ActiveApp -ne "Set Exclusions") {
            Write-Host "`t`tUnable to grab focus of [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
    }
    For ($i=1;$i -lt 150; $i++) {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions") {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%R")
    }
    start-sleep 1
    # Processing the different Directories and process
    ForEach ($y in $ProcIncludingSubs) {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions") {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%A{TAB}$y{TAB}{ADD}{ENTER}")
        Start-Sleep -m 200
    }
    ForEach ($y in $Procs) {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions") {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%A{TAB}$y{ENTER}")
        Start-Sleep -m 200
    }
    ForEach ($y in $FileTypes) {
        $ActiveApp = GetActiveWindows
        If ($ActiveApp -ne "Set Exclusions") {
            Write-Host "`t`tUnable to keep focus on [Set Exclusions]"
            Write-Host "`t`tStarting over again"
            Stop-Process -Processname shcfg32 -Force
            Start-Sleep 5
            Return $False
        }
        [System.Windows.Forms.SendKeys]::SendWait("%A%F{TAB}$y{ENTER}")
        Start-Sleep -m 200
    }
    # Confirm the dialogs, then close the configuration tool
    [System.Windows.Forms.SendKeys]::SendWait("{ENTER}{TAB}{TAB}{TAB}{ENTER}")
    start-sleep 1
    Stop-Process -Processname shcfg32 -Force | Out-Null
    # Verify the result: count the ExcludedItem_ values now present in the registry
    $TotalExclusionsinRegistry = ((Get-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default\').Property -match "ExcludedItem_").count
    If ($TotalExclusionsinRegistry -ne $TotalExclusionsinFunction) {
        Write-Host "`t`tUpdate appears to have failed" -ForegroundColor Yellow
        Start-Sleep 1
        Return $False
    }
    Return $True
    } #End Function
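
The final check in the function above compares only the number of `ExcludedItem_` values against an expected count, so a wrong entry with the right total passes. The following is an added example, not part of the original post, that compares the exclusions by content; the function names `Get-OnAccessExclusionData` and `Compare-ExclusionSet` are hypothetical, and it assumes each `ExcludedItem_` value's data contains the excluded path, process or file type as a substring.

```powershell
# Added example: compares On-Access Scanner exclusions by content, not by count.
# Assumption: each ExcludedItem_* value's data contains the excluded item as a
# substring (the exact data layout is not shown on the page).

function Get-OnAccessExclusionData {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default\'
    )
    $key  = Get-Item -Path $KeyPath -ErrorAction Stop
    $data = @{}
    foreach ($name in ($key.Property | Where-Object { $_ -match '^ExcludedItem_' })) {
        $data[$name] = [string]$key.GetValue($name)
    }
    return $data
}

function Compare-ExclusionSet {
    param(
        [hashtable]$RegistryData,   # value name -> value data
        [string[]]$Expected         # items the script intended to exclude
    )
    # Expected items that no registry value mentions
    $missing = @($Expected | Where-Object {
        $item = $_
        -not ($RegistryData.Values | Where-Object { $_.IndexOf($item, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    })
    # Registry values that match none of the expected items
    $unexpected = @($RegistryData.GetEnumerator() | Where-Object {
        $entry = $_
        -not ($Expected | Where-Object { $entry.Value.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    } | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Missing    = $missing
        Unexpected = $unexpected
        Match      = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample data (not from a real system): the count matches the
# expected list, but one entry differs, which a count-only check would miss.
$sample   = @{ 'ExcludedItem_0' = 'C:\SampleApp\Data\'; 'ExcludedItem_1' = 'C:\Users\Public\' }
$expected = 'C:\SampleApp\Data\', 'C:\SampleApp\Logs\'
Compare-ExclusionSet -RegistryData $sample -Expected $expected | Format-List
# On a live host: Compare-ExclusionSet -RegistryData (Get-OnAccessExclusionData) -Expected $expected
```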
