Under Review

[WSA - all versions] Exclusion of specific files/folders from scans


Userlevel 5
  • Community Guide
  • 165 replies
I'd like to suggest the addition of the ability to exclude certain files/folders from being scanned. I know the Detection Configuration on the Quarantine tab allows one to manually block or allow specific programs, but the broader exclusion options being suggested here are a bit more in depth than that.

86 replies

Userlevel 7
Has anything come of this? It says "reviewed" 5 months ago, but nothing further.
Userlevel 7
My apologies for not leaving a comment on this one.  This has been the subject of a lot of discussion since WSA was launched.  The concern behind such a feature is that it leaves a security hole in your protection.  Certain threats could make an effort to figure out which directories are unprotected, per the user not protecting them, and try to launch their code from those locations.  Since WSA would have already been told to leave anything alone that resides in that directory, any threat launched from that location would be able to infect the computer.
 
If you take a step back from the directory-view, it's clear to see that a user cannot simply make a determination on their own that "this computer won't have any infections in it, so I'm not going to worry about it."  That's the whole reason you need anti-virus software to begin with.  If it was as simple as "knowing" you're not going to infect the computer, something like WSA wouldn't be necessary to begin with.  Zooming back in to the directory level, it's the same kind of concern but at a more localized level.  While an end user might think "I will never get an infection in this directory, so I won't worry about it," that's unfortunately not really the case.  So when we are talking about purposely leaving an area of the drive unprotected, we are in effect, talking about limiting the efficacy of the program.  We wouldn't want a "feature" to end up being a security hole, and that would be a very likely outcome.

We didn't set this to "closed," due to the volume of the requests for the feature.  There are seven kudos for this idea, and coming from a support background, I can tell you I've heard this request quite a few times tacked onto the end of support calls.  In a perfect world, we would love to be able to facilitate a request like this, but it's difficult to do that while still keeping the computer completely secure.  The topic still comes up from time to time, and while it's not likely to happen, we don't necessarily want to quash the discussion on it if it turns out it's something people still want.
 
Separately from this idea, another idea was posted for temporarily whitelisting the entire contents of a directory but then continuing to monitor for new threats.  That request is more likely to happen because it cuts down or eliminates the potential for any possible negative results.  I'd suggest lending your kudos to that one as well.
The main item I would like this ability to exclude is data files like database files and program data for applications like Boinc.  In case of high speed access and throughput I am trying to remove any overhead, even small amounts. In the case of Boinc and other high speed crunching, I would like the ability to put in a specific directory and a specific file pattern match(es) to avoid the overhead of watching the reads and writes to the research input and output data.  These names change constantly, so it's not possible to keep an individual exclude file, but they do have patterns.
 
As it is now, when there are challenges when speed over a week's time matters, I currently end up disabling Webroot to remove the extra time and any potential for Webroot to quarantine a file and limit the use to those machines.
 
I do believe that some file types should not be excluded in this manner, executables for example.  Nor should a complete wildcard that matches all names be allowed.
 
Example output files for Poem@Home:
poempp_gpucrystal_1350548812_375409311_0_0
poempp_gpucrystal_1350548813_1930368710_0_1
 
Example input file names for Poem@Home:
32379_1350657629.in_1350657629_1479549195
32328_1350683581.in_1350683582_1673961276
30996_1350662618.in_1350662619_1169607691
 
 
 
 
 
Userlevel 7
Hi Brian,
If you allow for automatic batch exclusions of folders, file-types or file names, a file dropper could attempt to brute-force its way into your system by attempting to drop a threat into every folder on your computer using a randomized file name.  A more intelligent dropper might look for names that fit an allowed pattern.  This is discussed at some length in this thread, which I would suggest to anyone who is looking for more detail on this topic.

It should also be noted that if the files in question are not executable and are coming from a known Good program, WSA is not monitoring them in any sense that would increase read/write operations or CPU usage.  If the program creating them is Unknown, the best thing to do at that point would be to whitelist it to a Good file if that's appropriate.

The speed at which a process completes is, more often than not, considered very, very important.  That's why WSA is designed with performance in mind.  However, when you get down to the nanoseconds involved in WSA checking to see if a read/write involves an executable or not, you should really ask yourself why you invested in security software if those few nanoseconds are worth disabling the software and leaving the system wide open to attack for weeks at a time.  Does the potential for data theft, malware infections, viruses, etc. outweigh a few minutes spread out over multiple weeks?  If your performance hit has been anything more than statistically minute, have you contacted support about this yet?  Odds are, a setting may need to be tweaked regarding the program writing the files rather than changing anything regarding the files themselves.
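The constraints proposed in the request above (one directory, a name pattern, no executables, no catch-all wildcard) and the reply's concern about a file that merely fits an allowed name can be combined in one check. This is an added example, not part of either post and not Webroot's code; the function names, the extension list and the two-character minimum are assumptions, and the sample files are constructed.

```python
import fnmatch
import os
import tempfile

# Assumed policy lists, following the post's "executables should not be excluded".
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".msi"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF file headers

def validate_pattern(pattern):
    """Return reasons to reject an exclusion pattern (empty list = acceptable)."""
    problems = []
    if sum(c.isalnum() for c in pattern) < 2:  # assumed minimum of literal characters
        problems.append("pattern is a catch-all wildcard")
    if os.path.splitext(pattern)[1].lower() in EXECUTABLE_EXTS:
        problems.append("pattern targets an executable file type")
    return problems

def is_excluded(path, directory, pattern):
    """Skip scanning only for non-executable files matching the pattern in one directory."""
    path = os.path.abspath(path)
    name = os.path.basename(path)
    if os.path.dirname(path) != os.path.abspath(directory):
        return False
    if not fnmatch.fnmatchcase(name, pattern):
        return False
    if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
        return False
    with open(path, "rb") as fh:  # the name alone is not trusted; check the header
        return not fh.read(4).startswith(EXECUTABLE_MAGIC)

def demo():
    """Write constructed sample files to a temp directory and return the decisions."""
    samples = {
        "poempp_gpucrystal_1350548812_375409311_0_0": b"0.125 0.250\n",  # plain data
        "poempp_gpucrystal_1350548813_1930368710_0_1": b"MZ\x90\x00",    # PE header
        "poempp_gpucrystal_1.exe": b"0.125 0.250\n",                     # executable name
        "32379_1350657629.in_1350657629_1479549195": b"0.125 0.250\n",   # other pattern
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
            results[name] = is_excluded(os.path.join(d, name), d, "poempp_gpucrystal_*")
    return results

if __name__ == "__main__":
    for name, skipped in demo().items():
        print(f"{'skip' if skipped else 'scan'}  {name}")
```

Only the plain data file is skipped; the file with a matching name but an executable header is still scanned.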
Userlevel 7
Webroot is working hard on a number of improvements to Webroot SecureAnywhere Business Endpoint Protection, and although this idea has merit, other issues that apply to a larger percentage of our customer base are going to need to take priority in the near future. As such, we are going to need to move this idea to On Hold so we can focus our resources on other more-commonly requested features. While we will revisit this idea again in the future, this request will need to be deferred at this time.
We've been using WR AV for about 2 months. Great product with exception of this missing folder exclusion capability. We use another product for web filtering that during installation generates random file names which are confined to a specific folder on each system. Creating exceptions for literally 1000's of files manually is not a solution. I totally understand the reason for excluding this feature; however, I think development hasn't thought that all the way through. As the product administrator on a network it's totally reasonable to give that person control when to bypass scanning a folder or not to since they know their better than you ever will plus they assume security responsibilities when deviating from your best practice. That feature has been in all AV products that I've experienced forever.
 
This missing capability will likely change our decision to roll out this product across our client base. You have a really great product... please add this feature. - Thanks for consideration.
Having worked in ICT for more than 20 years I can see both sides of this argument.
It doesn't help not being able to exclude file type when troubleshooting performance issues though.
The risk here however should be for the end user to accept and not for the vendor to dictate.
With my current issue I will have to resort to switching off endpoint security on this machine which is a bigger security risk than just being able to exclude a number of file types from the program.
Should I discover the issue is endpoint related, I guess my advice to the board will be to change endpoint supplier to one that offers more flexible configurations. That would be far easier than persuading them away from the troublesome application.
We're a week away from needing to make a decision on AV and I was sold on this software... until I tried to find somewhere to place some exclusions so that I can run it on our Exchange server.
 
I understand the software works differently, but I'm not game to test it in production without being able to follow Microsoft's recommendations for file level AV and Exchange.  It's such an elementary function, and it hampers flexibility in a big way.  The comment by LeeBJames is pertinent, it is our risk to accept; especially in a business setting that has the expertise to make these sorts of calls, and is currently taking the same risk with another product excluding certain folders/files.
 
I'm disappointed, for our 60+ desktops it's fantastic.  I'm torn as I don't want to manage one lot of software for clients and a different suite for servers.
 
Is anyone else running Exchange (and SQL) server with this?
Userlevel 7
Hello s-twig and welcome to the Webroot Community.  
 
As your question sounds pretty specific to the Endpoint protection, might I direct your attention to the business specific forum Here?  You might put out a post there, instead of a comment on the Ideas here, as that might get a little more attention to your need?
Userlevel 7
Badge +56
This one is in the works and is waiting on QA testing currently.
Userlevel 4
Ok that's a good feature :D
Userlevel 7
Badge +55
That will make a lot of users happy! I have no need for it but for Developers & IT Pros for Business like @explanoit it will be a very welcome option also @brihy1 !
 
Daniel ;)
Userlevel 7
Oh yes, this will be very very very useful for our developers. Webroot doesn't like binaries it hasn't seen before, and programmers make binaries all the time...
Userlevel 7
Yeah, it would be great!
Glad to see this was moved to coming soon.  My subscription for Webroot is coming due soon and without the ability to exclude the Boinc data directories, I will not be renewing.  There have been multiple times that I have had to disable webroot because of issues with it and Boinc.
 
Is there an estimated date for the new feature?
Userlevel 7
Badge +55
Sounds like an upcoming idea will be terrific!!
This is a great feature to add, Anybody have an ETA? :D
Userlevel 4
Is it scheduled in WSA 2015-editions?
Userlevel 7
shadek, that is hard to know and we will only know as and when the first beta comes out.  But let's hope so.
Userlevel 7
Badge +55
Can we get an update on this Idea? Some are still asking.
 
Thanks,
 
Daniel
Userlevel 7
Badge +56
I haven't heard anything new on this one - I'm assuming it's making its way through QA still.
Userlevel 7
Badge +55
Since April though?
 
Thanks,
 
Daniel
Userlevel 7
Badge +56
Lemme check again :)
Userlevel 7
Badge +56
So the latest word from dev is estimate of January 2015.  Subject to change of course :)
