Tuesday, October 11, 2011

Viewing McAfee Exclusions (Powershell)

The following script is an example of remote registry key reading using Powershell with .Net classes. If you need to examine Mcafee scan exclusions, you can find them in one of three subkeys. Depending on the risk level of the process, you will need to look in Default, Low risk or High risk locations. Each entry for exclusions is in a named key with numeric increments in the names. Each value contains a pipe separated triple of information which describes the type of the rule, when the rule should be applied (and if it applies to subfolders), and the exclusion pattern. The script will return all of the exclusions for the specified process classification, in the format of a PSObject Array with decoded rule information. Due to the length of the exclusion pattern value, you may need to further format the output or limit the columns returned to better view the results.


$server = $Args[0]
$level = $args[1]

if (($server -eq $null) -or ($Server -eq "")) {
  write-host -foregroundcolor "yellow"  "usage:  Get-McAfeeExclusions servername [level]"
  write-host -foregroundcolor "yellow"  "    Enter Server name to list Mcafee AV exclusion list.  Optionally"
  Write-Host -ForegroundColor "yellow"  "    you can enter the level to view (Default, High, Low)."

if ($level -ne $null) {
 if (-not (("Default","High","Low") -contains $level)) {
  Write-Host -ForegroundColor "yellow" "Invalid level specified, use Default | High | Low"
} else {
 $level = "Default"

function decode-mcafee-exclusion-code([int]$code) {
 switch ($code) {
  5 { return "Windows File Protection" }
  4 { return "Extension" }
  3 { return "FilePath" }
  2 { return "CreationDate" }
  0 { return "ModifiedDate" }

function decode-second-vals([int]$code) {
#for some reason I see path rules with values above 10 which have the same settings for below 10 rules.  7=15, 3=11
 switch ($code) {
  1 {return ("write")}
  2 {return ("read")}
  3 {return ("read","write")}
  5 {return ("subfolder","write")}
  6 {return ("subfolder","read")}
  7 {return ("subfolder","read","write")}
  11 {return ("read","write")}
  15 { return ("subfolder","read","write")}

$key = "Software\McAfee\VSCore\On Access Scanner\McShield\Configuration\" + $level
$type = [Microsoft.Win32.RegistryHive]::LocalMachine
$regkey = [Microsoft.win32.registrykey]::OpenRemoteBaseKey($type,$server)
$regkey = $regkey.opensubkey($key)

if (-not ($?)) {
 #error opening key, mcafee may not be installed
 Write-Error ("Unable to open mcafee registry key: " + $key)
 exit 1

$vals = $regkey.getvaluenames()
$results = New-Object collections.ArrayList

foreach ($val in $vals) {
 if ($val -match "ExcludedItem") {
  $entry = $regkey.getvalue($val)
  $exclusionvals = $entry.split("|")
  $ruletype = decode-mcafee-exclusion-code $exclusionvals[0]
  $settings = decode-second-vals $exclusionvals[1]
  $excludeditem = $exclusionvals[2]
  $myresult = New-Object psobject
  Add-Member -InputObject $myresult NoteProperty System $server
  Add-Member -InputObject $myresult NoteProperty RuleType $ruletype
  Add-Member -InputObject $myresult NoteProperty Settings $settings
  Add-Member -InputObject $myresult NoteProperty Exclusion $excludeditem
  $results.add($myresult) >$null

return $results 
Update: Jan 31, 2013
Now that I have come across some other versions of mcafee, it looks like the registry key structure is not standardized. If you get no values with the script, you can poke around in that same general registry area and find the appropriate key for your implementation.

No comments:

Post a Comment