avast BP exclusions client keeps being over written and cant add in console

[williamstam]

hi

we have a server that requires a path ""C:\Program Files (x86)\Marshal\WebMarshal\Temp"" to be excluded from scanning. (webmarshal doesnt like it when avast scans that folder)

ive added the exclusion to the servers managed avast client in settings as well as file system shield.

but it seems the console keeps replacing the settings. how do i go about making it fixed?

i thought of adding the exclusions to the console.. but doesnt seem like its possible to "configure" the shields like file system shield in the admin console. this is defs an issue as it keeps making webmarshal die..

[jx]

we have a server that requires a path ""C:\Program Files (x86)\Marshal\WebMarshal\Temp"" to be excluded from scanning. (webmarshal doesnt like it when avast scans that folder)

Hi,

you are in a situation when one computer only needs to behave a bit differently. I would suggest creating an extra management group in the admin console for this computer (in addition to the default one) and add this computer to this group. Then you set up the exceptions/exclusions on this group in the admin console. (Edit group settings, tab "exclusions").

The setting should propagate on the server right away and should work fine.

The console is right in replacing the settings: it does so to ensure that no users are tampering with the settings on their workstations. Or rather to be precise: to fix things up even if they tamper with the settings somehow.

jx

[williamstam]

thought of doing that.. but then.. you cant add exclusions to the shields it seems..

[williamstam]

just added it in advanced settings.. would be cool if you could do the "sheields" settings aswell from the gui.. after messing up my last BP console im a little dubious about "advanced settings" lol

works well now.

whats the use for the clients to have "settings" even if the servers gonna replace it all the time?

makes more sense for the server to configure the client.. but any settings the client changes localy.. to be stuck for that client.. and to report back to the server that that machine has a changed option.. giving the server an option to over write or ignore it.

please send that request / suggestion to the dev / QA team? (that as well as the option to edit the shields options in the console - although i suspect they probs busy with it already)

[jx]

whats the use for the clients to have "settings" even if the servers gonna replace it all the time?

1) Suppose you have somebody travelling with their laptop and only connecting to the company network once in a while... Perhaps they've rebooted their machine 10 times and are not able to connect to company network now. Does the client need some "cached" settins? I bet so! ;-)
2) What if a piece of hardware malfunctions in your server? Could only be a network card or power source... so the admin runs to the nearest shop to buy the replacement... but I think you still expect avast to protect your workstations. Am I right? That's what the settings are for on the client... it's a cache - "best guess".

makes more sense for the server to configure the client.. but any settings the client changes localy.. to be stuck for that client.. and to report back to the server that that machine has a changed option.. giving the server an option to over write or ignore it.

This really is a "chicken or egg" type of problem.

Usually the clients are password protected anyway. This pretty much says that only admin is able to see (alter) the settings anyway. What you are proposing sounds to me something like: "the admin on the workstation overrides the settings sent from the server, but the server is notified. At the server we raise a question for the admin, asking him if he wants to change the setting of the admin at the end of the line (on the workstation) or allow an exception"...

For this reason we decided to only have one central place where changes can be made and really persisted and this is the place where the changes are primarily applied from to each group. Note I am not talking about a computer but a GROUP. Group is where you apply settings in ABP, if you need individual settings for individual computers, you'll need more groups.

We'll give the concept with notifications and overridings you suggest another thought, perhaps this behavior will change in future, but no promise on this.

Regards

jx

[williamstam]

hehe cool. i still think the settings thing is a bit weird.. settings set on the client "should" remain.
be like "these pc's have custom configs" clicking on the pc shows the changes in the config.

like exclusions.. surey each work station should be allowed to have a dif path for exclusion? (yeah exclusions is a bad eg.. nothing should be set to excluded.. but still)

have the "settings" button disabled if the AV is communicating with the server (in regards to the traveling thing)

the groups thing could get complicated..

say you have 3 settings.. that are dif

setting A, setting B, setting C

pc 1 gets A
pc 2 gets B
pc 3 gets C

simple create groups..

but pc 4 gets A and C

"group" A has something that pc 4 shouldnt get... just 1 small change..

so now you onto 4 groups? seems excessive. usualy a configs gonna be domain wide.. but like a hand full of exceptions to that config.. having to create a group each time is just bleh.
ive had to create a group for this 1 server.. everything else is exactly the same as the domain group.. so when i created this group it was "copy config from this group" but now if i want to make a domain change im gonna have to make the change to the domain group as well as the "server" group for this 1 server?
hope that explains it?

for the record.. BP is really cool



im having issues with avast and exclusion on the server set at the moment.. still messing with webmarshal. meh

[jx]

I understand you concern for "exceptions", however, one of the major requirements for the whole product was "central place of management".

Now, with exceptions now and there, entered at the client... I don't see how we could fulfill the requirement of "central place of management".

Yes, we could attempt to "merge" new settings based on the modifications on the server, but how would we go along with removing the exceptions? Chase the admin back to the system where he entered the exception?

What you are suggesting would require implementation of the concept of inheritance and versioning of settings. Not sure if that is the way we will want to go.

Regards

jx

[williamstam]

server settings
client settings

if client setting is dif to server.. warn the admin on the server. keep client setting. if admin on server clicks "over write" then the servers settings are sent through.

in the mean time.. Grey out the "settings" link if the client is communicating with a server. i found it highly annoying setting the exceptions in the client thinking they gonna "stick" only to find it gets changed back every 30 seconds or so. since the client HAS a settings option.... 1 assumes it can be used

[Newbie45]

just added it in advanced settings.. would be cool if you could do the "sheields" settings aswell from the gui.. after messing up my last BP console im a little dubious about "advanced settings" lol

How did you do this?  I can't seem to exclude anything from the shields on the console, just on the client which is overidden by the console?