The batch files are actually created on the Protect console system, and then copied into the C:\Windows\Propatches\Install folder on any target system during the deployment process. Most likely ST.Protect.exe is originally behind the creation of the batch files on the console system, but it's possible other components are involved as well. I would have to do a little more research if you would still like me to find this out.
I'm not really familiar with the McAfee ePO application, but it seems based on this article I found that you should be able to use directory and file exclusions (there's a note in the article saying you could apply the same settings via ePO):
You might want to check with McAfee about that since allowing the directory or files would be much easier for you to get this set up.
Hope that helps!
You are right, we can trust a whole directory, but it has other side effects, e.g. any executable placed in that folder can be executed irrespective of its trusted source. The same is the case if we allow some extension without trusting its source. So we have decided not to use these two types of trusting files.
It would be great if you could tell me all the components responsible for creating the batch file, so we can trust the actual source in the McAfee ePO application.
I confirmed with our engineering team that ST.Protect.exe is creating the batch files on the Protect console system. I am not sure if that information will be carried over when the files are copied to the target system, but hopefully this information is helpful to you.
Thanks for the information. I found that STSChedEx.exe actually launches the batch on the target system.
Just for information, we need to add this file to the ePO trusted updater list to allow the execution of the batch file.
Yes, STSchedEx.exe is what would run the .bat files on any target system. Glad you got it figured out.