Bug in Sophos Central server exclusion list only displaying auto items?

Hi

I have an Exchange server here that also has a couple of SQL Express instances on it, so it has applied auto exclusions for Exchange 2010 and SQL 2008R2 - 104 of them according to the Exclusion tab.

 

1) The auto exclusions don't appear to contain the complete path for some of the Exchange files (see below), so I don't know if they would even work!

 

2) The logic for SQL appears to work for identifying the database locations - that or you "assume" that SQL data could be on multiple drives, i.e. C, D (data) and L (logs) drives, and that that might be a "common" naming logic. For Exchange it hasn't worked as well: all the exclusions it has created are only for files on the C drive - again, in this instance the server was built so the program files are on C, the databases on D and the log files on L.

3) Due to the above we have therefore manually built in a policy the other required files for the databases, logs and content indexes etc. and applied it to the device; however, the Exclusions tab never shows them for some reason... I am not sure how this works, if it is derived by Central or if the policy is pushed down to the device and the device then reports back the list of active exclusions... I have waited some time and the machine has definitely checked back in, and in ESH, having forced an update check a while ago, it is seeing the correct policy time and date for when the revised policy was modified, but the exclusions list is stuck firmly at a total of 104 and if you filter by "defined in policy" rather than "all" it is blank...

However, looking at the config.xml file on the server itself, it appears to be listing the exclusions I expect in terms of the policies?

 

 

I have looked at another server with a similar policy set - this time for the tempdb files on a SQL server that are on T drive (where it had picked up C, D and L ok) and for that device it shows just fine with the Auto and Policy exclusion listed.

 

If anyone at Sophos cares to look at this then I have left Sophos support enabled in the tenant for (hopefully that isn't index-able and feel free to moderate it out having used it :-) - I'm going home!) - the policy in question and server are fairly obviously named!

***Removed sensitive data*** 

Cheers

Chris



  • Hi Chris,

    I removed your license from the thread, but I did log in to your dashboard and observed the behavior in one of your servers (the truncated or incomplete paths).
    I'll research this a bit further and update this thread with more info.

    As for your second concern, if you can DM me the names of the affected servers, I will double check, as I was not able to reproduce that behavior (I see the Exclusions defined in policy for the manually created policies, as well as other filters).

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Hi Barb

    Have just sent you a DM with the name of the server where the policy exclusions aren't showing up, just the auto ones, in the list of exclusions for the server.

    Chris

  • Chris,

    Thank you for clarifying. Can you confirm if the truncated locations do exist on the server (although not truncated)?
    If so, what you can try to test them is to run an Eicar test from said locations (just create the txt file, then rename it to one of the extensions from your list, for example "test.log", and see if you are able to open the file). Otherwise, if you can use your Exchange and SQL programs/dbs without issues, that is also an indicator that the exclusions are working.

    Can you also provide me the full xml config file? (Or can you confirm the one you posted is the full list?) I do see the other issue as well: the "Exclusions defined in Policy" is empty and "All exclusions" shows up to 104 entries. I did not see that for other servers in your dashboard.

    I recommend that you file a case with support, so that they can further review the situation: https://secure2.sophos.com/en-us/support/open-a-support-case.aspx
    Be sure to include the server name, SDU logs if possible, as well as the screenshots that you posted.

    Thank you,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
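
The Eicar check described in the reply above, scripted in PowerShell as an added example (not part of the original thread and not Sophos code). It also runs the same test in a control folder that should not be excluded, so a "readable" result in an excluded folder can be told apart from on-access scanning simply not intercepting the file. The directory names, the `Test-ExclusionPath` function and the result labels are hypothetical; replace the placeholder paths with entries from your own exclusion list.

```powershell
# Placeholders (assumptions): use folders and an extension from your own exclusion list.
$ExcludedDirs = @('D:\ExampleDatabases', 'L:\ExampleLogs')
$ControlDir   = $env:TEMP     # assumed NOT covered by any exclusion
$Extension    = '.log'

# Standard EICAR test string, split in two so this script file is not flagged itself.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-ExclusionPath {
    param([string]$Directory, [string]$Extension, [string]$Content)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        return 'PathMissing'      # the listed location does not exist on this server
    }
    $txt    = Join-Path $Directory ("exclusion-test-{0}.txt" -f [guid]::NewGuid())
    $target = [IO.Path]::ChangeExtension($txt, $Extension)
    try {
        # Same steps as in the reply: create a .txt, rename it, then try to open it.
        [IO.File]::WriteAllText($txt, $Content, [Text.Encoding]::ASCII)
        Rename-Item -LiteralPath $txt -NewName (Split-Path $target -Leaf) -ErrorAction Stop
        Start-Sleep -Seconds 5    # give the on-access scanner time to react
        if ([IO.File]::ReadAllText($target) -eq $Content) { return 'Readable' }
        return 'Altered'
    } catch {
        return 'Blocked'          # access denied, or the file was removed or quarantined
    } finally {
        Remove-Item -LiteralPath $txt, $target -Force -ErrorAction SilentlyContinue
    }
}

# Control first: if the test file is readable where no exclusion applies,
# the scanner is not intercepting it and the other results prove nothing.
$control = Test-ExclusionPath $ControlDir $Extension $Eicar
if ($control -eq 'Readable') {
    Write-Warning "Control file in $ControlDir was not blocked; results are inconclusive."
}
foreach ($dir in $ExcludedDirs) {
    [pscustomobject]@{
        Directory = $dir
        Result    = Test-ExclusionPath $dir $Extension $Eicar
        Expected  = 'Readable'    # an active exclusion leaves the file untouched
    }
}
```

A `Blocked` result for a folder that is meant to be excluded indicates the exclusion is not in effect on the endpoint, whatever the Exclusions tab in the console shows.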