This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Balance between exclusions on Intercept and Endpoint Security

Hello everyone. We've always implemented files and folder exclusions to our customers without thinking too much about it: if it's slowing down a service, add it's folder as exclusion and we are ready to go, it's just the real time anti virus scanner, right?

So we thought. One of our customers got a ransomware and it encrypted one of their folders, but just this one particular folder which was as excluded from scan. And after asking Sophos Support, they tould us that this exclusion includes the InterceptX action as well. Oh boy...

My question, then, is how are the community doing this? How do we balance performance and security in this particular case that all the scanning fall on the same category?

Also, wouldn't it be cool if with every exclusion an dummy txt file was added to every folder and the monitoring happens only at this file? And if something happen to it the Endpoint would know there is something fishy.

Thoughts?

This thread was automatically locked due to age.

Parents

Barb@Sophos over 6 years ago

Hello Marco Ramos,

Exclusions are not typically recommended, but if needed, they are applied at your own discretion based on your needs/environment. Please see this document for more details about available exclusions.

You can check if a file or program is safe by using our Threat Center and/or submitting a sample to Sophos Labs

There are also vendor recommended exclusions such as these:
Recommended vendor exclusions for use with Sophos products (Windows)
Sophos Central Windows Server Automatic Exclusions

If you experience issues with Intercept X, such as False Positives, they can be addressed by following this article

Additionally, we have 2 articles related to performance/known issues that may help out:
Sophos Intercept X and Exploit Prevention: Known issues
Sophos Anti-Virus: Computer slowed down after installation and configuration change

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
Marco Ramos over 6 years ago in reply to Barb@Sophos

Those KB article's are useful, but I don't believe it's the right path. I want to understand a better way to protect from ransomware, by Intercept, and to not have performance issues with real time scanning. If there is not a way to do it with both, then I have to make it clear to our customers of what is the cost of doing this. Thanks again.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

Marco Ramos over 6 years ago in reply to Barb@Sophos

Those KB article's are useful, but I don't believe it's the right path. I want to understand a better way to protect from ransomware, by Intercept, and to not have performance issues with real time scanning. If there is not a way to do it with both, then I have to make it clear to our customers of what is the cost of doing this. Thanks again.
Cancel
Vote Up 0 Vote Down

Cancel

Children

Barb@Sophos over 6 years ago in reply to Marco Ramos

Hello Marco Ramos,

If you are experiencing issues with the product, your best course of action is to reach out to support so that we can further investigate what's the culprit, and work on a possible solution or workaround.

Be sure to include the SDU logs of the affected device, so that they can start their investigation there.

Regards,

Barb@Sophos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel