Intercept X Advanced for Server - Lockdown File/Folder Exclusions

Hi,

We have the above product installed on two file servers that hold our Distributed File System (DFS) share storage locations.

Some of these file share locations contain .exe files and various installers we use for deployment, and also programs we have compiled internally.

When we enact "Lockdown" on these file servers we can no longer remove, change or update these files, which I understand is what "Lockdown" is supposed to protect against.

However, I've attempted to exclude these folders through modification of the Lockdown Policy "Allowed files/folders" list that affects these two servers, but I'm not getting the results I would expect.

The Help on the Lockdown Policy Exclusions is vague at best, so I need some guidance, especially on the use of wildcards (*).

1) Should I be excluding the Folder in the drive that sits on the actual server? e.g. F:\IT\

2) Should I be excluding the Folder as it's presented through Drive Mapping to the Clients? e.g. I:\

It won't let me exclude by server name and share name, or by DFS share,

e.g. \\servername\sharename or \\domainname\private\sharename

Predominantly all I really want to do with the Server Lockdown is protect the OS drive, but this is not possible.

Any advice appreciated thanks,

Craig

  • Hi Craig,

    I would create the exclusion to match the folder sitting on the server since the lockdown is actioning on the server and not the clients.

    I believe if you add a trailing backslash to your exclusion it will exclude everything nested under that folder.
    E.g. F:\ will exclude F:\example.exe and F:\nestedfolder\example.exe.

    If you add a * at the end of your trailing backslash it should exclude everything under that folder but not nested folders.
    E.g. F:\* will exclude F:\example.exe but not F:\nestedfolder\example.exe.

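An added example, not code from the original thread or from Sophos: a small Python matcher that applies the trailing-backslash versus trailing-* semantics described in the reply above to candidate paths, and shows why a client-side mapped drive letter would not match an entry written against the server's local path. The matching rules are an assumption drawn from this reply, not Sophos's documented behaviour.

```python
from typing import List


def _norm(p: str) -> str:
    # Windows paths compare case-insensitively; normalise separators too.
    return p.replace("/", "\\").lower()


def entry_covers(entry: str, path: str) -> bool:
    """Return True if a policy entry covers a file path.

    Semantics are an assumption taken from the reply above:
      'F:\\dir\\'       -> everything under the folder, recursively
      'F:\\dir\\*'      -> direct children of the folder only
      'F:\\dir\\x.exe'  -> exactly that file
    """
    e, p = _norm(entry), _norm(path)
    if not e:
        return False
    if e.endswith("\\*"):
        folder = e[:-1]                 # keep the trailing backslash
        rest = p[len(folder):]
        # Must be inside the folder and contain no further separator.
        return p.startswith(folder) and bool(rest) and "\\" not in rest
    if e.endswith("\\"):
        return p.startswith(e)
    return p == e


def covering_entries(entries: List[str], path: str) -> List[str]:
    """All entries that cover the path, in policy order."""
    return [e for e in entries if entry_covers(e, path)]


if __name__ == "__main__":
    # Constructed sample: the server-local path from the thread and the
    # client's mapped drive view of the same share.
    policy = ["G:\\ITG\\Software\\", "F:\\*"]
    for candidate in ("G:\\ITG\\Software\\tools\\setup.exe",
                      "I:\\Software\\tools\\setup.exe",   # mapped drive, no match
                      "F:\\example.exe",
                      "F:\\nestedfolder\\example.exe"):
        print(candidate, "->", covering_entries(policy, candidate))
```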
  • Hi MEric

    Thanks for your reply.

    Originally this is what I did, by excluding the Server's local drive paths with the trailing backslash.

    I expected this to work, but results show otherwise.

    e.g. I have excluded a local drive folder G:\ITG\Software\, which contains all our installers. With the server unlocked I can delete .exe files under this structure via my mapped drive of I:\Software\.

    When the server is in Lockdown mode, I can no longer do this. This is the result reported on the server.

    So I'm at a loss on how to make these exclusions work without leaving these servers unlocked or moving this type of storage elsewhere, where it's not under the protection of Sophos.

    Cheers,

    Craig

  • Hi Craig,

    I may have incorrectly assumed the Allowed files/folders section worked like SAV exclusions.  Unfortunately I do not use Lockdown in my environment nor do I have a server I could freely test this out on.  I suspect that the exclusion may not apply to nested folders at all which would not make creating exclusions for your scenario ideal.  Perhaps someone with more Server Lockdown experience may be able to comment on this?

  • Lockdown prevents applications from doing actions on the machine. See the first line of the Lockdown policy page:

    When you lock down a server, we list the software installed on it and only allow that software to run in future. You can use these settings to change what is allowed without the need to unlock the server.

    There are three configurations available in the policy:

    Allow Files/Folders: This means that any application located IN the designated folder or explicitly marked in the policy can run and change files anywhere on the server.

    Block Files/Folders: This means that any application located IN the designated folder or explicitly marked in the policy can NOT run and change files anywhere on the server.

    Excluded Folders: Do not add software in these folders to the list. This also blocks it from running.

    Notice that none of these allow applications coming in from outside to modify the files located on the server. 

    Based on your description you are trying to allow explorer.exe located on your local machine to modify files on the server - this won't work. You would have to implement a terminal service type setup where you access an application running on the server (that is allowed through the policy) and have it do the alterations you want.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Richard,

    Thanks for the explanation, this makes sense.

    So basically now, I have to leave my file servers unlocked or move my IT and Developers Storage area to a place that is not covered by Server Lockdown.

    Are there any plans to include an option on Intercept X Advanced for Server whereby admins can totally exclude areas or drives from the Lockdown feature?

    If not, I'll start one on the Ideas portal; I can't imagine I'm the only IT Manager or Developer that has encountered this.

    The Terminal Service type setup you suggested would work for my admins, but not for our Test Development team who are not allowed to log onto the servers.

    Thanks,

    Craig

  • I can't say specifically if there is anything on the roadmap for that. You can submit it here: https://ideas.sophos.com/ 

    Our product managers review those suggestions regularly.

    RichardP
