Sophos exclusions for Microsoft Endpoint Configuration Manager?

Is there anything special that needs to be done for Configuration Manager to work with Intercept-X? Some (not all and it changes A LOT) computers aren't seeing deployments in Software Center. Some computers will see 5 one day then all the next. Some will see them all one day and then see 5 less the next. It isn't consistent and Microsoft hasn't been any help. I would remove Sophos and test but I can't get it to consistently fail. I have %WINDIR%\CCM and %WINDIR%\CCMCACHE in Global Exclusions (Sophos Central - Global Settings - Global Exclusions) for Real-time and scheduled. Is there anything else that needs to be done? Does anyone have any suggestions that I might try?

  • Hi Kevin,

    Thanks for reaching out to the Sophos Community Forum. 

    If you haven't already, I suggest checking out the following recommended exclusions article from Microsoft. 
    - Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients

    From the way you listed the exclusions, it looks like you may need a trailing backslash at the end of the paths so that the exclusions are treated as "Folders" instead of "File" exclusions.

    %WINDIR%\CCM and %WINDIR%\CCMCACHE in Global Exclusions

    If the exclusions have already been added where necessary, the best way to isolate if Sophos is playing a part in the issues you're experiencing would be to try removing it from one or two test systems to see if the results change. 

    If you continue to see intermittent issues without Sophos installed, this may indicate that the issue resides elsewhere. 

  • Are there logs to see what was blocked, what was scanned and what Sophos 'touched'?

  • By making the following change in the registry you can enable verbose logging. Another option for seeing what is being scanned in real-time is to use Process Monitor, then to isolate Sophos File Scanner as the main process you wish to monitor. 

    • Access the following registry key:

      HKLM\SOFTWARE\Sophos\Sophos File Scanner\Application
       
    • Create the following value:

      "LogLevel"=dword:00000004
       
    • Restart the Sophos File Scanner Service.

    That said, files will still need to be touched on the drive for the scanner to know if the files are on the white list or if the files need to be scanned normally. 

    You can also find some information on real-time scanning in the SSP Logs located in "C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log". For this component you can turn on debug logging from the Endpoint Self Help Tool.
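    The registry change and service restart from the steps above, scripted in PowerShell as an added example (this is not code from the thread or from Sophos). The key path and the `LogLevel` value of 4 are the ones the reply gives; the service name `Sophos File Scanner Service` is an assumption, so confirm it with `Get-Service` before relying on it. The script records the previous value so the change can be reverted once the investigation is finished.

```powershell
# Added example: enable verbose logging for the Sophos File Scanner and restart it.
# Run from an elevated PowerShell session.

$KeyPath     = 'HKLM:\SOFTWARE\Sophos\Sophos File Scanner\Application'  # from the thread
$ValueName   = 'LogLevel'                                                # from the thread
$VerboseLvl  = 4                                                         # dword:00000004 from the thread
$ServiceName = 'Sophos File Scanner Service'   # ASSUMPTION: verify with Get-Service '*Sophos*'

# Return the current LogLevel, or $null when the value does not exist yet.
function Get-ScannerLogLevel {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

# Create or update the LogLevel DWORD, then restart the scanner so it reads the new value.
# Returns the previous level so the caller can restore it later.
function Set-ScannerLogLevel {
    param([Parameter(Mandatory)][int]$Level)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $previous = Get-ScannerLogLevel

    # -Type DWord matches the "dword:00000004" shape given in the reply.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Level -PropertyType DWord -Force | Out-Null

    # Restart the service; -Force also restarts anything that depends on it.
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    return $previous
}

# Put the value back to what it was (or remove it if it did not exist before).
function Restore-ScannerLogLevel {
    param($Previous)
    if ($null -eq $Previous) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Previous -Type DWord
    }
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
}

# Usage: turn verbose logging on, reproduce the Software Center problem, then revert.
$saved = Set-ScannerLogLevel -Level $VerboseLvl
Write-Host "LogLevel set to $VerboseLvl (previous: $(if ($null -eq $saved) { 'not set' } else { $saved }))"
# ... reproduce the issue and collect the scanner log ...
# Restore-ScannerLogLevel -Previous $saved
```

    Leave the verbose level on only for the reproduction window: a level-4 log on a busy client grows quickly, and the restore step returns the scanner to its original configuration.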

  • So even though c:\Windows\CCM is whitelisted, if something is added to a subdirectory in c:\windows\ccm it will still touch the file?

  • That's correct. All files will still be touched, but not all will be scanned if some are excluded. If you have a folder exclusion, the files and folders in all sub-directories will be excluded from scanning.

    You can test if exclusions are working correctly by using an eicar file.
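    An added example (not from the thread or from Sophos) that ties together two points made above: the first reply's note that a folder exclusion needs a trailing backslash, and this reply's suggestions that sub-directories inherit a folder exclusion and that an EICAR file is the way to test it. The script normalises a folder path, drops the EICAR test string into a sub-folder of the excluded location and into a non-excluded control folder, and reports which copies survive. The folder names used are assumptions for the test; the EICAR string is the standard anti-virus test pattern and is harmless.

```powershell
# Added example: check that a folder exclusion (including its sub-directories) is honoured.
# Run as a user who can create files in both folders.

# Standard EICAR test string, in single quotes so PowerShell does not expand "$EICAR"/"$H".
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Folder exclusions are distinguished from file exclusions by a trailing backslash,
# so append one when it is missing. This is the form to enter in Sophos Central.
function ConvertTo-FolderExclusion {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path.EndsWith('\')) { return $Path }
    return "$Path\"
}

# Write the test string into a folder and report whether the file is still present
# after the scanner has had a chance to act on it.
function Test-EicarSurvives {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [int]$WaitSeconds = 10
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $file = Join-Path $Folder 'eicar-exclusion-check.txt'

    # ASCII with no trailing newline keeps the file byte-identical to the test pattern.
    [System.IO.File]::WriteAllText($file, $Eicar, [System.Text.Encoding]::ASCII)
    Start-Sleep -Seconds $WaitSeconds

    $survived = Test-Path $file
    if ($survived) { Remove-Item $file -Force -ErrorAction SilentlyContinue }  # clean up
    return $survived
}

# ASSUMPTIONS: %WINDIR%\CCMCACHE is excluded in Sophos Central (as in the question);
# the sub-folder and the control folder are test locations chosen for this example.
$excludedRoot  = ConvertTo-FolderExclusion -Path "$env:WINDIR\CCMCACHE"
$excludedTest  = Join-Path $excludedRoot 'eicar-exclusion-check'   # sub-directory of the exclusion
$controlFolder = Join-Path $env:TEMP 'eicar-control'               # not excluded

$result = [pscustomobject]@{
    ExclusionEntry   = $excludedRoot
    ExcludedSurvived = Test-EicarSurvives -Folder $excludedTest
    ControlSurvived  = Test-EicarSurvives -Folder $controlFolder
}
$result | Format-List

# Expected when the exclusion works: ExcludedSurvived = True (sub-directory inherits the
# folder exclusion), ControlSurvived = False (detected and removed/quarantined).
# ExcludedSurvived = False means the exclusion is not being applied as a folder exclusion;
# ControlSurvived = True means real-time scanning is not acting on the control folder at all.
```

    A detection event for the control copy should also appear in Sophos Central, which confirms the scanner saw the write; the absence of a matching event for the excluded copy is the second half of the evidence.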