Guest User!

You are not Sophos Staff.

Thread Info
  • Locked Locked
  • Replies 1 reply
  • Subscribers 9 subscribers
  • Views 3219 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Feature Request: Stacking Policies

Victor Albizures

It would be great to be able to stack policies. For example:

 

Default Policy - Handles all scanning activity

      Default Exclusion Policy - Contains exclusions which apply to all systems

                                       * Systems under here would get Default, Default Exclusions

                    Exchange Exclusions -  Contains exclusions which only apply to exchange servers.

                                         * Systems under here would get Default, Default Exclusions and Exchange Exclusions

etc ....

 

I understand that I can close policies, but if I then have to edit the Default Exclusions I have to manually modify that on all policies. There is no way to push that change to all policies. If I was able to stack policies I wouldn't have to because all policies would apply in a stacked format.

 



This thread was automatically locked due to age.
Parents

  • Hello Victor Albizures,

    first of all, it used to be a recommendation that exclusions should be only applied when strictly necessary, i.e. there are confirmed issues without them. Seems that Sophos eventually caved in to the anadipsia for keeping control over an obscure piece of software that constantly makes decisions on its own [:P] [sorry for the impertinent remark].

    Assuming that exclusions are needed, there are more than a few of them, and they have to be amended more or less frequently stacking is nevertheless not the perfect solution if you have many different sets of exclusions. You have to concert them into a normal form with a corresponding group structure that can get quite complex. As exclusions are part of the AV ("scanning") policies a requirement for different scanning settings would further complicate matters. It'd probably a good idea to separate scanning and exclusion policies. Not that it couldn't be implemented but the question is whether it's worth the effort.
    Exclusions aren't free (as they have to be checked for every interception by the filter driver) otherwise one could simply use a superset for all devices (except for this performance penalty exclusions for Exchange would have no effect on the other systems). 

    AFAIK a two-level approach is already possible with Central: The Global Scanning Exclusions apply to all devices and users, this might be a partial solution.

    Christian 

Reply

  • Hello Victor Albizures,

    first of all, it used to be a recommendation that exclusions should be only applied when strictly necessary, i.e. there are confirmed issues without them. Seems that Sophos eventually caved in to the anadipsia for keeping control over an obscure piece of software that constantly makes decisions on its own [:P] [sorry for the impertinent remark].

    Assuming that exclusions are needed, there are more than a few of them, and they have to be amended more or less frequently stacking is nevertheless not the perfect solution if you have many different sets of exclusions. You have to concert them into a normal form with a corresponding group structure that can get quite complex. As exclusions are part of the AV ("scanning") policies a requirement for different scanning settings would further complicate matters. It'd probably a good idea to separate scanning and exclusion policies. Not that it couldn't be implemented but the question is whether it's worth the effort.
    Exclusions aren't free (as they have to be checked for every interception by the filter driver) otherwise one could simply use a superset for all devices (except for this performance penalty exclusions for Exchange would have no effect on the other systems). 

    AFAIK a two-level approach is already possible with Central: The Global Scanning Exclusions apply to all devices and users, this might be a partial solution.

    Christian 

Children
No Data
Unfiltered HTML