
On-access scanning and processes

We have been asked by a system supplier to exclude a list of processes from AV scanning on a server.

We already have a policy affecting this server, which disables on-access scanning (box is unticked).

It's not clear from the GUI if this by default also disables process scanning, or just file system on-access scanning. What I mean is: does the original read from disk when a process launches not get scanned, but it does get scanned once memory-resident?

  • If you've turned off on-access scanning I don't believe you need to worry about such exclusions.

    Process exclusions are configured for the file system filter driver, i.e. the files this process reads/writes are not scanned.

    Regards,

    Jak

  • Hello mrcrisps,

    "a list of processes"

    not one or two - an entire list?

    "exclude a list of processes from AV scanning ... scanned once memory-resident"

    What exactly does the supplier want? They should be upfront with the rationale, especially as, if I understand correctly, you've already completely disabled on-access scanning. I'm known to be mild-mannered :smileytongue: nevertheless, without details of the (potential) issues it strikes me as droll at best.

    Seriously, why bother at all with AV on this server? Apparently whatever system this supplier supplies is not only immune to all kinds of threats but also immunizes the rest of the server. Do they have any suggestions for how to protect the server (I don't assume it's an isolated system)?

    Christian

  • Yes - a LIST of processes!

    Their rationale is that their system is time-sensitive on file handling (integrates with an IP telephony system), so any problems with their system are automatically the fault of Sophos and not their crummy software.

    ;)

  • Hello mrcrisps,

    "time-sensitive on file handling"

    :smileytongue: that's why they chose Windows as platform. There are vendors/suppliers who "permit" AV (on-access) on their systems with just minimal folder exclusions.

    Anyway, in this case I'd do without Sophos on this server. With on-access and all other real-time components disabled it has no benefit other than serving as an excuse for problems. Even a scheduled scan would be feasible when the system is active so there's no reason to have Sophos (or any other AV) installed. Isolate or restrict access to the system as far as possible and make sure they can quickly get a clean and current copy up and running in case the server gets compromised.

    Christian

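To make Jak's and Christian's points concrete, here is a small policy model added for this thread. It is not Sophos code and does not describe any vendor's actual filter driver; it only assumes the behaviour Jak describes (a process exclusion tells the on-access filter to skip every file that process reads or writes, and a disabled on-access scanner scans nothing) and contrasts it with the narrower folder exclusions Christian mentions. The process names, paths and file events are constructed for the example.

```python
"""Model of how on-access exclusions interact with a scan policy.

Illustrative model written for this thread (not Sophos code, not a vendor's
driver logic). Assumptions: a process exclusion skips every file the named
process reads or writes; a folder exclusion skips only files under that
folder; with on-access scanning disabled nothing is scanned at all.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Policy:
    on_access_enabled: bool
    excluded_processes: frozenset = frozenset()   # lower-case image names, e.g. "telephony.exe"
    excluded_folders: tuple = ()                  # folder prefixes, Windows paths


@dataclass(frozen=True)
class FileEvent:
    process: str      # image name of the process doing the I/O
    path: str         # file being read or written
    operation: str    # "read" or "write"


def _under_folder(path: str, folder: str) -> bool:
    """True if path lies inside folder (case-insensitive Windows comparison)."""
    return PureWindowsPath(path).is_relative_to(PureWindowsPath(folder))


def should_scan(policy: Policy, event: FileEvent) -> bool:
    """Decide whether the modelled on-access scanner would inspect this access."""
    if not policy.on_access_enabled:
        return False      # scanner is off: exclusions are moot, nothing is scanned
    if event.process.lower() in policy.excluded_processes:
        return False      # process exclusion: every file this process touches is skipped
    if any(_under_folder(event.path, f) for f in policy.excluded_folders):
        return False      # folder exclusion: only files under the folder are skipped
    return True


def unscanned(policy: Policy, events) -> list:
    """Paths in `events` that would be read or written without a scan."""
    return [e.path for e in events if not should_scan(policy, e)]


# Constructed sample activity: a hypothetical telephony service working in its
# own folder, the same service writing outside it, and unrelated processes.
EVENTS = (
    FileEvent("telephony.exe", r"C:\Telephony\calls\2024-01-01.log", "write"),
    FileEvent("telephony.exe", r"C:\Telephony\config\routes.xml", "read"),
    FileEvent("telephony.exe", r"C:\Users\Public\export.csv", "write"),
    FileEvent("explorer.exe", r"C:\Users\Public\export.csv", "read"),
    FileEvent("outlook.exe", r"C:\Users\alice\Downloads\invoice.zip", "write"),
)

# The three policies under discussion.
PROCESS_EXCLUSION = Policy(True, excluded_processes=frozenset({"telephony.exe"}))
FOLDER_EXCLUSION = Policy(True, excluded_folders=(r"C:\Telephony",))
ON_ACCESS_OFF = Policy(False, excluded_processes=frozenset({"telephony.exe"}))


def blind_spot_sizes() -> dict:
    """Number of sample accesses each policy leaves unscanned."""
    return {
        "process exclusion": len(unscanned(PROCESS_EXCLUSION, EVENTS)),
        "folder exclusion": len(unscanned(FOLDER_EXCLUSION, EVENTS)),
        "on-access off": len(unscanned(ON_ACCESS_OFF, EVENTS)),
    }


if __name__ == "__main__":
    for name, policy in (("process exclusion", PROCESS_EXCLUSION),
                         ("folder exclusion", FOLDER_EXCLUSION),
                         ("on-access off", ON_ACCESS_OFF)):
        print(f"{name}: unscanned -> {unscanned(policy, EVENTS)}")
```

Running it shows the difference in scope: a process exclusion leaves the telephony service's write to a public folder unscanned as well as its own data files, a folder exclusion covers only the service's own folder, and with on-access disabled every access in the sample goes unscanned, which is why adding process exclusions to a policy that already has on-access off changes nothing.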