Validating Exceptions

Does anyone know any way to validate that the exceptions we enter under on-access scanning are indeed being excluded? I have had an issue with exclusions not working in the past, especially directory-based exceptions, and recently another problem has come to light and I want to be sure the excluded files are not being scanned. Any ideas?

  • On the server console you see that it has found the eicar virus ... why would I even get a warning.

    Maybe I'm more than a little bit dense - are you referring to the SEC which shows an alert for the server? I have no idea what you mean by warning. A virus alert is a positive detection and is dealt with (depending on your cleanup settings the minimum action is block and quarantine). What kind of scan led to the detection is not visible in SEC, but the client's Anti-Virus log (SAV.txt) will tell you the details.

    As you see yourself testing is not as simple as one might imagine. But first of all some words about scan settings and how they affect detection. You can enable/disable scan on read, write and rename. Thus if you have scan on read only and a file is written nothing is expected to happen until the file is opened for read. If the utility used verifies the copy (or the target folder is open in explorer) the file will immediately be opened for read though and the scan kicks in. Having the folder(s) open in Explorer often causes reads at the wrong moments and can cause confusion.

    Files and paths: One rarely thinks about the intricacies of file systems and file access. When an application calls the applicable API to open a file, this might not result in an actual open of the object sought for. Other routines are called when necessary (as is the case with files on the network). This can cause the path to get rewritten or translated. Sophos uses the path in use at the interception point. Thus for network files the scanner could record the UNC path whereas the open interceptor sees the original request. If you want to play around a little: turn off scanning, put eicar in a folder, share this folder, locally map this share as a drive, turn on scanning and access the test file via the mapped drive (watch for the drive letter reported). Now repeat this procedure, this time excluding the local folder where eicar resides from scanning. Then once more, mapping the share from a remote machine ... oh, and while you are at it - hardlink (fsutil hardlink create) eicar.com ...

    I hope this is of some help. In general exclusions (especially of executables) should be avoided on workstations. Suspicious files can be authorized via policy, false positives (usually generic detections) should be sent to Support (note that signed applications are handled with slightly more "trust").

    Christian 

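The check Christian describes (drop an EICAR test file, trigger a read, see whether on-access scanning intervenes, and note which path the scanner actually sees) can be scripted so that an excluded and a non-excluded folder are tested side by side. This is an added example, not code from the thread or from Sophos; the two folder paths at the bottom are placeholders, and the EICAR string is assembled at run time only so the script itself is not flagged when saved to disk.

```powershell
# Added example (not from the original thread): write an EICAR test file into
# each candidate folder, trigger a read, and report whether on-access scanning
# intervened. Compare one folder that is in the exclusion list with one that is not.

# The 68-byte EICAR string is assembled at run time so this script file is not
# itself detected when stored on disk.
$eicarHead = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
$eicarTail = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-OnAccessExclusion {
    param([Parameter(Mandatory)][string]$Folder)

    $result = [ordered]@{
        Folder      = $Folder
        # Path as the scanner is likely to see it (a mapped drive resolves to its UNC path)
        ResolvedAs  = (Resolve-Path $Folder -ErrorAction SilentlyContinue).ProviderPath
        WriteOk     = $false
        ReadOk      = $false
        StillExists = $false
    }
    $file = Join-Path $Folder 'eicar-exclusion-check.com'

    try {
        # Scan-on-write (if enabled) may already block this step
        [IO.File]::WriteAllText($file, $eicarHead + $eicarTail, [Text.Encoding]::ASCII)
        $result.WriteOk = $true
        # Scan-on-read is triggered by opening the file for reading
        $content = [IO.File]::ReadAllText($file)
        $result.ReadOk = ($content.Length -eq 68)
    } catch {
        $result.Error = $_.Exception.Message
    }

    Start-Sleep -Seconds 2   # give cleanup (block / quarantine) a moment to act
    $result.StillExists = Test-Path $file
    if ($result.StillExists) { Remove-Item $file -Force -ErrorAction SilentlyContinue }

    # Exclusion honoured => write and read both succeed and the file survives
    $result.ExclusionHonoured = $result.WriteOk -and $result.ReadOk -and $result.StillExists
    [pscustomobject]$result
}

# Placeholder folders: the first is assumed to be in the on-access exclusion list, the second is not
'C:\ExcludedApp\Data', 'C:\Temp' | ForEach-Object { Test-OnAccessExclusion $_ } | Format-Table -AutoSize
```

Run it once against the local folder and once against the same folder through a mapped drive or UNC path; the ResolvedAs column shows the path form the exclusion has to match, and SAV.txt confirms which access type (read, write or rename) triggered any detection.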