
Sophos AV on MS Cluster

Hi all,

I have question about installing Sophos on a Microsoft Cluster.

The quorum disk is a Cluster Shared Volume connected with FC. We don't want to assign a drive letter to the quorum disk, so nobody can accidentally access the quorum disk or save data on this disk.

Microsoft recommends excluding the quorum disk from scanning.

I've checked the option "exclude remote files" in the Antivirus and HIPS policy.

Does Sophos AV recognize the quorum disk as a remote disk and not scan the files, or what other possibilities do I have to not scan the quorum disk? Assigning a drive letter is not an option for us.

Thanks in advance.



  • Hi Shawn,

    My understanding is that you are using a cluster with node and disk majority (with disk witness); the cluster can see and use the volume as an ID for the disk witness without the volume having a drive letter. So in that case the volume will be invisible to Windows Explorer, and I believe it will also be invisible to Sophos scanning.

    So as long as you do not mount the volume to a drive letter or a folder, it'll be excluded by Sophos endpoint scanning.

    regards,

    antonius A.


  • Antonius wrote:

    Hi Shawn,

    My understanding is that you are using a cluster with node and disk majority (with disk witness); the cluster can see and use the volume as an ID for the disk witness without the volume having a drive letter.

    regards,

    antonius A.


    Yes, that's right. Thanks for your reply.
  • Hello Shawn and Antonius,

    "the volume will be invisible to the windows explorer and I believe it will also invisible to sophos scanning"

    This is a misbelief :-) - probably because the UI for the scan configuration suggests this. On-access scanning uses a file system filter driver to intercept file access and apply any possible extension and/or exclusion settings. You don't need a drive letter to access the file system - for example, dir \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\SomeFolder will happily list the contents of \SomeFolder on the named volume even when it is not accessed. Unfortunately the article Endpoint Security and Control and cluster servers does not tell you how to exclude it; time permitting, I'll do some tests. Note that the article also uses a system variable which is not valid in an exclusion list - guess it could need some overhaul.

    Christian

  • In reply to my own post ... I put EICAR on an "unlettered" volume and then let on-access detect it. The path to eicar.com shown in the log is \\.\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\ (note the "." in \\.\Volume). So I set a folder exclusion using this string and it works. Guess one could exclude the quorum disk this way.

    Christian

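The two points Christian makes above (an unlettered volume is still reachable through its volume GUID path, and the on-access log reports that path in the \\.\Volume{...}\ form) can be checked from a cluster node with the script below. It is an added example, not code from the thread or from Sophos: it enumerates every formatted volume without a drive letter via the Win32_Volume class (whose DeviceID property is exactly the \\?\Volume{GUID}\ path), lists the root of each one with the same dir trick as in the post, and prints the \\.\Volume{GUID}\ string that the post reports as a working folder exclusion. Whether that string actually suppresses scanning on your build is Christian's observation and should be re-tested with EICAR as he did; the filter on FileSystem and the "not accessible" branch are assumptions added here for volumes that are currently owned by another cluster node.

```powershell
# Added example (not from the thread or from Sophos): find unlettered volumes,
# list them through their volume GUID path, and derive the \\.\Volume{...}\
# exclusion string reported in the post above.

# Win32_Volume.DeviceID is the volume GUID path, e.g. \\?\Volume{xxxxxxxx-...}\
# DriveLetter is empty for volumes that have never been assigned a letter.
# Assumption: filtering on FileSystem skips raw disks and volumes that are
# offline on this node (a witness disk owned by another node has no file system here).
$unlettered = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { -not $_.DriveLetter -and $_.FileSystem }

foreach ($vol in $unlettered) {
    $guidPath = $vol.DeviceID                              # \\?\Volume{...}\
    $label    = if ($vol.Label) { $vol.Label } else { '<no label>' }
    Write-Host "Volume $guidPath ($label, $($vol.FileSystem))"

    # Same trick as in the post: cmd.exe's dir resolves a \\?\Volume{...}\ path
    # even though no drive letter or mount point exists, which is why a
    # "hidden" quorum volume is still visible to an on-access filter driver.
    $listing = cmd.exe /c "dir /b `"$guidPath`"" 2>&1
    if ($LASTEXITCODE -eq 0) {
        $listing | ForEach-Object { Write-Host "    $_" }
    } else {
        # Typical when the clustered disk is currently online on another node.
        Write-Host "    (not accessible from this node: $listing)"
    }

    # Rewrite the \\?\ prefix to \\.\ - the form the on-access log showed for
    # eicar.com in the post. Whether Sophos honours it as a folder exclusion
    # is the poster's test result, not something this script verifies.
    $exclusion = $guidPath -replace '^\\\\\?\\', '\\.\'
    Write-Host "    Sophos folder exclusion candidate: $exclusion"
}
```

Run it on each node of the cluster, because the witness disk is only online on the node that currently owns it; the exclusion string itself is the same everywhere, since the volume GUID travels with the volume rather than the node. After adding the exclusion, repeat Christian's EICAR test on the unlettered volume to confirm the on-access scanner stops reporting it.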