
Sophos AV on MS Cluster

Hi all,

I have a question about installing Sophos on a Microsoft Cluster.

The quorum disk is a Cluster Shared Volume connected with FC. We don't want to assign a drive letter to the quorum disk, so nobody can accidentally access the quorum disk or save data on this disk.

Microsoft recommends excluding the quorum disk from scanning.

I've checked the option "exclude remote files" in the Antivirus and HIPS policy.

Does Sophos AV recognize the quorum disk as a remote disk and not scan the files, or what other possibilities do I have to not scan the quorum disk? Assigning a drive letter is no option for us.

Thanks in advance.

  • Hello Shawn and Antonius,

    "the volume will be invisible to the Windows Explorer and I believe it will also be invisible to Sophos scanning"

    This is a misbelief :-) - probably because the UI for the scan configuration suggests this. On-access scanning uses a file system and a filter driver to intercept file access and apply any possible extension and/or exclusion settings. You don't need a drive letter to access the file system - for example, dir \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\SomeFolder will happily list the contents of \SomeFolder on the named volume even when it is not accessed. Unfortunately, "Endpoint Security and Control and cluster servers" does not tell you how to exclude it. Time permitting, I'll do some tests. Note that the article also uses a system variable which is not valid in an exclusion list - guess it could need some overhaul.

    Christian 
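
The point made in the reply above, as an added example that is not part of Christian's post: this PowerShell sketch lists the local volumes that have no drive letter and repeats the `dir` check against each volume GUID path, so you can see which of them remain reachable by anything that works at the file-system level. The function name `Get-LetterlessVolume` is hypothetical; the script assumes the standard `Win32_Volume` CIM class, whose `DeviceID` property holds the `\\?\Volume{GUID}\` path.

```powershell
# Added example, not code from the thread.
# Lists fixed volumes without a drive letter and tests whether each one
# can still be read through its volume GUID path.
function Get-LetterlessVolume {
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { -not $_.DriveLetter -and $_.DriveType -eq 3 } |  # 3 = local disk
        ForEach-Object {
            $guidPath = $_.DeviceID   # form: \\?\Volume{GUID}\

            # Same check as the 'dir' command in the post, run through cmd.exe.
            # /a includes hidden and system entries, /b prints bare names.
            $listing = & cmd.exe /c dir /b /a $guidPath 2>$null
            $readable = ($LASTEXITCODE -eq 0)

            [pscustomobject]@{
                Label      = $_.Label
                FileSystem = $_.FileSystem
                SizeGB     = [math]::Round($_.Capacity / 1GB, 1)
                GuidPath   = $guidPath
                # dir also exits non-zero on a completely empty root, so treat
                # False as "check by hand", not as proof of inaccessibility.
                Readable   = $readable
                TopLevel   = if ($readable) { @($listing).Count } else { 0 }
            }
        }
}

Get-LetterlessVolume | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; small system partitions (EFI, recovery) also have no drive letter and will show up in the output next to the cluster disk.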
