Database Query Scan Exclusions

Hi,

I'd like to periodically export the on-access scan exclusions defined in the Antivirus/HIPS policy, but I couldn't find where this information is stored in the database. We use version 5.0.

Can anyone provide me with this information?

Thanks.

  • Hello shawn_38,

    what's the motivation for this? Exclusions are static, so I assume you want to check whether they still are as they should be. The settings are per-policy, not stored in a central place and while it's not impossible to extract them it's not simple (and then there's the question which groups/computers the policy applies to).

    If you want to detect changes in the policies I'd suggest to upgrade to 5.2 which provides auditing.

    Christian

  • Hi,

    How about something like the following code?

    1. Save as something.vbs

    2. Edit the variables at the top:

    strServerName       
    strInstanceName
    strDatabaseName

    as required for your install.

    Code:

    ' Export the on-access scan exclusions of every Antivirus/HIPS policy in the
    ' Enterprise Console database to one text file per policy.
    const ForWriting        = 2
    const adOpenForwardOnly = 0   ' ADO constant; VBScript does not know the ADO names unless the type library is referenced
    
    strServerName       = "databaseservername"
    strInstanceName     = "sophos"
    strDatabaseName     = "Sophos50"
    strConnectionString = "Driver={SQL Server};Server=" & strServerName & "\" & strInstanceName & ";Database=" & strDatabaseName & ";Trusted_Connection=yes;"
    
    ' policyxml is an XML column. .query() returns the matching <SAV:filePath> elements of a
    ' policy as one XML fragment (possibly empty); type = 2 selects the Antivirus/HIPS policies.
    strSQL = "SELECT p.name, p.policyxml.query(' " &_
         " declare namespace SAV=""http://www.sophos.com/EE/EESavConfiguration""; " &_
         "   (/SAV:config/SAV:onAccessScan/SAV:exclusions/SAV:filePathSet/SAV:filePath) " &_
         "  ') as Exclusion " &_
    " FROM policies as p with (nolock) " &_
    " where p.type = 2 "
    
    set fso = CreateObject("Scripting.FileSystemObject")
    
    set cn = CreateObject("ADODB.Connection")
    cn.Open strConnectionString
    
    set rs = CreateObject("ADODB.Recordset")
    rs.Open strSQL, cn, adOpenForwardOnly   ' one pass over the rows is all we need
    
    ' Loop for each record
    Do Until rs.EOF
       strPolicyName  = rs("Name")
       strXMLOfPolicy = rs("Exclusion")
    
       if not IsNull(strXMLOfPolicy) then
          if strXMLOfPolicy <> "" then CreateFile strPolicyName, strXMLOfPolicy
       end if
    
       rs.MoveNext
    Loop
    
    ' cleanup
    rs.Close
    cn.Close
    set rs = nothing
    set cn = nothing
    
    ' Write "<policy name>-Exclusions.txt" with one exclusion per line.
    ' Errors are deliberately not suppressed: a failed write should abort the export, not be silently skipped.
    Function CreateFile (strName, strXML)
       ' Policy names are free text; replace the characters that are not valid in a file name
       strFileName = strName
       for each ch in Array("\", "/", ":", "*", "?", """", "<", ">", "|")
          strFileName = Replace(strFileName, ch, "_")
       next
    
       set file = fso.OpenTextFile(strFileName & "-Exclusions.txt", ForWriting, True)
    
       ' The fragment is a sequence of <SAV:filePath xmlns:SAV="...">path</SAV:filePath> elements;
       ' split on the opening tag and strip the closing tag from each piece
       arr1 = split(strXML, "<SAV:filePath xmlns:SAV=""http://www.sophos.com/EE/EESavConfiguration"">")
       for a = 0 to ubound(arr1)
          if arr1(a) <> "" then
             file.WriteLine Replace(arr1(a), "</SAV:filePath>", "")
          end if
       next
    
       file.Close
       set file = nothing
    End Function
    
    
    

    Regards,

    Jak

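
Added example (Python, not code from Jak or from the thread): the VBScript above pulls each exclusion out of the XQuery result by splitting on the literal opening tag, which breaks as soon as SQL Server serialises the element slightly differently (attribute order, whitespace). The fragment that `.query()` returns is a sequence of `<SAV:filePath>` elements with no single root, so the robust way to read it is to wrap it in a synthetic root and parse it as XML. The code below does that, sanitises the policy name before using it as a file name, and adds a small heuristic that flags overly broad exclusions (whole drives, bare wildcards, Temp/Downloads folders). It does not connect to the database; the rows are a constructed sample in the shape the query returns, and the "broad exclusion" patterns are my own assumption about what is worth a second look, not a Sophos rule.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SAV_NS = "http://www.sophos.com/EE/EESavConfiguration"

# Same query as the VBScript in the thread. .query() returns the matching
# <SAV:filePath> elements concatenated: an XML fragment with no single root.
QUERY = (
    "SELECT p.name, p.policyxml.query('"
    f" declare namespace SAV=\"{SAV_NS}\";"
    " (/SAV:config/SAV:onAccessScan/SAV:exclusions/SAV:filePathSet/SAV:filePath)"
    "') AS Exclusion FROM policies AS p WITH (NOLOCK) WHERE p.type = 2"
)


def parse_exclusion_fragment(fragment):
    """Return the exclusion paths in one .query() result, in order, without duplicates."""
    if not fragment or not fragment.strip():
        return []
    # Wrap the rootless fragment so a real XML parser can handle it.
    root = ET.fromstring(f"<root>{fragment}</root>")
    paths = []
    for el in root.iter(f"{{{SAV_NS}}}filePath"):
        text = (el.text or "").strip()
        if text and text not in paths:
            paths.append(text)
    return paths


def broad_exclusions(paths):
    """Heuristic (assumption, not a vendor rule): exclusions that cover a whole drive,
    a bare wildcard, or a user-writable Temp/Downloads folder deserve review."""
    flagged = []
    for p in paths:
        norm = p.strip().lower()
        if re.fullmatch(r"[a-z]:\\?\*?", norm) or norm in ("*", "*.*", "\\", "\\*"):
            flagged.append(p)
        elif re.search(r"\\(temp|tmp|downloads)\\?$", norm):
            flagged.append(p)
    return flagged


_INVALID = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def safe_filename(policy_name):
    """Policy names are free text; strip anything a Windows file name cannot contain."""
    cleaned = _INVALID.sub("_", policy_name).strip(" .")
    return (cleaned or "policy") + "-Exclusions.txt"


def export_exclusions(rows, out_dir):
    """rows: (policy_name, fragment) pairs as QUERY returns them.
    Writes one file per policy with exclusions; returns {policy_name: [paths]}."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    result = {}
    for name, fragment in rows:
        paths = parse_exclusion_fragment(fragment)
        if not paths:
            continue
        (out / safe_filename(name)).write_text("\n".join(paths) + "\n", encoding="utf-8")
        result[name] = paths
    return result


# Constructed sample rows in the shape the query returns (not real data from the thread).
SAMPLE_ROWS = [
    ("Default",
     f'<SAV:filePath xmlns:SAV="{SAV_NS}">C:\\Program Files\\SomeApp\\</SAV:filePath>'
     f'<SAV:filePath xmlns:SAV="{SAV_NS}">D:\\Backups\\*.bak</SAV:filePath>'
     f'<SAV:filePath xmlns:SAV="{SAV_NS}">C:\\Program Files\\SomeApp\\</SAV:filePath>'),
    ("File Servers", f'<SAV:filePath xmlns:SAV="{SAV_NS}">E:\\</SAV:filePath>'),
    ("Empty policy", ""),
]


def run_sample():
    """Export the sample rows to a temporary directory and return the per-policy result."""
    return export_exclusions(SAMPLE_ROWS, tempfile.mkdtemp())


if __name__ == "__main__":
    for name, paths in run_sample().items():
        print(name, paths, "broad:", broad_exclusions(paths))
```

To use it against the real database, fetch `QUERY` with pyodbc (or any DB-API driver) using the same trusted connection as the VBScript and pass the cursor rows to `export_exclusions`; everything after the query is identical.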
  • @Christian:

    I know that exclusions are static, also we have just one policy which is assigned to all computers.

    But we had an audit and now we have to document e.g. servers with no antivirus software installed and the on-access scan exclusions.

    @jak

    The script works perfectly.

    Thanks a lot.

  • Hello shawn_38,

    "we have to document ... the on-access scan exclusions"

    I see. Now I assume you neither have to prove that what you periodically export is what is actually in effect, nor that you have to do it automated. You are aware that you can simply export (manually) the exclusions from the policy edit window?

    Christian 

  • Hi Christian,

    of course I know how to export the exclusions manually from the policy edit window.

    I've automated the export and import it daily in our Wiki.

    We haven't finished the rollout yet and I assume there will be lots of changes in near future.

    With the automated export we always have the current exclusions in our Wiki, and not everybody who may have to check these exclusions has access to the Enterprise Console.

  • Hello shawn_38,

    sounds like you intend to have more than a few exclusions. Generally you should try to avoid them if possible. Apart from the (slightly) increased risk, they might apply to other components (e.g. DLP). So you should only use them when necessary and safe. Just curious: could you give an example of what you are excluding?

    Christian
