
File exceptions don't work with anti-virus 10.2?

Hi,

I have a problem with file exceptions in the anti-virus scanner.

I have defined a file exception for the on-access scan and the same for the on-demand scan. The on-access scan excludes this file from scanning. If I do a complete system scan the exception will be neglected.

Because of Windows 8 I use anti-virus 10.2.

In anti-virus 10.0 it's OK and works. Is there a bug in the 10.2 version?

Thanks



This thread was automatically locked due to age.
  • Hello SilentWarrior,

    are you talking about exceptions set locally (on the client) or in the policy (from SEC)? Did you observe this on Windows 8 only or on all versions?

    Christian

  • Hi Christian,

    I've set the exceptions via SEC for all versions.

    But I've also tried setting the exception on the local Windows 8 machine; respectively, I've changed the entry which comes from the server and have just entered the file name instead of path + filename, but no effect.

    Regards,

    Daniel

  • Hello Daniel,

    out of curiosity - how did you find out it doesn't take effect? I intended to ask whether it doesn't work as expected on Windows 8 only or on other Windows versions as well (a q&d test suggests that at least XP is not affected). I'd be surprised if it is a general issue and no one has noticed it yet, but who knows. I don't have Windows 8 so I fear I can't be of much help. Did you contact Support?

    Christian

  • Hi Christian,

    I've a file that will be indicated as Adware but the file is not a problem. So I put this file on the exception list. But if I do a computer scan this file will be found and I get an error and the file will be moved to quarantine.

    Now I've checked Win7 with 10.0 in detail and got the same failure, sorry I was wrong in the first post.

    No, I've not contacted Support yet because I thought maybe something is wrong.

    I will contact the support.

    Regards

    Daniel

  • Hello Daniel,

    "a file that will be indicated as Adware"

    I think it should not be scanned if excluded but:

    Adware is its own category. You have to explicitly select it for both On-Access scanning and scheduled scans but it is enabled by default for right-click scanning.  It is AFAIK not included in a full (i.e. Scan my computer locally or Full system scan for the console) scan. Thus it might be that the exclusion doesn't work at all and the behaviour is caused by different settings/usage.

    The recommended way to authorize Adware is - guess, the Authorization Manager (tab Adware and PUAs).

    BTW: if you could post your exclusion and the details of the detection (from SAV.txt) maybe we can figure out what could be wrong.

    Christian

  • Hi Christian,

    I've done some more tests and found out that the problem is not the file directly. The problem is that this file is running and has a process. If I start the complete scan it will first be scanned in memory and the alert comes up. If I close this process before scanning everything runs fine and the file will be excluded from the scan.

    And yes, I know about the Authorization Manager, but here is the problem: if I add this to the allowed Adware, all Adware of this kind will be allowed. But I would just like to allow only this file/process.

    I've added this file also in Verdächtige Dateien und Verdächtiges Verhalten (sorry, I don't know what it is called in the English version) but no effect.

    So my next question is, how can I exclude a process from scanning? I already checked Google and the Sophos Docs but found nothing on how I can exclude a process from scanning.

    Regards

    Daniel

  • Hello Daniel,

    "it will first scanned in the memory and the alert comes up"

    that's then a different story. So you want to authorize a particular instance of a certain AdWare (which, BTW?). Now I'd assume it would be detected on disk but apparently the exclusions are working. Could you confirm this please? I.e. remove the exclusion and scan the file, it should then be detected. 

    If the process is indeed found by a memory rule (can't remember I've encountered it but if then I have likely not paid attention to it) then Labs have surely put this in for a reason and you should contact Support to discuss the details. 

    Christian

  • Hi Christian,

    yes it is. I can confirm that the file exception works. If the process doesn't run and the file is in the exception list the file will not be found. If I delete the exception the file will be found.

    If I start a complete scan on the local machine the scan window shows me at first "Scanning Memory" and a few seconds later I get the message that something was found. The logfile says process xy is infected.

    How can I define that this process will not be found?

    Daniel

  • Hello Daniel,

    what's the name of the threat? Is it the same (and AdWare) as on the file? I'm not sure I've seen this - even if, I don't know how Authorization works in this case. But you can't selectively scan memory. As said, you should contact Support, they will consult with Labs if necessary.

    Christian
