
Malware Exclusions for CIDR ranges?

I have a quick question...

I work for a security firm that creates and tests malware. We use Sophos in order to detect malware we don't want on our network and it is fantastic, a little too fantastic. The question I have deals with transferring my malware between my VM, or any other computer on my network, and my Windows machine.

I want to keep on-demand scanning and download scanning, but I want to exclude specific CIDR ranges or internally networked IP addresses from being scanned. Is there a way to do this? Is it possible to tell Sophos to whitelist traffic for downloaded content that isn't necessarily on a remote share?

I went through the manual and didn't find much, so if all else fails I'm making a feature request.

I have exclusions set up so that Sophos will not scan specific folders containing malware. The problem that I am having is in the transfer of files to my local machine from, well, anywhere to those folders. It scans them as normal, which it should, but then my malware becomes quarantined every time, and it is only slightly annoying. But an IP exclusion list would be great.

Anyway that's my story. Let me know what you think. I'll entertain questions, so long as they are on topic.

  • Hello malware_maker,

    there are two distinct components: On-access scanning and download scanning. The former intercepts file system calls and it "sees" the path used at the point of interception (which is not necessarily the one from the initial call). It does not attempt to resolve a remote path to an IP address, so you can exclude only by path. Download scanning uses an LSP and you can authorize (i.e. exempt) "sites" by name or IP address but not a specific path (from the client's GUI Configure->Anti-Virus->Authorization ... ->Websites, from the console AV Policy->Authorization ... ->Websites).

    Thus if an item gets quarantined check whether the message in the Anti-Virus log contains "On-Access-Scanner" or not (or whether the path contains forward or backslashes) and configure accordingly.

    HTH

    Christian

    Q: Why do you create malware which is detected anyway :smileywink:?
