
On-Access scanning exclusions being ignored

I work for a company with about 1000 computers, all running Sophos and managed using SEC. Not all of these computers are attached to the domain; some are in workgroups, but they are still registered with SEC for management.

The problem is that we utilise a system called FOG to push out software and updates to all of these computers via its snapin functionality, and on the whole this works fine. The problem is I have a custom-written, compiled AutoIt script that makes changes to the system hosts file on the workgroup computers and updates the DNS settings with a call to netsh. This makes large-scale changes much easier.

For reference, the FOG client stores the files it downloads to a temporary folder C:\Program Files\FOG\tmp

However, Sophos blocks this script from running as either HIPS/FileMod-002 or HIPS/DrvDrop-A. Since I wrote the script myself, I know exactly what it does and that it is not malicious, in the sense that I want to run it. I have tried the following entries in the Windows Exclusions under the on-access scan settings in SEC:

[folder] c:\program files\fog\tmp\

[folder] c:\progra~1\fog\tmp\

[file] c:\program files\fog\tmp\settingsupdate.exe

[file] c:\progra~1\fog\tmp\settin~1.exe

Neither these entries individually nor combinations of them work. The update file is blocked and quarantined as soon as it is run.

To check further, I copied the EICAR test file to the folder, renamed it, and ran that (obviously all that happens is a cmd window opens and closes), but again Sophos jumped in and blocked it as Virus/spyware EICAR-AV-TEST, even though the folder is supposed to be excluded from on-access scanning!

Any ideas?

  • Hello i2i-ltd,

    Excuse the dumb question, but as it seems to ignore the exclusions: did you check on the client that they are actually set and that the files are actually accessed using the specified path (you can find the path for the detection in the AV log, SAV.txt)?

    Christian

  • Did you ever come up with a resolution for this? I'm experiencing the exact same thing with a client. In our case it's an executable that is being detected as HPmal/OSMod-A, and I've added exclusions ten ways from Sunday and Sophos still detects and blocks it, killing the process. It's exasperating, to say the least.

    SAV.txt shows File "C:\Program Files\System Config\snmp.exe" belongs to virus/spyware 'HPMal/OSMod-A': Process killed.

    I have excluded the following:

    C:\Program Files\System Config\

    C:\Program Files\System Config\snmp.exe

    C:\Progra~1\System~1\

    C:\Progra~1\System~1\snmp.exe

    Thanks!

    Darren

  • Hello Darren,

    I did not mention in my previous post that exclusions might not apply to HIPS detections (i2i-ltd said that EICAR was detected as well and HIPS is not involved at this point). I haven't performed any tests and the docs don't refer to it but I guess the exclusions don't apply to HIPS (as the exclusions are applied by the file system filter driver).

    Furthermore, according to Understanding HIPS HPmal/ and HPsus/ Run-time Detections, HPmal cannot be authorized, so I suggest contacting Support, both to get an answer on whether HIPS should honor the exclusions and to have the file (snmp.exe) analyzed.

    Christian

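An added worked example (mine, not code from the thread or from Sophos) of the check Christian asks for in his first reply, combined with the HIPS point in his second: take the detection lines out of SAV.txt, compare the path exactly as it was logged against the exclusion list as configured, and flag which detections are behaviour (HIPS/HPmal/HPsus) detections, where the replies above say exclusions may not apply. The log line shape is copied from Darren's quoted line; the sample log lines, the exclusion list and the 8.3 short-name table are constructed for the example (on a real host, take the short names from `dir /x` rather than hard-coding them). That runtime detections ignore on-access exclusions is Christian's guess in the thread, not something the example proves.

```python
import re

# Constructed 8.3 aliases for this example only. On a live client take them
# from `dir /x`; hard-coding them is just so the example runs offline.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "SYSTEM~1": "System Config",
    "SETTIN~1.EXE": "settingsupdate.exe",
}

# Exclusions as typed into SEC in the thread (folders end with a backslash).
EXCLUSIONS = [
    "c:\\program files\\fog\\tmp\\",                    # [folder]
    "c:\\progra~1\\fog\\tmp\\",                         # [folder], 8.3 spelling
    "c:\\program files\\fog\\tmp\\settingsupdate.exe",  # [file]
    "c:\\program files\\system config\\",               # Darren's folder
    "c:\\program files\\system config\\snmp.exe",       # Darren's file
]

# Constructed SAV.txt lines, modelled on the line Darren quoted.
SAMPLE_SAV_LOG = r"""
File "C:\Program Files\System Config\snmp.exe" belongs to virus/spyware 'HPMal/OSMod-A': Process killed.
File "C:\Program Files\FOG\tmp\settingsupdate.exe" belongs to virus/spyware 'HIPS/FileMod-002': Process killed.
File "C:\PROGRA~1\FOG\tmp\eicar.com" belongs to virus/spyware 'EICAR-AV-Test': Moved to quarantine.
File "C:\Users\admin\Downloads\tool.exe" belongs to virus/spyware 'Mal/Generic-S': Moved to quarantine.
"""

DETECTION_RE = re.compile(
    r"File \"(?P<path>[^\"]+)\" belongs to virus/spyware '(?P<name>[^']+)'"
)

# Detection-name prefixes the thread treats as run-time (HIPS) detections.
RUNTIME_PREFIXES = ("hips/", "hpmal/", "hpsus/")


def normalize(path: str) -> str:
    """Expand known 8.3 components and lower-case the path, so the long and
    short spellings of the same file compare equal."""
    parts = path.split("\\")
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in parts).lower()


def is_excluded(path: str, exclusions) -> bool:
    """Folder exclusions (trailing backslash) cover everything beneath them;
    file exclusions must match the whole normalized path."""
    target = normalize(path)
    for exc in exclusions:
        norm = normalize(exc)
        if exc.endswith("\\"):
            if target.startswith(norm):
                return True
        elif target == norm:
            return True
    return False


def detection_class(name: str) -> str:
    """'runtime' for HIPS/HPmal/HPsus behaviour detections, 'scanner' for
    signature detections such as EICAR or Mal/."""
    return "runtime" if name.lower().startswith(RUNTIME_PREFIXES) else "scanner"


def audit(sav_log: str, exclusions):
    """Return one finding per detection line: the logged path, the detection
    name, whether an exclusion covers that path, and what to do about it."""
    findings = []
    for line in sav_log.splitlines():
        m = DETECTION_RE.search(line)
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        excluded = is_excluded(path, exclusions)
        cls = detection_class(name)
        if not excluded:
            verdict = "no exclusion matches the path as logged; fix the exclusion"
        elif cls == "runtime":
            verdict = ("path is excluded but this is a run-time (HIPS) detection; "
                       "per the thread, exclusions may not apply and HPmal cannot be "
                       "authorized, so send a sample to Sophos")
        else:
            verdict = ("path is excluded and this is a scanner detection; the "
                       "exclusion is not being honoured, confirm it reached the client")
        findings.append({"path": path, "name": name, "excluded": excluded,
                         "class": cls, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SAV_LOG, EXCLUSIONS):
        print(f"{f['name']:<18} {f['class']:<8} excluded={f['excluded']}  {f['path']}")
        print(f"    -> {f['verdict']}")
```

The EICAR line in the sample is the interesting one: it is a plain scanner detection on a path that the exclusion list covers under both spellings, which is exactly the symptom in the original post, so the verdict points back at the client-side policy rather than at HIPS.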
  • Hi

    Sorry for the delay in responding here.

    Yes, I have confirmed the exclusions have been applied to the client. The path is correct; all deployed files are initially downloaded to the excluded folder before being run from there. I've also tried applying the exclusions locally on a client to verify they are there. Yes, the full path appears in the log file.

    I'll look into the HPmal and HPsus ideas; in fact, I'll bring it up in the next technical call I have with Sophos and update here.

    @DarrenS

    No, I have not had a resolution to this as yet. If I ever do, I will post it on here for future reference (good or bad).

    Thanks both for the input, appreciated.

  • We ended up removing Sophos from the machine and installing MS Security Essentials following a call to Sophos Support.  There is no way to actually "exclude" a file or folder from being scanned with Sophos.  The "exclusions" are simply a way of telling Sophos to ignore certain things it finds upon scanning the "excluded" items.  I was unable to determine what these certain items are.

    Our only recourse was to send a sample of the file(s) in question to the Sophos labs so they could figure out why it was being flagged.  In our case, we only had a single machine that we needed a specific application to run on, so taking that machine out of the Sophos management loop wasn't a deal-breaker and was far easier than sending the file into Sophos and hoping for the best.  We added the appropriate exclusions to MSE and the app ran perfectly.

    I think somebody at Sophos should look up the definition of "exclusion", as I have never experienced this behavior from the numerous other A/V vendors our clients run (Symantec, Trend Micro, AVG, MSE, NOD32, Eset, etc.). It's a good thing I don't run Sophos on the servers, as there is no way to exclude Exchange and SQL databases from being scanned, short of completely disabling real-time (and scheduled) scanning... and then, why would I run it at all?

    Regards,

    Darren
