I work for a company with about 1000 computers, all running Sophos and managed using SEC. Not all of these computers are attached to the domain; some are in workgroups, but are still registered with SEC for management.
The problem is we utilise a system called FOG to push out software and updates to all of these computers via its snapin functionality, and this on the whole works fine. The problem is I have a custom-written compiled Auto-IT script that makes changes to the system hosts file on the workgroup computers and updates the DNS settings with a call to netsh. This makes large-scale changes much easier.
For reference, the FOG client stores the files it downloads to a temporary folder C:\Program Files\FOG\tmp
However, Sophos blocks this script from running as either HIPS/FileMod-002 or HIPS/DrvDrop-A. Since I wrote the script myself, I know exactly what it does and that it is not malicious, in the sense that I want to run it. I have tried the following entries in the Windows Exclusions under the on-access scan settings in SEC:
[folder] c:\program files\fog\tmp\
[folder] c:\progra~1\fog\tmp\
[file] c:\program files\fog\tmp\settingsupdate.exe
[file] c:\progra~1\fog\tmp\settin~1.exe
Individually or in combination, these entries do not work. The update file is blocked and quarantined as soon as it is run.
To check further, I copied the EICAR test file to the folder, renamed it, and ran that (obviously all that happens is a cmd window opens and closes), but again Sophos jumped in and blocked it as Virus/spyware EICAR-AV-TEST, even though the folder is supposed to be excluded from on-access scanning!
Any ideas?
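The hosts-file and netsh DNS update that the post's Auto-IT tool performs, written in PowerShell as an added example (this is not the poster's script); the hostnames, addresses and DNS servers are placeholder values, and using Get-NetAdapter to enumerate adapters is an assumption.

```powershell
# Added example, not the poster's Auto-IT tool: hosts-file update plus DNS change via netsh.
# Hostnames, addresses and DNS servers below are constructed placeholder values.
$HostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Entries    = @{
    'fogserver.example.local' = '10.0.0.5'
    'intranet.example.local'  = '10.0.0.10'
}
$DnsServers = @('10.0.0.53', '10.0.0.54')

# Keep a timestamped backup so the change can be rolled back if needed
Copy-Item -Path $HostsPath -Destination "$HostsPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

# Drop any existing lines for the managed names (ignoring comments), then append the current mapping.
# @() forces an array even when the hosts file has a single line, so += appends instead of concatenating.
$lines = @(Get-Content -Path $HostsPath | Where-Object {
    $fields = ($_ -replace '#.*$', '').Trim() -split '\s+'
    -not ($fields.Count -ge 2 -and $Entries.ContainsKey($fields[1]))
})
foreach ($name in $Entries.Keys) {
    $lines += "$($Entries[$name])`t$name"
}
Set-Content -Path $HostsPath -Value $lines -Encoding ASCII

# Point every connected adapter at the managed DNS servers with the same netsh call the post describes.
# Get-NetAdapter is assumed to be available (Windows 8 / Server 2012 or later).
$primary = $DnsServers[0]
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    $adapter = $_.Name
    netsh interface ipv4 set dnsservers "name=$adapter" source=static "address=$primary" primary
    for ($i = 1; $i -lt $DnsServers.Count; $i++) {
        $secondary = $DnsServers[$i]
        $idx = $i + 1
        netsh interface ipv4 add dnsservers "name=$adapter" "address=$secondary" "index=$idx"
    }
}
```

Run it from an elevated prompt; both the hosts file and netsh DNS changes require administrator rights.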