Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 10460 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

On-Access scanning exclusions being ignored

i2i-ltd

I work for a company with about a 1000 computers all running Sophos and managed using SEC.  Not all of these computers are attached to the domain, some are in workgroups, but are still registered with SEC for management.

The problem is we utilise a system called FOG to push out software and updates to all of these computers via it's snapin functionality, this on the whole works fine.  The problem is I have a custom written compiled Auto-IT script that makes changes to the system hosts file on the workgroup computers, and updates the dns settings with a call to netsh.  This makes large scale changes much easier.

For reference, the FOG client stores the files it downloads to a temporary folder C:\Program Files\FOG\tmp

However.. Sophos blocks this script from running as either HIPS/FileMod-002 or HIPS/DrvDrop-A.  Since I wrote the script myself, I know exactly what it does and that it is not malicious in the sense I want to run it.  I have tried the following entries in the Windows Exclusions under the on-access scan settings in SEC as follows.

[folder] c:\program files\fog\tmp\

[folder] c:\progra~1\fog\tmp\

[file] c:\program files\fog\tmp\settingsupdate.exe

[file] c:\progra~1\fog\tmp\settin~1.exe

Individually or combinations of these entires do not work.  The update file is blocked and quarantined as soon as it is run.

To further check I compied the Eicar test file to the folder, renamed it, and ran that (obviously all that happens is a cmd window opens and closes) but again, Sophos jumped in and blocked it as Virus/spyware EICAR-AV-TEST even though the folder is supposed to be excluded from on-access scanning!

Any ideas?

:37425


This thread was automatically locked due to age.
Parents
  • 0

    We ended up removing Sophos from the machine and installing MS Security Essentials following a call to Sophos Support.  There is no way to actually "exclude" a file or folder from being scanned with Sophos.  The "exclusions" are simply a way of telling Sophos to ignore certain things it finds upon scanning the "excluded" items.  I was unable to determine what these certain items are.

    Our only recourse was to send a sample of the file(s) in question to the Sophos labs so they could figure out why it was being flagged.  In our case, we only had a single machine that we needed a specific application to run on, so taking that machine out of the Sophos management loop wasn't a deal-breaker and was far easier than sending the file into Sophos and hoping for the best.  We added the appropriate exclusions to MSE and the app ran perfectly.

    I think somebody at Sophos should look up the definition of "exclusion", as I have never experienced this behavior out of numerous other A/V vendors our clients run (Symantec, Trend Micro, AVG, MSE, NOD32, Eset, etc.)  It's a good thing I don't run Sophos on the servers, as there is no way to exclude Exchange and SQL Databases from being scanned, short of completely disabling real-time (and scheduled) scanning...and then, why would I run it at all?

    Regards,

    Darren

    :37987
Reply
  • 0

    We ended up removing Sophos from the machine and installing MS Security Essentials following a call to Sophos Support.  There is no way to actually "exclude" a file or folder from being scanned with Sophos.  The "exclusions" are simply a way of telling Sophos to ignore certain things it finds upon scanning the "excluded" items.  I was unable to determine what these certain items are.

    Our only recourse was to send a sample of the file(s) in question to the Sophos labs so they could figure out why it was being flagged.  In our case, we only had a single machine that we needed a specific application to run on, so taking that machine out of the Sophos management loop wasn't a deal-breaker and was far easier than sending the file into Sophos and hoping for the best.  We added the appropriate exclusions to MSE and the app ran perfectly.

    I think somebody at Sophos should look up the definition of "exclusion", as I have never experienced this behavior out of numerous other A/V vendors our clients run (Symantec, Trend Micro, AVG, MSE, NOD32, Eset, etc.)  It's a good thing I don't run Sophos on the servers, as there is no way to exclude Exchange and SQL Databases from being scanned, short of completely disabling real-time (and scheduled) scanning...and then, why would I run it at all?

    Regards,

    Darren

    :37987
Children
No Data