
AV Exclusions via Wild Card

I'm trying to exclude XSN forms downloaded through our intranet from Sophos Scans. First I assumed that anything on the intranet should not be scanned, but to be safe I thought it might be best to create an exclusion, but adding FORM*.xsn is not allowed.

Is it not possible to have wildcards to match the first characters of a file name? We don't want to exclude all XSN forms, just the forms that meet a specific naming convention.

:55851


This thread was automatically locked due to age.
  • http://www.sophos.com/en-us/support/knowledgebase/10134.aspx

    On that page they make use of ??? to partially achieve what I'm needing, but it sounds like the ? is representative of a fixed number of characters... even though the definition almost makes it sound as if using fewer characters would still return a positive.

    "

    ???.PDF excludes all files with names three characters in length and a PDF file extension. Files with a name longer than three characters will be scanned.

    "

    :55852
  • Hello LoXodonte,

    are you talking about NetWare? The article you are referring to applies to NetWare.

    anything on the intranet should not be scanned

    Which issues do you have with scanning the .xsn forms, BTW? And, well, assuming anything on the Intranet is "clean" is daring :smileywink:. Anyway, if this is about Endpoint exclusions:

    Use the ? wildcard in a file name or extension to match any single character.
    
    At the end of a file name or extension, the ? wildcard matches any single character or no characters: For example, file??.txt matches file.txt, file1.txt, and file12.txt, but not file123.txt.
    
    

    Thus FORM??????????.xsn would exclude all files with extension xsn where the name starts with FORM followed by 0 to 10 characters.

    Christian

    :55860
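
Added example, not part of the thread and not Sophos code: a Python sketch of the ?-wildcard rule quoted in the reply above, useful for checking which file names an exclusion would cover before it is deployed. Case-insensitive matching and the rule that ? never matches a path separator are assumptions, and the sample file names are constructed.

```python
import re

ANY = r"[^\\/]"  # assumption: ? never matches a path separator


def _part(text: str) -> str:
    """Convert a name or extension; trailing ?s are optional, others mandatory."""
    fixed = text.rstrip("?")
    optional = len(text) - len(fixed)
    body = "".join(ANY if ch == "?" else re.escape(ch) for ch in fixed)
    return body + (f"{ANY}{{0,{optional}}}" if optional else "")


def exclusion_regex(pattern: str) -> re.Pattern:
    """Build a regex for a file-name exclusion that uses only the ? wildcard."""
    stem, dot, ext = pattern.rpartition(".")
    if not dot:  # pattern has no extension
        stem, ext = pattern, ""
    regex = _part(stem) + (r"\." + _part(ext) if dot else "")
    # assumption: Windows file names, so compare case-insensitively
    return re.compile(regex, re.IGNORECASE)


def is_excluded(pattern: str, filename: str) -> bool:
    """True if the whole file name is covered by the exclusion pattern."""
    return exclusion_regex(pattern).fullmatch(filename) is not None


def audit(pattern: str, filenames: list[str]) -> dict[str, bool]:
    """Map each file name to whether the exclusion would skip it."""
    rx = exclusion_regex(pattern)
    return {name: rx.fullmatch(name) is not None for name in filenames}


if __name__ == "__main__":
    # Constructed sample names for the FORM naming convention in the thread.
    samples = [
        "FORM.xsn",
        "FORM_2013_A1.xsn",
        "FORM_expense_report_2013.xsn",  # 20 characters after FORM
        "OTHERFORM1.xsn",
    ]
    for name, skipped in audit("FORM??????????.xsn", samples).items():
        print(f"{name:32} {'excluded' if skipped else 'scanned'}")
```

A name longer than the number of ? characters allows falls outside the exclusion and is still scanned, so the pattern length has to cover the longest name the convention permits.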
  • We tried FORM???????????????????.xsn but the content was still being scanned by Sophos: first by Web On access scanning, then by On access Read scanning. Why can't we just have a FORM*xsn option??

    The only way for us to exclude is by excluding the entire XSN form extension, which is kind of mind blowing.

    :55987
  • Hello LoXodonte,

    was still being scanned

    how did you find out? Because you received an alert, or?

    first by Web On access scanning, then by On access ...

    what is Web On access scanning? And again, how did you find out? I'm asking because exclusions are perhaps not the optimal response to the actual issue. If you mean Download scanning, it inspects part of the data before passing it on to the browser - exclusions don't apply here. As you didn't say what the issue is I can only speculate. Either Download scanning results in a browser hang or similar issue, or it blocks the form - in both cases on-access exclusions won't help (and there wouldn't be a then by On access).

    Anyway, the ?-pattern is supposed to work (I've just tried with SavTest32.exe from the SEC installer \Tools subdirectory using the exclusion eic???.com and the test failed as expected).

    Christian         

    :55994