
Antivirus Exclusions and how to test they are working

Hi all. It has occurred to me that Sophos has been providing lists of settings for years (i.e. Exchange, SQL, Domain controllers, etc...). Shouldn't there be templates that you can simply import instead of manually entering 2-4 pages worth of exclusions? The chance for error is high, especially when you have multiple Microsoft technologies. Furthermore, how would one even know that an exclusion has been applied other than trusting what the console and client AV GUI says? Sorry if I am sounding negative. I have been receiving lots of pushback vs Sophos lately. Much thanks. JB

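An added example, not from JB's post, Christian's reply, or Sophos: the question of how to verify an exclusion without trusting the console has a standard empirical answer. Drop the EICAR test file (the harmless, industry-standard string every scanner detects) into the path the policy says is excluded and into a control path that is not, then see which copy survives on-access scanning. The script below assumes the directories are passed on the command line and that on-access scanning reacts within a few seconds; the file name `exclusion-probe.com` and the wait time are arbitrary choices.

```python
"""Empirical check of antivirus exclusions using the EICAR test file.

Drop the harmless, industry-standard EICAR test string into a directory that
the policy says is excluded from on-access scanning and into a control
directory that is not. A working scanner removes or quarantines the control
copy; the copy in the excluded path must survive untouched. Any other
combination means the effective policy differs from what the console shows.
"""
import hashlib
import sys
import tempfile
import time
from pathlib import Path
from typing import Optional

# The 68-byte EICAR test string, assembled from two fragments at runtime so
# that this script's own source file does not match the EICAR signature.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
# Published SHA-256 of the EICAR test file (68 bytes, no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_sha256() -> str:
    return hashlib.sha256(eicar_bytes()).hexdigest()


def probe_path(directory, wait_seconds: float = 5.0,
               payload: Optional[bytes] = None) -> dict:
    """Write the test file into `directory`, give on-access scanning time to
    react, and report whether the file is still present and unmodified.

    `payload` defaults to EICAR; pass harmless bytes for a dry run of the
    mechanics. Returns {"path": str, "survived": bool, "intact": bool}.
    """
    data = eicar_bytes() if payload is None else payload
    expected = hashlib.sha256(data).hexdigest()
    target = Path(directory) / "exclusion-probe.com"  # arbitrary probe name
    try:
        target.write_bytes(data)
    except PermissionError:
        # Some engines block the write itself; treat that as a detection.
        return {"path": str(target), "survived": False, "intact": False}
    time.sleep(wait_seconds)
    survived = target.exists()
    intact = False
    if survived:
        try:
            # Compare the hash: a scanner that disinfects rather than deletes
            # may leave a truncated or rewritten file behind.
            intact = hashlib.sha256(target.read_bytes()).hexdigest() == expected
        except OSError:
            intact = False  # quarantined or locked between exists() and read
        try:
            target.unlink()  # clean up the surviving copy
        except OSError:
            pass
    return {"path": str(target), "survived": survived, "intact": intact}


def verdict(expected_excluded: bool, control: dict, probe: dict) -> str:
    """Interpret one probe result against the control directory's result."""
    if control["survived"]:
        return ("INCONCLUSIVE: test file survived in the control path, so "
                "on-access scanning is not active here")
    if expected_excluded:
        if probe["survived"] and probe["intact"]:
            return "OK: exclusion effective"
        return "FAIL: excluded path was scanned (exclusion not applied)"
    if not probe["survived"]:
        return "OK: path scanned as expected"
    return "FAIL: path is excluded although the policy says it should be scanned"


def dry_run() -> dict:
    """Exercise the file mechanics with harmless bytes in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_path(tmp, wait_seconds=0, payload=b"harmless probe data")


if __name__ == "__main__":
    # Usage: python check_exclusions.py CONTROL_DIR EXCLUDED_DIR [EXCLUDED_DIR ...]
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    control = probe_path(sys.argv[1])
    for excluded in sys.argv[2:]:
        result = probe_path(excluded)
        print(f"{result['path']}: {verdict(True, control, result)}")
```

Two caveats when reading the result. The control directory is what makes the test meaningful: if the EICAR copy survives there too, the scanner is not doing on-access scanning at all and the excluded path tells you nothing. And exclusions can be scoped by path, extension or process, so run the probe as the account and, where possible, from the process that actually touches the files (the database service, the mail store), not only from an administrator shell.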


  • Hello JB,

    "Sophos has been providing lists of settings"

    actually they are mostly referring to the vendors' recommendations.

    "2-4 pages worth of exclusions"

    Microsoft themselves, for example, concede "However, your system may be safer if you do not exclude any files or folders from scans" and generally refer to exclusions in the context of "troubleshooting issues". For many scenarios it's not as clear-cut as one might assume: our admins decided to do without exclusions and to wait until it breaks. So far nothing did break, but naturally it depends and YMMV. Arguably it's easier to remove exclusions, though.

    There are some points (the list is not complete) which make this not as simple as it seems. Modifications by the customer must either be allowed and honoured or it must be a use/don't use decision. "Something" is needed to detect products, their versions and the paths used (e.g. for database files) to apply the appropriate settings (and it's likely necessary to re-assess the environment - products, versions, roles and so on - and to deal with changes). In addition SEC should have the information that predefined settings have been applied or be able to apply them (apart from the question how the predefined and possible custom exclusions could be merged).

    Christian
