
What is the Difference between "Extensions" and "Windows Exclusions" sections...

I see the following Error message on my backup server event log:

"The on-access driver failed to read from file \TEMP\IMG37\vbd_2011_01_28_0115_02\xxx-PublicFolder.edb"

I don't want to exclude the entire \TEMP folder, so I figure I will just exclude .edb files from the Sophos OnAccess scanner.  

However, there appear to be two locations in the AntiVirus policy configuration where I can define this exclusion.  Does anyone know what the difference is?  Will one location provide better performance than the other?

AntiVirus and HIPS Policy -> On-access Scanning -> Configure -> Extensions Tab -> Exclude -> "edb"

vs

AntiVirus and HIPS Policy -> On-access Scanning -> Configure -> Windows Exclusions  Tab -> Add -> "*.edb"

Actually -- I'm not even sure why Sophos is trying to scan this .edb file.  According to my research, EDB files are not even supposed to be scanned by default.    If you open up the Sophos AV client on a desktop -> Configure anti-virus and HIPS -> on-access scanning -> Extensions tab you will notice that the EDB extension is not even listed.  Strange...



  • Hi,

    I know that any exclusions made take place in the driver; this is the low-level component that sits at the file system level. So exclusions should be faster, as it saves the driver passing anything to the SAV service to evaluate/scan etc.

    The driver isn't really intelligent beyond that, I would imagine, as it needs to be lightweight, devoid of too much logic.  The extension list must therefore operate at the service/virus engine level.

    So the driver will get to see everything and as long as a file is not excluded it will pass the scan request up to the service to evaluate it which would explain why you got the message:

    "The on-access driver failed to read from file \TEMP\IMG37\vbd_2011_01_28_0115_02\xxx-PublicFolder.edb"

    as it's a message from the driver rather than the service.

    Once it gets to the service I would imagine that some sort of quick classification takes place to check that the file is of a type that is worth scanning, and this is then overlaid against the extension list.

    So a file exclusion of:

    ???-PublicFolder.edb

    could be worth a try based on the error message.  Note: In this form you would need to enter as many question marks as there could possibly be characters in the file name prior to the dash as these are a 1-1 mapping.

    I hope this helps.

    Regards,

    Jak

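To make the two mechanisms concrete, here is a small added example (not from the thread and not Sophos code) that models an extension-list check and a file-name wildcard exclusion against the path from the error message. The wildcard semantics (`?` matches exactly one character, `*` matches any run within a name, case-insensitive) are an assumption taken from the reply above, not verified against Sophos documentation.

```python
import re

# Constructed sample: the path quoted in the on-access driver message above.
SAMPLE_PATH = r"\TEMP\IMG37\vbd_2011_01_28_0115_02\xxx-PublicFolder.edb"


def file_name(path: str) -> str:
    """Return the final component of a Windows-style path."""
    return path.rsplit("\\", 1)[-1]


def extension_excluded(path: str, excluded_exts) -> bool:
    """Model of the Extensions tab: exclude by bare extension, case-insensitive."""
    name = file_name(path)
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in {e.lower().lstrip(".") for e in excluded_exts}


def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate a Windows Exclusions wildcard into a regex.

    Assumed semantics (from the reply, not from Sophos docs):
    '?' matches exactly one character, '*' any run of characters
    that does not cross a path separator.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def wildcard_excluded(path: str, patterns) -> bool:
    """Model of the Windows Exclusions tab: match the file name against each pattern."""
    name = file_name(path)
    return any(exclusion_to_regex(p).match(name) for p in patterns)


def explain(path: str, patterns) -> dict:
    """Map each pattern to whether it would exclude the given path."""
    name = file_name(path)
    return {p: bool(exclusion_to_regex(p).match(name)) for p in patterns}


if __name__ == "__main__":
    print(extension_excluded(SAMPLE_PATH, {"edb"}))
    print(explain(SAMPLE_PATH, ["*.edb", "???-PublicFolder.edb", "??-PublicFolder.edb"]))
```

Running it shows why the `???-PublicFolder.edb` form is brittle: it only hits names whose prefix is exactly three characters long, whereas `*.edb` (or the bare extension) covers every `.edb` file regardless of prefix.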