Linux: Options for excluding files from scanning

Hi neilc222 

There is nothing like to configure a max file size for Linux on-access scanning but I can find the similar issue described in this article and you can go with the steps mentioned in it.

Thanks for this. Unfortunately the solutions there are to exclude the folders from scanning or configure samba instead of NFS; exclusion isn't really possible since it defeats the point of having the on-access scanning, particularly for a downloads folder which might be considered one of the more at-risk locations, and the samba/NFS solution isn't applicable to the issues I'm encountering with the VM.

Hi neilc222 

I'd like to know more details about the environment you have. Please provide the below details:

1. The operating system of the machine where Sophos AV for Linux is implemented.

2. Whether share is hosted on SAV for Linux's system and how it is causing the issue for you when you access the share from a Windows machine.

Jasmin said:

1. The operating system of the machine where Sophos AV for Linux is implemented.

Linux Mint 19.3 (based on Ubuntu 18.04)

Jasmin said:

2. Whether share is hosted on SAV for Linux's system and how it is causing the issue for you when you access the share from a Windows machine.

It is shared via VMware shared folders that allows the Windows VM to see folders on the Linux system - it does this by creating a pseudo Windows share. The issue arises from accessing the folder on the Windows VM (not opening any files), there is a significant hang and delay in the VM caused by SAV scanning (checked via top on the Linux system). Note that there isn't a noticeable delay on opening other folders so I assume it's because this folder has several large (> 200MB) files that are being scanned.

Jasmin said:

1. The operating system of the machine where Sophos AV for Linux is implemented.

Linux Mint 19.3 (based on Ubuntu 18.04)

Jasmin said:

2. Whether share is hosted on SAV for Linux's system and how it is causing the issue for you when you access the share from a Windows machine.

It is shared via VMware shared folders that allows the Windows VM to see folders on the Linux system - it does this by creating a pseudo Windows share. The issue arises from accessing the folder on the Windows VM (not opening any files), there is a significant hang and delay in the VM caused by SAV scanning (checked via top on the Linux system). Note that there isn't a noticeable delay on opening other folders so I assume it's because this folder has several large (> 200MB) files that are being scanned.

Hi neilc222 

AFAIK, Mint OS is not described in the supported Operating System list. Unfortunately, when OS is not supported, the product can throw an irrelative or different error or behaves differently than what it should. Though I will take the advice from my team regarding this issue.

Yes, I realise it's not specifically in that list but as far as SAV is concerned, it should be behaving the same as if it were running on Ubuntu 18.04. Getting hung up on that is a red herring - the real issue here is the interop between VMware (shared folders) accessed from Windows and SAV for Linux when a folder happens to contain (many) large installer files.

Hi neilc222 

We understand your concern but the reason behind it is not in the supported list, might be it is not behaving as expected.

We might not be able to help as it is not listed in the supported OS list for Linux.

Hello neilc222,

supported Linux distribution or not, DouglasLeeder could tell whether VMware shared folders have been tested and if with what result.

Christian

We don't test VMware shared folders. 

Since the product is primarily aimed at servers, which are less likely to have shared folders in that way, I'm not sure it would gain any priority with product management.

Thanks for the info. I guess I'll just have to live with it or try some other Linux AV (not that there are that many options!). It would be really useful to have options for customising the large file size (to skip scanning) and being able to ignore a certain process like vmware when it accesses files (i.e. don't on-access scan).

Many thanks