Process Exclusions not being applied within Sophos Endpoint Security and Control running on server.

I have created some server policies which exclude processes from being scanned by the on-demand scanner. These are either explicit processes such as source control tools, compilers and linkers, to optimize build servers, or implicit processes such as Microsoft SQL Server which appear as a result of the known applications feature.

The relevant processes are listed correctly in Sophos Cloud when looking at the exclusions task for a relevant server to which the policy is applied.

However when looking at the Sophos Endpoint Security and Control, version 1.1.9 Cloud Server settings on the actual server there is no mention of the process exclusions and no ability to add them explicitly within the server.

By running performance traces during continuous integration builds on our development servers it is clear that SavService.exe is consuming most of the CPU. I am fairly convinced Sophos is over-scanning.

I have an alternative reference machine with Microsoft Security Essentials installed instead, with explicit process exclusions applied. In that configuration I get the desired performance.

I am almost convinced that the process exclusion feature used to work when I first commissioned Sophos Cloud for our organisation about 6 months ago. It feels like something has changed but I cannot say for certain as I have not been monitoring the situation closely until now.

Hope somebody can help.

  • Hi,

    Process exclusions are only valid for real-time scanning. When you use process exclusions (only available via policy on servers at the moment) you're saying that any file the process touches is also excluded, as opposed to a file exclusion of the executable name, which just prevents that file being scanned.

    Regarding performance, I would suggest using Process Monitor as a tool to check on what is happening to cause the slow-downs you are experiencing. The "Duration" column is useful for checking. E.g. applying a filter of "Duration >= 0.1" is a good start. You can also see the files that savservice.exe is touching/scanning. Some of the top files/directories reports you can create will also provide a good overview of where a few exclusions could be tried. Remember that all directory exclusions need to have a trailing backslash, otherwise you are typically excluding a non-existent file.

    You can see the process exclusions on the server endpoint under the on-access scanning settings.

    Regards,
    Jak
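
The Process Monitor triage suggested in the reply above, as an added example that is not part of the original thread: it reads a Process Monitor CSV export, keeps SavService.exe events with Duration >= 0.1, and totals them per directory, written with the trailing backslash a directory exclusion needs. The column names assume an export with the Duration column enabled; the sample rows and paths are constructed.

```python
import csv
import io
from collections import defaultdict
from ntpath import dirname  # Windows path rules, whatever OS runs the analysis

# Constructed sample shaped like a Process Monitor CSV export with the
# Duration column enabled (assumed column names; paths are made up).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"10:01:02.1","SavService.exe","1200","ReadFile","D:\build\obj\core.obj","SUCCESS","","0.2500000"
"10:01:02.4","SavService.exe","1200","ReadFile","D:\build\obj\util.obj","SUCCESS","","0.1500000"
"10:01:02.6","SavService.exe","1200","CreateFile","D:\src\.git\index","SUCCESS","","0.1200000"
"10:01:02.7","SavService.exe","1200","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS","","0.0020000"
"10:01:02.9","cl.exe","4312","WriteFile","D:\build\obj\core.obj","SUCCESS","","0.3000000"
'''

def slow_scan_dirs(csv_text, process="savservice.exe", min_duration=0.1):
    """Return [(directory, slow_event_count, total_seconds)], slowest first,
    for events by `process` whose Duration is >= min_duration."""
    totals = defaultdict(lambda: [0, 0.0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("Process Name") or "").lower() != process:
            continue
        try:
            duration = float(row["Duration"])
        except (KeyError, TypeError, ValueError):
            continue  # Duration column missing or blank for this event
        if duration < min_duration:
            continue
        folder = dirname(row.get("Path") or "")
        if not folder:
            continue
        # A directory exclusion needs the trailing backslash; without it
        # the entry is read as a file name that usually does not exist.
        if not folder.endswith("\\"):
            folder += "\\"
        totals[folder][0] += 1
        totals[folder][1] += duration
    ranked = [(d, n, round(s, 3)) for d, (n, s) in totals.items()]
    return sorted(ranked, key=lambda item: item[2], reverse=True)

if __name__ == "__main__":
    for folder, count, seconds in slow_scan_dirs(SAMPLE_CSV):
        print(f"{seconds:8.3f}s  {count:4d} slow events  {folder}")
```

The directories at the top of the list are candidates to test as narrow directory exclusions before resorting to a process exclusion, which exempts every file the process touches.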