We use Sophos Central Endpoint Protection and need to exclude a specific device from scanning. We have several of those devices - it's some kind of USB dongle which shows up as a drive in Windows.
I didn't find any option to define a exclusion based on device like in Peripheral Control. Is that possible?
The only way I can think of, is to set a fixed driveletter for those devices and define a scan exclusion based on that. But that sounds like a quick and dirty solution to me...
Thank you for your assistance!
why do you need to exclude these devices, what does otherwise not work?
While perhaps not obvious AV scanning (I assume you are referring to on-access/real-time scanning) applies to files…
While perhaps not obvious AV scanning (I assume you are referring to on-access/real-time scanning) applies to files in (supported) file systems regardless of the underlying volume or device. Consequently you can exclude only by path. The "fixed drive letter trick" would of course work.
Thank's for your answer.
The need to exclude those devices is not because of technical nature rather than by legal requirement. I'm not happy with that...
We will use the "fixed drive letter trick".
this is, er, droll: a legal requirement that an AV scanner does not ... whatever it may not do.
Are you sure files on these devices are scanned in the first place? As said, only file systems (but not all types) are scanned. If no drive letter is assigned and the volume not mounted then there's nothing to scan. Guess you are not permitted to disclose any details or the exact requirement. None of my business but such enigmatic requirements pique my curiosity.
in my opinion, curiosity is a good quality ;-)
The device is FAT formatted and I can access the files, so I assume Sophos can scan it.
Not to assign a drive letter could be another option - I will check that!
I am surely permitted to give you official details. Here is the device: PU-50n TSE for Fiscal Solutions - SwissbitA special software (POS Client) uses the device and the software developer told us "Remove the assigned drive from any virus check. Virus scanners can massively dirupt the use of the device (TSE)."
I see. So it's the software developer and not the device manufacturer. Have you encountered issues so that the "POS guys" stated this requirement or is the POS software new and this just a "precaution" on their side? Interestingly it's almost always AV or virus check/scan - rarely any other software is mentioned that might as well interfere. And the instructions are more often than not pretty non-specific (what exactly is any virus check).. I daresay that (real-time) scanners are very rarely the actual cause. Why does most other software work without problems? Developers should know what indispensable stratagem or artifice in their software doesn't go well with the scanners. Wonder if they ever have an active protection on their endpoints. It seems that the existence of endpoint security is still seen as a nuisance by some developers.
Time and again exclusions and exemptions are requested by a vendor. If preemptive and without detailed explanation I'm very wary. Usually they can't tell whether you made the exclusions or not and they either not dare or care to say "show me".So, these devices are plugged in, get a more or less arbitrary letter assigned by Windows, I assume the POS client.can search for and use the device but as far as I understand it does not lock the device..The AV-driver intercepts file open and close and as necessary the scanner performs assessment and potentially a scan. Guess nothing apart from the POS application accesses the drive. What would trigger the scanner so that it would massively disrupt the use of the device? I read: In addition [...] the Swissbit TSE memory solutions offer a user memory that can be freely used by POS equipment manufacturers. Well, they should know if they use this memory or not. If they don't I can't see where a disruption could come from. Personally I'd either tell them the exclusions are in place and wait what happens or set the exclusions at first and gradually remove them. Always worked for me. Just checked, still have some of the respective policies around - all no longer assigned. No one ever noticed.