According to Sophos KB-000035264 support.sophos.com/.../KB-000035264, it states the following: "By default, Sophos Central automatically uses vendor-recommended exclusions for certain widely-used applications. You can also set up your own exclusions in your policy." I have servers that should be detected and have their vendor-recommended exclusions added, as they are on the list. I go to Overview > Devices > Servers, click on the server, and then go to Exclusions. If I filter to the Exclusions added automatically, I don't see anything in there. If I go to All Exclusions, then I do see the list that I added in there.
1. If you add Global exclusions, does that prevent the auto-added exclusions from happening?
2. If those auto-added exclusions don't appear in there, then do I have to add them manually?
3. Is there a way to import an exclusion list rather than manually having to do every single one?
Hi there, thank you for reaching out to us. Can you share with us what product you are currently using on your server? Was it SQL or Citrix? Are you observing this on only one server or on more servers? In addition to this, there was an issue related to the recommended vendor exclusions not showing a few months back, but it has already been sorted out. So I would also like to ask if you could create a case as well, then collect the SDU logs on the server in question and share them with me through DM. Please also share your Central license and enable remote assistance on it for us to further check this issue.
I am running into this on SQL, Exchange, and Citrix; not a single one of those servers is showing anything under the auto-added exclusions. Currently using Intercept X for servers/endpoints. I have a case open, but the response I received from support was "It gets added if Machine Learning detects it and adds the exclusions, however it is possible that they don't get added automatically. Since you don't see them in there, it was not added automatically."
Thank you, Lance, for sharing the info. Allow me to further validate the SDU and get back to you.
C:\ProgramData\Sophos\Endpoint Defense\Logs\sam.log might be interesting to look at.
As advised by our Sr. Engineer on the case that you've provided, it's been mentioned there that when Sophos is on the device, our product will look into the registry for specific components for these servers. Just installing SQL, for example, does not trigger an automatic addition to the exclusions. Some components of SQL will create registry keys, which, if Sophos sees them, will make it go "ah, here's a thing that requires this specific exclusion!" and it will then automatically create the related exclusion. If these SQL components are never installed, then Sophos won't create any exclusion.