Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 15 subscribers
  • Views 1121 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wildcard Scanning Exclusions: filter files with certain extension under a directory

Robin H

Hi,

I'm just trying to understand the following help:

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/references/ExclusionVariablesWindows.html

I like to achieve, that for example all *.txt files under a certain directory like c:\temp (including all *.txt files in subdirectories) will be excluded.

I would write the rule like that:

c:\temp\**\*.txt

Is that ok?  I'm afraid that all directories named like *.txt including all files under the directory will be excluded additionally...

If I wanted to do that, I would write it the following way (with additional backslash "\")

c:\temp\**\*.txt\

What irritates me, ist the following description in the link:

C:\foo\*.txt

C:\foo\*.txt

All files or folders contained in C:\foo named *.txt.

It is written that all files OR folders will be excluded.

Regards



This thread was automatically locked due to age.
  • 0

    I think the best thing might be to test it by writing a eicar string to a test file in the various scenarios and see what happens.

    E.g. In a PS prompt you can type: 

    "X5O!P%@AP[4\PZX54(P^)7CC)7}`$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!`$H+H*" | Out-File C:\temp\eicar.txt

    Note, there are 2 $ signs in the Eicar test string. Download Anti Malware Testfile – Eicar so you have to escape them with a back-tick.

  • 0

    Hello Robin H,

    as Sophos User930 said: Test it. Isn't always as simple as one might think though.

    I think you're right regarding the trailing backslash. SEC (the on-premise management console) and the Endpoint UI discern File and Folder exclusions and add respectively require the backslash if it's not there. I'm not familiar with Central's Admin UI but the Endpoint AV component made this file-or-folder distinction.

    Christian

Unfiltered HTML