
Global folder exclusions and PUA's

We are rolling out Sophos on our servers.

One server holds the software repository with company software installers and a lot of tooling for us sysadmins.

As one can guess, Sophos detects several PUAs, like NirSoft apps, TightVNC, and so on.

We and Sophos seem to have a disagreement in what is a PUA.

Now I excluded the drive:\path where those tool apps reside in a custom Threat Protection policy, and still I cannot access the files and new PUA alerts are generated.
I did a lot of searching, but cannot confirm that PUAs and folder exclusions are two different things, which is what it seems to be.
Also, excluding a single PUA every time is not an option. So if I can't solve this, Sophos cannot run on that server.

I want Sophos to leave that drive:\folder alone and not detect anything.
The share is used by sysadmins and everything put there has already been scanned by clients.

How can I solve this?

Regards,

Han



  • Thanks Gladys,

    Adding each PUA by name would be an ongoing story on a volume where we keep all our software downloads, sysadmin tooling and so on. I would have to hire someone for that.
    Meanwhile I figured out that "Add apps by path" method, and I can access the so-called PUAs now with a file explorer.

    Still one challenge to go: the backup software seems to let Sophos know that a file is accessed as \Device\HarddiskVolumeShadowCopy28\Misc\...
    Excluding that path is not going to help; the next backup will be HarddiskVolumeShadowCopy32 or so.
    So the already added allowed application by path L:\Misc does not work.

    So I am testing with paths like \Device\*\Misc\ which didn't work, and now testing with \Device\*\Misc (without backslash).
    Next will be \Device\HarddiskVolumeShadowCopy??\Misc\

    Must find a way to let this work, otherwise Sophos is not going to run on that server.
    Regards,

    Han

  • Finally, the backup ran without PUA alerts.
    Unfortunately I ended adding two exclusions at once, so I don't know which one did the trick:
    File or folder exclusion: \Device\HarddiskVolumeShadowCopy??\Misc\
    Allowed application: \Device\HarddiskVolumeShadowCopy??\Misc\

    Problem solved.
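As an added example (not part of the thread, and not Sophos's own matching code), the small checker below shows how broadly a glob-style exclusion pattern would cover the shadow-copy paths quoted above. It assumes ordinary glob semantics (`?` one character, `*` any run of characters within one path component, a trailing backslash meaning the whole subtree); Sophos's actual rules may differ, so treat the results as a way to reason about the exclusion, not as a statement of product behaviour.

```python
import re

# Constructed sample access paths, modelled on the ones quoted in the thread.
SAMPLE_PATHS = [
    r"\Device\HarddiskVolumeShadowCopy28\Misc\tool.exe",
    r"\Device\HarddiskVolumeShadowCopy32\Misc\sub\tool.exe",
    r"\Device\HarddiskVolumeShadowCopy100\Misc\tool.exe",  # three-digit index
    r"\Device\HarddiskVolumeShadowCopy28\Other\tool.exe",  # outside the folder
    r"L:\Misc\tool.exe",                                    # live drive-letter path
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a glob-style exclusion pattern into an anchored regex.

    Assumed semantics (illustrative, not Sophos's documented rules):
    '?' matches exactly one character other than a backslash,
    '*' matches any run of characters other than a backslash,
    a trailing backslash means "this folder and everything under it".
    Matching is case-insensitive, as Windows paths are.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(r"[^\\]")
        elif ch == "*":
            parts.append(r"[^\\]*")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if pattern.endswith("\\"):
        body += ".*"  # folder exclusion covers the whole subtree
    return re.compile("^" + body + "$", re.IGNORECASE)


def covered_paths(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return the sample paths that the exclusion pattern would cover."""
    rx = pattern_to_regex(pattern)
    return [p for p in paths if rx.match(p)]


if __name__ == "__main__":
    for pat in ("\\Device\\HarddiskVolumeShadowCopy??\\Misc\\",
                "\\Device\\*\\Misc\\",
                "L:\\Misc\\"):
        print(pat, "->", covered_paths(pat))
```

Under these assumed semantics the `??` pattern stops matching once the shadow copy index reaches three digits, while the `*` form covers every shadow-copy volume; neither covers the live `L:\Misc` path, which needs its own entry. Keep in mind that any exclusion removes scanning for everything it matches, so the narrower pattern that still works is the safer choice.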