Sophos Linux: /dev is included in on-access scanning. How does Sophos ensure that it doesn't scan all the devices?

The files in /dev have a direct relationship to devices; how does Sophos ensure that the device isn't scanned when a file is opened or closed?

  • Hello Support Solvinity,

    I'm not sure I understand what you mean by "how does Sophos ensure that the device isn't scanned" or "that it doesn't scan all the devices".
    Even though the Configuration Guide says "By default, no filesystem types are excluded", there's a long list of unsupported filesystems.

    BTW: Are you referring to the free or a licensed version? (Not that it makes a difference; I just want to move this question to the appropriate forum - this one is about the Support Portal.)

    Christian

  • Hello,

    We have a licensed version. It might be indeed in the wrong block but thanks for the response nevertheless.

    Actually the question is more general about how Sophos would handle the special folders on Linux when these are not excluded from on-access scanning. /proc, /sys and /dev are all interesting from this perspective but I struggle to find any explanation on how these folders are scanned in a way that prevents performance degradation.

  • Hello Support Solvinity,

    I've assumed you don't use Central but an on-premise license.
    On-access never scans folders/directories, only an individual file when it gets a notification of an event. A file to be scanned is not everything that can be accessed via a path. It's up to an application for which filesystems/mounts it wants to receive events. Just because there is no (visible) exclusion, this doesn't mean that /dev or /proc (or rather the plethora of virtual or pseudo filesystems) are actually monitored. Furthermore, whether a file is a regular file (that can be scanned) or something else (for which scanning makes no sense) can easily be determined.

    Christian

  • Thanks for the comments Christian! You are right, of course, in stating that the fact that there aren't exclusions doesn't mean that they are scanned - but it also isn't proof that they aren't. I'll ask Sophos support to give me a definitive answer.

  • Hello Support Solvinity,

    I'd ask 🙂

    Christian

  • /proc is excluded because it is a pseudo filesystem type that is on the skip list in Talpa.

    For device files in e.g. /dev I can't remember quite where they are excluded, but they are different from regular files, so aren't scanned.

    In neither case are path-based exclusions required to prevent scanning.
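
The two checks described in this thread (Christian's "is it a regular file?" test and Douglas's filesystem-type skip list), as an added illustration that is not Sophos/Talpa code and not posted by anyone in the thread. The skip list and the /proc/mounts excerpt below are constructed; the real Talpa skip list is not reproduced here.

```python
import os
import stat

# Constructed skip list of pseudo filesystem types (assumption, not the real Talpa list).
PSEUDO_FS_TYPES = {"proc", "sysfs", "devtmpfs", "devpts", "cgroup2", "debugfs", "tracefs"}

# Constructed /proc/mounts excerpt: device, mount point, fstype, options, dump, pass.
MOUNTS_SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4096k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, fstype)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            # The kernel writes spaces in mount points as the octal escape \040.
            mounts.append((parts[1].replace("\\040", " "), parts[2]))
    return mounts

def fstype_for_path(path, mounts):
    """Filesystem type of the longest mount point that is a prefix of path."""
    matches = [(mp, fs) for mp, fs in mounts
               if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None

def should_scan(path, st_mode, mounts):
    """Decide as an on-access scanner would; returns (scan?, reason)."""
    fstype = fstype_for_path(path, mounts)
    if fstype in PSEUDO_FS_TYPES:
        return False, "filesystem type %s is on the skip list" % fstype
    if not stat.S_ISREG(st_mode):
        return False, "not a regular file (%s)" % stat.filemode(st_mode)
    return True, "regular file on %s" % fstype

def should_scan_live(path):
    """Same decision for a real path on this Linux host (reads /proc/mounts)."""
    with open("/proc/mounts") as fh:
        mounts = parse_mounts(fh.read())
    try:
        st = os.stat(path)  # follows symlinks, as an open() would
    except OSError as exc:
        return False, "stat failed: %s" % exc.strerror
    return should_scan(path, st.st_mode, mounts)
```

Note that a regular file under /dev/shm (tmpfs in the sample) still qualifies for scanning: the decision is driven by the mount's filesystem type and the inode type, not by the path starting with /dev.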

  • Thanks for the explanation Douglas! Just curious, are you running Sophos (or have you been) without exclusions?