This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Process Exclusions questions

Hello Everyone,

 

We have recently upgraded our Enterprise Console to version 5.5.1, which supports process exclusions.

I cannot find much info about possible limitations on these exclusions (I have read KB128185 & the "Help" section in EC). Does anyone know :

  • Is there any exclusion limit ? (e.g max 40)
  • Is there a length limit of process names ?
  • How do you specify a process such as "name.exe*32" (as the wildcard * is recognized)
  • Has anyone tested it and does it work as expected ?

Thank you very much in advance !



This thread was automatically locked due to age.
Parents
  • Hello Jordi Argaillot,

    part of the information you are looking for is in the Information on Sophos Endpoint Security and Control 10.6.4.

    From your questions I'm not sure (no offence intended!) what you expect the exclusions to do and what they are for.

    • Why would someone want to exclude any considerable number of processes?
    • Guess it accommodates the OS limits
    • Please see the article. The *32 is an artefact, a Task Manager quirk. Process Monitor does not show it. And indeed * is a wildcard. BTW - although it seems convenient you should NEVER use something like *ProcessName*
    • Yes, as far as the tests are concerned. Never had to use it in production

    Christian

  • Hi Christian,

     

    Thanks for your reply !

    We actually just want to clarify product facts. There is no real scenario behind. Moreover, the old way (registry) to exclude processes had some limitations, so we want to be sure.

    As an example, Microsoft suggests to exclude many processes on Exchange servers, and some of these processes had too long names.

     

    If there is no official information, do you think I should open a support ticket ?

     

    Jordi

  • Hello Jordi,

    I've already too often said what I think about MS's suggestions/recommendations/whatever. Only so much - we haven't any process exclusions set.

    too long names
    too long for what? Ah, I see - there's a 500 character limit in SEC's Policy Editor (the local GUI doesn't have it). Exchange's program paths are that long? Anyway, you can use wildcards.

    [registry exclude] had some limitations
    which did you encounter? The (now withdrawn) kb article mentioned only process names, not paths - never checked what you can actually use.

    Guess the documentation regarding process exclusions is deliberately kept vague to not "encourage" their use. [:)]

    Just for others who read this thread: The effect of a Process Exclusion is that the on-access scan for any file that is opened/closed by this process is skipped. It's not exactly a good idea to both exclude the processes executable (or program directory) and configure a Process Exclusion.

    Christian 

Reply
  • Hello Jordi,

    I've already too often said what I think about MS's suggestions/recommendations/whatever. Only so much - we haven't any process exclusions set.

    too long names
    too long for what? Ah, I see - there's a 500 character limit in SEC's Policy Editor (the local GUI doesn't have it). Exchange's program paths are that long? Anyway, you can use wildcards.

    [registry exclude] had some limitations
    which did you encounter? The (now withdrawn) kb article mentioned only process names, not paths - never checked what you can actually use.

    Guess the documentation regarding process exclusions is deliberately kept vague to not "encourage" their use. [:)]

    Just for others who read this thread: The effect of a Process Exclusion is that the on-access scan for any file that is opened/closed by this process is skipped. It's not exactly a good idea to both exclude the processes executable (or program directory) and configure a Process Exclusion.

    Christian 

Children
No Data