
Right Syntax for Exclude Windows Folders with Variables

Hi,

Already searched for it, but didn't find a real answer.


We need to exclude %userprofile%\AppData\Local\ProgramXYZ

or all the many folders Microsoft and other Vendors suggest to exclude from Realtime (not scheduled) scan.


I tried:

%userprofile%\AppData\Local\ProgramXYZ                 - As a Folder Exclusion

%userprofile%\AppData\Local\ProgramXYZ\*                - As a File Exclusion

\%userprofile%\AppData\Local\ProgramXY\*              - As a File Exclusion

C:\Users\??????????????\AppData\Local\ProgramXYZ        - As a File Exclusion

no change - never working. It can be entered, but without effect.

The only possible String was C:\Users\TestUser\AppData\Local\ProgramXYZ as a Folder Exclusion.

But I can't believe that I have to add thousands of unmanageable entries for excluding one simple folder - this would be extremely useless in a business scanner. The simplest free scanner can do such exclusions. There must be a correct working syntax.


I also read in some forums to make FirstUpperFolderName\*.* a File Exclusion. But I read so many combinations that I really want to get a "real answer". I'm sure many of you had the same problem.



  • Hello Stefan Haßlinger,

    apparently you've read some threads here and missed others (typing variables and exclusions in the search field above should give you a number of relevant discussions). The help section in the console help is pretty clear (it doesn't mention the Folder\name.ext type though; BTW *.* is not valid) on the syntax. Variables are not supported.

    My personal opinion is: If you don't have issues don't think about exclusions. Normally you don't need them and if it's mostly servers and their applications.

    Christian

  • Hi Christian,


    yes, I found a lot of threads and also looked into the help. I always read "Not working with on-access" and so on.

    Okay, e.g. \Appdata\MyExcludedFolder\ should work, but there are so much folders (as I mentioned, those from vendors like MS) where this kind of "exclusion syntax" is not really useful. As an easily understood example, the %temp% variable. Also the %userprofile%, same thing there.

    I can exclude \temp\ in Sophos, but the %temp% variable need not have the "temp" letters in it. Could also be something else.


    I don't exclude in general, I want to exclude explicit, but I don't want to exclude like an insane person, you know :-)

    So what is the "Sophos world" using for exclusions like %appdata%\anything or %temp% or %userprofile%\something or %appdata%\AnInsaneCPUusingPlugin?

    Steve

  • Hello Steve,

    "so much folders"
    again, most of these exclusions are not required (not even for performance reasons) even less on a workstation. I'm wary of the IMO often rather indiscriminate "requirements" - as if the writers have no profound knowledge of AV scanners and their operation - that don't describe the actual reason for the requirement. Malware isn't a figment or a hype and I wonder why applications still aren't "scanner-friendly".

    A decent on-access/real-time scanner intercepts (actually a driver does this) a file open (e.g. when a document is opened or an .exe is about to be run). Usually files (file types) which aren't likely to contain a threat are ignored. The file is then scanned and that's it (in case it has been scanned before and hasn't changed in the meantime it's not rescanned). Thus the actual impact is normally minimal. Admittedly the start-up time of an application which causes a number of "infectable" files (e.g. DLLs) to be opened will be noticeably increased - but once the applications run the scanner has no need to "interfere".

    Coincidentally or not some of the areas to exclude are not infrequently the ones where threats set up camp - user's %TEMP% and %APPDATA% for example.

    "I want to exclude explicit" - quite reasonable, but consider the following: If %appdata%\AnInsaneCPUusingPlugin is customarily excluded - why should malware bother to create an arbitrary folder under %appdata% and employ various tricks to evade detection when it can with a certain probability safely settle in this plugin's folder?

    Sophos Central (formerly Cloud) Server Protection offers predefined exclusions as well as the use of advanced exclusions - it's for servers though. On workstations I wouldn't assume I need to exclude this or that just because a vendor says so. As said, normally (general and office use) you don't need exclusions (one exception might be Java applications).

    Christian
    (Addendum: I can also discuss in German)
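
The points made in the replies above (variables are not supported, `*.*` is not valid, and user-writable areas such as %TEMP% and %APPDATA% are risky to exclude) can be checked mechanically before a list of exclusions is entered in the console. This is an added example, not part of the original thread and not a Sophos tool; the function names are hypothetical, the rules are taken from the posts above rather than from vendor documentation, and the sample list is constructed.

```python
import re

# Rules below come from the replies in this thread, not from vendor documentation.
ENV_VAR = re.compile(r"%[^%\\]+%")
# User-writable locations the thread names as places where threats settle.
USER_WRITABLE = re.compile(
    r"(^|\\)(appdata|temp|tmp)(\\|$)"
    r"|%(temp|tmp|appdata|localappdata|userprofile)%",
    re.IGNORECASE,
)


def lint_exclusion(entry):
    """Return the findings for one exclusion string (hypothetical helper)."""
    findings = []
    path = entry.strip()
    if ENV_VAR.search(path):
        findings.append("variable: environment variables are not supported")
    if "*.*" in path:
        findings.append("wildcard: '*.*' is not valid")
    if USER_WRITABLE.search(path):
        findings.append("user-writable: unprivileged processes can write here")
    return findings


def lint_policy(entries):
    """Map every entry that has at least one finding to its findings."""
    report = {}
    for entry in entries:
        found = lint_exclusion(entry)
        if found:
            report[entry] = found
    return report


# Constructed sample list; the first four strings are quoted from the thread,
# the last one is an invented server-style path with no findings.
SAMPLE = [
    r"%userprofile%\AppData\Local\ProgramXYZ",
    r"C:\Users\TestUser\AppData\Local\ProgramXYZ",
    r"\Appdata\MyExcludedFolder" + "\\",
    r"FirstUpperFolderName\*.*",
    r"D:\Databases\Prod" + "\\",
]

if __name__ == "__main__":
    for entry, found in lint_policy(SAMPLE).items():
        print(entry)
        for finding in found:
            print("   -", finding)
```

An entry flagged as user-writable is not necessarily wrong, but it is the kind of exclusion that should come with a documented reason.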
