
Exclude process: is the regkey still working?

Hi,


I saw in other topics that we can exclude processes from the real-time scan (for example https://community.sophos.com/products/endpoint-security-control/f/3/p/4011/9339).

I tried to do the same with two basic processes: notepad.exe and savtst32.exe

But it is still scanning :(

Here is my regkey:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess]
"ExcludedProcess0"="notepad.exe"
"ExcludedProcess1"="savtst32.exe"

Context : Sophos Endpoint Security and Control, version 10.6.3.537

Do you have any idea, please?



This thread was automatically locked due to age.
  • I think you can make process exclusions in the SAV UI as of 10.6.3. Isn't process a new entry in the drop-down? It doesn't set the registry keys but writes to the config file.

    The registry key should still work. The driver has to be reloaded to read the keys, so either restart or do:


    net stop savservice

    net stop savonaccess

    net start savonaccess

    net start savservice

    You can certainly do them with Central managed server.



    Regards,
    Jak

  • I'm experiencing the same issue (with 10-6-3-VE3-64-3). New process exclusions via registry do not work (tested incl. reboot). The same goes for new process exclusions via the new drop-down in the SAV UI (tested with net stop/start savservice&savonaccess only). I am not yet sure if existing exclusions via registry still work or not (as my backup jobs do not show a significant drop in performance).

    Regards

    Thomas

  • Hello all,

    on-premise SESC honours the values (both Value Name and Data are case sensitive), no drop-down (tested and seen on Win7 and W2k8). @Thomas: are you using the On-Premise or the Cloud product?

    Christian

  • Hi,

    I am using the on-premise product (Enterprise Console v5.3.1). And yes, all registry entries are case-sensitive.

    BTW: I have opened a support call for this issue.


    Regards

    Thomas

  • Even if I added, in the SAV UI, savtst32.exe, it generated an alert for the EICAR test.

    Why delete functions (for the regkey exclusion) if the new one doesn't work...

  • Hi,


    I've solved it for me for W2K8R2 (via registry) like this:

    > Reboot is required (just "net stop/start savservice&savonaccess" is not enough)

    > Process names must not be longer than 14 characters

    However, since according to support this method (registry) does not work on W2012R2, which is true, I've tested it here via the SAV UI using the same rules as above. Unfortunately this does not work. Will open a support call again ...
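An added audit script (not from this thread, and not a Sophos tool) that reads the SAVOnAccess key and flags exclusion entries that break the constraints reported in the thread: the ExcludedProcessN value-name pattern is taken from the original post, the 14-character limit and the case-sensitivity of value names and data from the replies. It only reports; applying a change still needs the reboot described above.

```powershell
# Added example: audit SAVOnAccess process exclusions against the constraints
# reported in this thread. Assumptions: value names follow the ExcludedProcess<N>
# pattern from the question; the 14-character limit and case-sensitivity are as
# reported by the replies. Nothing here modifies the registry.
$KeyPath       = 'HKLM:\SYSTEM\CurrentControlSet\Services\SAVOnAccess'
$MaxNameLength = 14   # limit reported in the thread (assumed to be exact)

function Test-SavProcessExclusion {
    param([string]$ValueName, [string]$ProcessName)
    $problems = @()
    # -cnotmatch is the case-sensitive operator: 'excludedprocess0' would be flagged.
    if ($ValueName -cnotmatch '^ExcludedProcess\d+$') {
        $problems += "value name '$ValueName' is not of the form ExcludedProcessN (case matters)"
    }
    if ($ProcessName.Length -gt $MaxNameLength) {
        $problems += "'$ProcessName' is $($ProcessName.Length) chars; reported limit is $MaxNameLength"
    }
    if ($ProcessName -cnotmatch '\.exe$') {
        $problems += "'$ProcessName' does not end in lowercase .exe; data is case-sensitive, verify against the on-disk name"
    }
    return $problems
}

function Get-SavProcessExclusionReport {
    if (-not (Test-Path $KeyPath)) { throw "Key $KeyPath not found (is SAV installed?)" }
    $key = Get-Item -Path $KeyPath
    # Match case-insensitively here on purpose, so wrongly-cased value names are
    # still listed and then reported as problems by Test-SavProcessExclusion.
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -imatch '^excludedprocess' })) {
        $data   = [string]$key.GetValue($name)
        $issues = Test-SavProcessExclusion -ValueName $name -ProcessName $data
        [pscustomobject]@{
            ValueName = $name
            Process   = $data
            Status    = if ($issues.Count -eq 0) { 'OK' } else { $issues -join '; ' }
        }
    }
}

Get-SavProcessExclusionReport | Format-Table -AutoSize
Write-Host "Reminder: per the thread, a reboot is needed before the driver reads changed values."
```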

  • Hi,


    Support responded as follows:

    In v10.6.3: process exclusions via GUI do not work at all. Will be fixed in v10.6.4

    On W2K8R2 with v10.6.3: process exclusions via registry work

    On W2012R2 with v10.6.3: process exclusions via registry do not work

    All in all this is very unsatisfying. Especially because the registry method was somehow manageable whereas the GUI-way is not. Also, there is no option to manage this via Enterprise Console. Instead, local modifications will show such clients as "Different to policy". Thumbs down!