
Exclude process: is the regkey still working?

Hi,


I saw in other topics that we can exclude processes from the real-time scan (many, like https://community.sophos.com/products/endpoint-security-control/f/3/p/4011/9339).

I tried to do the same with 2 basic processes: notepad.exe and savtst32.exe

But it is still scanning :(

Here is my regkey:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess]
"ExcludedProcess0"="notepad.exe"
"ExcludedProcess1"="savtst32.exe"

Context: Sophos Endpoint Security and Control, version 10.6.3.537

Do you have an idea, please?



This thread was automatically locked due to age.
  • Hi,


    I've solved it for me for W2K8R2 (via registry) like this:

    > Reboot is required (just "net stop/start savservice&savonaccess" is not enough)

    > Process names must not be longer than 14 characters

    However, since, according to support, this way (registry) does not work on W2012R2, which is true, I've tested it here via the SAV UI using the same rules as above. Unfortunately this does not work. Will open a support call again ...

  • Hi,


    Support responded as follows:

    In v10.6.3: process exclusions via GUI do not work at all. Will be fixed in v10.6.4

    On W2K8R2 with v10.6.3: process exclusions via registry work

    On W2012R2 with v10.6.3: process exclusions via registry do not work

    All in all this is very unsatisfying. Especially because the registry method was somehow manageable whereas the GUI-way is not. Also, there is no option to manage this via Enterprise Console. Instead, local modifications will show such clients as "Different to policy". Thumbs down!
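
An added example, not part of the thread and not Sophos code: a Python check over a registry export that lists the `ExcludedProcessN` values under the key quoted in the question and flags names longer than the 14 characters reported in the first reply. The sample export, the third process name and the reading that the limit counts the full file name including extension are assumptions made for illustration.

```python
import re

# Key path and value-name pattern as posted in the question.
SAV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess"
# Limit reported by a participant for W2K8R2; assumed to count the whole file name.
MAX_NAME_LEN = 14

# Constructed sample in .reg export form; the first two values come from the question,
# the remaining lines are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess]
"ExcludedProcess0"="notepad.exe"
"ExcludedProcess1"="savtst32.exe"
"ExcludedProcess2"="backupagent64.exe"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OtherService]
"ExcludedProcess0"="ignored.exe"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(ExcludedProcess\d+)"="(.*)"$')


def parse_exclusions(reg_text):
    """Return {value_name: process_name} for ExcludedProcessN values under SAV_KEY."""
    found = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            # Registry key paths are case-insensitive.
            in_key = section.group(1).lower() == SAV_KEY.lower()
            continue
        value = VALUE_RE.match(line) if in_key else None
        if value:
            found[value.group(1)] = value.group(2)
    return found


def audit(reg_text):
    """Return (value_name, process_name, length, within_limit) rows, sorted by value name."""
    return [(name, proc, len(proc), len(proc) <= MAX_NAME_LEN)
            for name, proc in sorted(parse_exclusions(reg_text).items())]


if __name__ == "__main__":
    for name, proc, length, ok in audit(SAMPLE_REG):
        print(f"{name}: {proc} ({length} chars) {'ok' if ok else 'exceeds reported limit'}")
```

The same listing doubles as an inventory of locally set process exclusions, which the last reply notes are not managed through Enterprise Console.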