
Excluding a Process - 2 part Question

Part one:

As we all know, sometimes you just have to exclude a process.

Sophos states "Processes can only be excluded by specifying a full path"

Is there any way of getting around this, like using **\frogs\frogs.exe or **\frogs.exe

In other Enterprise AV solutions you can just use the process name.

 

Part two:

If you exclude the folder that the process runs from does this exclude the process?



  • Hi Navar,

    Thank you for posting your query on our Community forum. Can you please confirm if you are referring to exclusion of processes from scanning on Sophos Central endpoints? If yes, then it is NOT mandatory to use the full path; however, it is recommended to do so as mentioned here.

    Excluding the process results in exclusion of the process and the files that are used by that process during its usage by that excluded process only. However, a folder exclusion can only exclude the files, including process files (.exe perhaps), which shall be allowed to run; however, when the excluded file (process) tries to access file(s) that is/are not excluded, those files are scanned by the AV. Hope this helps!

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support


  • So on-site SEC has the restriction of having to use the full file path for the process?

    C:\Program Files\Frogs\Green\frogs.exe

    C:\Program Files\Frogs\Blue\frogs.exe

    Using Central has the option of just using the process name?

    **\frogs.exe

     

    So if I just exclude folder C:\Program Files\Frogs\

    Then all files and processes are excluded from AV scanning that are in the folder.

     

    So then if I exclude file type:  *.xyz and *.123 which are in C:\bugs\ and E:\food\

    When frogs.exe runs and accesses these file types.

    Neither process frogs.exe nor *.xyz or *.123 will be scanned by AV?

    If this is all true then we will need to re-think about going to Central, but as of right now we can't because Central doesn't meet HIPAA requirements and Sophos is refusing to sign a BAA.

    The HIPAA issue is when Sophos scans it records the path and file name, which can include Protected Health Information (PHI).  Example:  C:\patients\VIPs\BuggySBunny.docx

    Sophos has recorded that Mr. Buggy's Bunny was a patient.  PHI.

  • Hi  ,

    Thank you for your kind response.

    Navar Holmes said:
    So on-site SEC has the restriction of having to use the full file path for the process?

    The on-site SEC version works the exact same way as the Central managed endpoints and policies work. Apologies for the ambiguity. It is "recommended" to use the full path, however, usage of wildcards should not be a problem here.

    Also, kindly please find linked our HIPAA reference card for your kind reference.

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support


  • I need to clarify when I stated that Sophos doesn't meet HIPAA requirements.

    All of the Sophos products do help with meeting HIPAA requirements.

    Seeing how Sophos won't sign a BAA we can meet HIPAA requirements and this is because Sophos stores and records HIPAA data in the form of log files and when an application stores and records HIPAA data there is a HIPAA responsibility to safeguard that data.  It is the storing and recording part.  All of this only relates to Sophos cloud-based solutions.  When hosted on-site we have complete control over who has access to the log files.

    Because we are a Hospital we have to play by the HIPAA rules and requirements.  Signing a BAA helps with enforcing that a vendor is following the rules and requirements of HIPAA.

    Health Insurance Portability and Accountability Act of 1996 is United States legislation that provides data privacy and security provisions for safeguarding medical information.

     

    I will say that many cloud-based solutions (vendors) struggle with HIPAA requirements and signing BAAs.