This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Excluding a Process - 2 part Question

Part one:

As we all know, sometimes you just have to exclude a process.

Sophos states "Processes can only be excluded by specifying a full path"

Is there any way of getting around this, like using **\frogs\frogs.exe or **\frogs.exe

In other Enterprise AV solutions you can just use the process name.

 

Part two:

If you exclude the folder that the process runs from does this exclude the process?



This thread was automatically locked due to age.
Parents
  • Hi Navar,

    Thank you for posting your query on our Community forum. Can you please confirm if you are referring to exclusion of processes from scanning on Sophos Central endpoints? If yes, then it is NOT mandatory to use the full path, however is recommended to do so as mentioned here.

    Excluding the process results in exclusion of the process and the files that are used by that process during its usage by that excluded process only. However a folder exclusion can only exclude the files including process files (.exe perhaps) which shall be allowed to run, however, when the excluded file(process) tries to access file(s) that is/are not excluded, those files are scanned by the AV. Hope this helps!

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • So on-site SEC has the restriction of having to use the full file path for the process?

    C:\Program Files\Frogs\Green\frogs.exe

    C:\Program Files\Frogs\Blue\frogs.exe

    Using Central has the option of just using the process name?

    **\frogs.exe

     

    So if I just exclude folder C:\Program Files\Frogs\

    Then all files and processes are excluded from AV scanning that are in the folder.

     

    So then if I exclude file type:  *.xyz and *.123 which are in C:\bugs\ and E:\food\

    When frogs.exe runs and access these files types.

    Neither process frogs.exe or *.xyz or *.123 will be scanned by AV?

     

    If this is all true then we will need to re-think about going to Central, but as of right now we cant because Central doesn't meet HIPAA requirements and Sophos is refusing to sign a BAA.

    The HIPAA issue is when Sophos scans it records the path and file name which can include Protect Health Information (PHI).  Example:  C:\patients\VIPs\BuggySBunny.docx

    Sophos has recorded that Mr. Buggy's Bunny was a patient.  PHI.

  • Hi  ,

    Thank you for your kind response.

    Navar Holmes said:
    So on-site SEC has the restriction of having to use the full file path for the process?

    The on-site SEC version works the exact same way as the Central managed endpoints and policies work. Apologies for the ambiguity. It is "recommended" to use the full path, however, usage of wildcards should not be a problem here.

    Also, kindly please find linked our HIPAA reference card for your kind reference.

    Regards,

    Adithyan Thangaraj
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hello ,

    I'm not sure if it's already completely clear - so please excuse my chiming in. Furthermore I'm not sure I understand Adithyan Thangaraj's first reply correctly (emphasis mine): Excluding the process results in exclusion of the process and the files that are used by that process. AFAIK an excluded processes file (e.g. frogs.exe) is scanned whether the process is excluded or not. exclusion of the process definitely doesn't apply to EXP (HitmanPro.Alert)/Intercept X. Leaves BOPS, HIPS, and MTD - the latter is subject to the On-Access exclusions and I assume this is true for the other two as well (BTW, Data Control/DLP will under certain conditions honour On-Access exclusions).

    A process exclusion is something different. It excludes files from On-Access scanning when the excluded process accesses them.

    on-site SEC has the restriction of having to use the full file path
    nope, it hasn't - just try it. There's the savtsts32.exe utility in the \sec_5xx\tools\ directory you can use to test the effect of your exclusions (you can specify an arbitrary location and filename from its Drive menu). Please note that it's strongly recommended to use the full path or be as specific as possible. You'll likely not want that a rogue frogs.exe process running from a user's temp location has the process exclusion applied. Furthermore, process exclusions are dynamic meaning the are in effect as soon as they are set. We are all grown-ups but I nevertheless stress don't try this at home: *.* as Process Exclusion effectively turns off On-Access scanning immediately.

    So if I just exclude folder
    Folder, File, and Drive as well as All remote files (and Extensions on their own tab) always exclude the applicable files from scanning - I'd not use the term process in this context as it is misleading.

    if I exclude file type
    I'd also not use type as it in Sophos' context often refers to the TFT (True File Type), i.e. a file's actual "nature". You could call a VBScript Script File ThisIsAScript.xyz, with xyz being its extension. I know, the associated column in Explorer is labeled Type, and .xyz wouldn't be run automatically. Neverhteless it can successfully be run using cscript //E:VBS ThisIsAScript.xyz.
    But I digress.
    When frogs.exe runs
    neither *.xyz nor *.123 will be scanned, but this would also be the case when some other process accesses them or when the \Frogs\ folder isn't excluded.
    If OTOH, you exclude the process frogs.exe the file exclusions are redundant.

    Christian

  • Trying to understand the relationships between file extension exclusions, folder exclusions and process exclusion is always a challenge.  And even harder to make sure you meet the requirements with out leave a gaping hole.

     

    Adithyan,

    Are you saying that Sophos is wrong in their requirements for excluding processes?  Just wanting clarifications.  

    When I go to Windows Exclusions and Add.  I get this message in the windows. "You can exclude local drives, folders, files and processes.  You can use the wildcards ? and * for drives, folders and files.  Processes can only be excluded by specifying a full path."

     

    I completely agree with being careful with rogue frogs.exe processes when using *\frogs.exe.  For my case with process frogs.exe I could use parts of the folder structure to lessen the possibility of a rogue frogs.exe?  YES? NO?

    Examples:  *\blue\app\frogs.exe,  *\green\app\frogs.exe,  *\brown\app\frogs.exe

     

    More clarifications.  Right/Wrong?

    If there is no exclusions

    *.xyz is scanned when frogs.exe (or any process) accesses it or touched by anything?

    Process frogs.exe is also scanned?

     

    *.xyz is excluded so is never scanned?

    Process frogs.exe is scanned when accessing *.xyz but not *.xyz?

     

    Process frogs.exe is the only exclusion and is not scanned and the files it accesses are not scanned?

     

    Excluding a folder only excludes all the files in it when accessed?

    Excluding a folder that contains frogs.exe doesn't exclude it when it runs as a process?

     

Reply
  • Trying to understand the relationships between file extension exclusions, folder exclusions and process exclusion is always a challenge.  And even harder to make sure you meet the requirements with out leave a gaping hole.

     

    Adithyan,

    Are you saying that Sophos is wrong in their requirements for excluding processes?  Just wanting clarifications.  

    When I go to Windows Exclusions and Add.  I get this message in the windows. "You can exclude local drives, folders, files and processes.  You can use the wildcards ? and * for drives, folders and files.  Processes can only be excluded by specifying a full path."

     

    I completely agree with being careful with rogue frogs.exe processes when using *\frogs.exe.  For my case with process frogs.exe I could use parts of the folder structure to lessen the possibility of a rogue frogs.exe?  YES? NO?

    Examples:  *\blue\app\frogs.exe,  *\green\app\frogs.exe,  *\brown\app\frogs.exe

     

    More clarifications.  Right/Wrong?

    If there is no exclusions

    *.xyz is scanned when frogs.exe (or any process) accesses it or touched by anything?

    Process frogs.exe is also scanned?

     

    *.xyz is excluded so is never scanned?

    Process frogs.exe is scanned when accessing *.xyz but not *.xyz?

     

    Process frogs.exe is the only exclusion and is not scanned and the files it accesses are not scanned?

     

    Excluding a folder only excludes all the files in it when accessed?

    Excluding a folder that contains frogs.exe doesn't exclude it when it runs as a process?

     

Children
  • Hello Navar Holmes,

    the relationships between file extension exclusions, folder exclusions and process exclusion
    I wonder if you have read my post (well, you aren't required to do so). You are, no offence meant, imagining a complexity where there is none.

    1. The Extensions tab: Is somewhat arcane when you edit a policy with the console. There's a list of extensions that includes file types that we recommend are scanned. If you Exclude ... an extension (e.g. PDF) with the console or use Remove in the local GUI files with this extension aren't scanned (it is equivalent to the file exclusion *.PDF)
    2. The Exclusions tab, Drives, Folders, Files: A file whose fully qualified path name (starting with drive/server, ending with extension) matches one of these exclusions is not scanned
    3. The Exclusions tab, Processes: When a file is access by a process whose name matches a process exclusion it is not scanned

    There is no relationship between those three, at best they overlap. Please note that in case you Add and extension but one of the exclusions matches the exclusion wins.

    Process frogs.exe is scanned when ...
    A (running) process is not scanned. Its image on disk is, subject to a drive/folder/file exclusion, scanned before execution. Subsequent files accesses have no consequences regarding the running process or its image on disk.

    Process frogs.exe is the only exclusion and is not scanned and the files it accesses are not scanned?
    Unless there is some drive/folder/file exclusion that excludes the frogs.exe image on disk the image is scanned before execution, the files it accesses are not.

    Excluding a folder only excludes all the files in it when accessed? Excluding a folder that contains frogs.exe doesn't exclude it when it runs as a process?
    Correct. Although instead of doesn't exclude it I'd phrase it doesn't imply a process exclusion.

    Sophos is wrong in their requirements
    The inscription is (likely deliberately) wrong. But I don't see a real problem with this as it does not affect functionality. Exclusions should always be as specific as - if not possible then at least - feasible. The number of process exclusions should be very small, it's a one-time effort that should be exercised with care, and thus the requirement to specify the full path, even if "wrong", is not unreasonable.

    I could use parts of the folder structure to lessen the possibility of a rogue frogs.exe?
    Yes, though typing a few more characters is not a Herculean task. Anyway it's definitely better than no path at all.

    Christian