Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 3 subscribers
  • Views 20590 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exclude a subdirectory in each user’s home directory from scanning

SamHocevar

Our local network users run an in-house application that downloads application builds (typically several gigabytes of executables and DLLs) to the user’s %AppData%\CacheDir directory. We use the Bittorrent protocol to speed up deployment over the LAN. However the Sophos scanner renders the performance abysmal; downloads are about 20 to 50 times slower when it’s active. I suppose this is caused by the files being changed regularly as new chunks are being downloaded, which is understandable behaviour from a virus scanner, but also the expected behaviour of a Bittorrent client.

Both our application and the binaries it downloads can be fully trusted, and we must absolutely avoid the overhead described above.

I could not find a way to exclude each user’s %AppData%\CacheDir directory and its subdirectories from scanning (except by adding the same line dozens of times, for each user, and maintaining the list each time we hire a new person…) . I understand that environment variables are not supported (and that the service can’t really evaluate them anyway). However we’re faced with this problem where the antivirus is just preventing everyone from working properly, and so far the only practical solution we’ve found is to exclude C:\Users from scanning (which kinda defeats the purpose of having a scanner at all).

Any suggestion on how to bypass the limitations?



This thread was automatically locked due to age.
Parents
  • 0

    Hello Sam Hocevar,

    I assume \CacheDir contains many subfolders on several levels? The files having arbitrary extensions?

    Christian

  • 0 in reply to QC
    Yes, there are many subfolders with varying levels and names, unfortunately. The filenames however are mostly .exe, .dll, .elf and .pdb files if that may help us.
  • 0 in reply to SamHocevar

    Hello Sam,

    meanwhile I've found an old thread Wild cards in av exclusions (didn't think it's that old). Played around a lot then, can't remember the details.  Not sure why I had been confused about the matches first - perhaps it is that Folder\Name.Ext excludes Name.Ext in any folder whose name ends with Folder. But even if this were true it would unfortunately not help you.

    Christian

  • 0 in reply to QC
    Does the above work as might be useful for some things?

    We have just raised a case due to problems with severe slowness with AV turned on and believe partly due to Notes being in use so were trying to add some extra exclusions in and spotted this thread.

    We have a similar issue in that Lotus Notes client application installed in the recommended multi-user way from IBM ideally should have it's data directory excluded as it uses JAR files and many other databases files: www-01.ibm.com/.../docview.wss

    We can exclude the fixed directories, and known file extensions but ideally need to exclude c:\users\username\appdata\local\lotus\notes\data for instance. The link above sounds promising possibly including data\*.???????????? but e.g. one directory picked at random is:

    C:\Users\username\AppData\Local\Lotus\Notes\Data\workspace\.config\org.eclipse.osgi\bundles\212\1\.cp

    i.e. many subdirs deep, and that one contains DLL's but others under the org.eclipse.osgi contain lots of different file types.

    Is there really no way of saying to exclude a directory based on the current user, or with wild cards, e.g. *\lotus\notes\data\* and most importantly to say "include subdirs".

    Also it is not entirely clear what the difference is (if there is one) between adding an exclusion to the Extensions for .XYZ and adding *.XYZ as a file to the exclusions list?

    Steve
Reply
  • 0 in reply to QC
    Does the above work as might be useful for some things?

    We have just raised a case due to problems with severe slowness with AV turned on and believe partly due to Notes being in use so were trying to add some extra exclusions in and spotted this thread.

    We have a similar issue in that Lotus Notes client application installed in the recommended multi-user way from IBM ideally should have it's data directory excluded as it uses JAR files and many other databases files: www-01.ibm.com/.../docview.wss

    We can exclude the fixed directories, and known file extensions but ideally need to exclude c:\users\username\appdata\local\lotus\notes\data for instance. The link above sounds promising possibly including data\*.???????????? but e.g. one directory picked at random is:

    C:\Users\username\AppData\Local\Lotus\Notes\Data\workspace\.config\org.eclipse.osgi\bundles\212\1\.cp

    i.e. many subdirs deep, and that one contains DLL's but others under the org.eclipse.osgi contain lots of different file types.

    Is there really no way of saying to exclude a directory based on the current user, or with wild cards, e.g. *\lotus\notes\data\* and most importantly to say "include subdirs".

    Also it is not entirely clear what the difference is (if there is one) between adding an exclusion to the Extensions for .XYZ and adding *.XYZ as a file to the exclusions list?

    Steve
Children
  • 0 in reply to SteveKnight

    Hello Steve,

    just for the record - these are just conclusions from experiments (and I don't actually use this fancy stuff). Also I don't have access to (Sophos) inside documentation and (re-)sources so (perhaps educated) guesses but nothing more.

    Before commenting on the available exclusion patterns:
    adding an exclusion to the Extensions for .XYZ and adding *.XYZ as a file
    It's (perhaps deliberately) rather obscure but if you read carefully you'll note that in conjunction with extensions the term file types is used. Indeed this refers to types and not extensions. The default setting is Scan only executable and other vulnerable files. Whether a file belongs to this category is indeed determined by the extension (as this is what Windows uses to associate a file with a specific action or application). Thus if the famous EICAR testfile is named eicar.txt it's not detected. Subsequently the actual type is determined (the scanner has to be efficient and therefore uses a different strategy for, say, PE executables as opposed to PDF documents). Thus if you exclude PDF in the extensions tab the initial assessment will still be made for files with the .PDF extension and if it also contains a PDF it would be skipped, otherwise scanning would continue (for the other types).
    OTOH a *.PDF exclusion would tell the scanner to ignore all files with this extension and leave them alone (similar to .txt for example).   

    The exclusions are kept simple to be efficient: Either there's a match from the left (with or without a drive letter or \\server\share) or from the right (with simple patterns). 

    Christian

  • 0 in reply to QC
    Thanks for the quick reply and explanation, sounds logical. We had some file types listed before through excluded files but have added more through both options this time and seems to have helped with speed and stability issues (though early days).


    Steve
  • 0 in reply to SteveKnight

    Hello Steve,

    but have added more through both options
    please excuse my nosiness - which types and extensions? As far as I can see (using Process Monitor) SavService seems to "see" indeed only the files with the configured (in the local GUI, Configure->On-access scanning->Extensions) "type extensions" (note that .COM is not on the list so ...). Thus you don't have to exclude, say, .APK (unless, of course, you have Scan all files checked).

    As extension is overloaded in this context I'll use extension when referring to the name and type when referring to the contents. Normally extension and type match. Type comes into play e.g. when files without an extension are scanned. Thus a type exclusion can induce a significant risk even if you strictly control extensions. Question is, what causes the issues with speed and stability. I'd try to avoid excluding certain types and make the extension exclusions as specific as possible (NB - it seems that it is indeed possible to use a partial path).

    Christian 

Unfiltered HTML