Exclude a subdirectory in each user’s home directory from scanning

Our local network users run an in-house application that downloads application builds (typically several gigabytes of executables and DLLs) to the user’s %AppData%\CacheDir directory. We use the Bittorrent protocol to speed up deployment over the LAN. However, the Sophos scanner renders the performance abysmal; downloads are about 20 to 50 times slower when it’s active. I suppose this is caused by the files being changed regularly as new chunks are being downloaded, which is understandable behaviour from a virus scanner, but also the expected behaviour of a Bittorrent client.

Both our application and the binaries it downloads can be fully trusted, and we must absolutely avoid the overhead described above.

I could not find a way to exclude each user’s %AppData%\CacheDir directory and its subdirectories from scanning (except by adding the same line dozens of times, for each user, and maintaining the list each time we hire a new person…). I understand that environment variables are not supported (and that the service can’t really evaluate them anyway). However, we’re faced with this problem where the antivirus is just preventing everyone from working properly, and so far the only practical solution we’ve found is to exclude C:\Users from scanning (which kinda defeats the purpose of having a scanner at all).

Any suggestion on how to bypass the limitations?

  • Hello Sam Hocevar,

    I assume \CacheDir contains many subfolders on several levels? The files having arbitrary extensions?

    Christian

  • Yes, there are many subfolders with varying levels and names, unfortunately. The filenames however are mostly .exe, .dll, .elf and .pdb files if that may help us.
  • Hello Sam,

    meanwhile I've found an old thread Wild cards in av exclusions (didn't think it's that old). Played around a lot then, can't remember the details. Not sure why I had been confused about the matches first - perhaps it is that Folder\Name.Ext excludes Name.Ext in any folder whose name ends with Folder. But even if this were true it would unfortunately not help you.

    Christian

  • Does the above work as might be useful for some things?

    We have just raised a case due to problems with severe slowness with AV turned on and believe partly due to Notes being in use so were trying to add some extra exclusions in and spotted this thread.

    We have a similar issue in that the Lotus Notes client application installed in the recommended multi-user way from IBM ideally should have its data directory excluded as it uses JAR files and many other database files: www-01.ibm.com/.../docview.wss

    We can exclude the fixed directories, and known file extensions but ideally need to exclude c:\users\username\appdata\local\lotus\notes\data for instance. The link above sounds promising possibly including data\*.???????????? but e.g. one directory picked at random is:

    C:\Users\username\AppData\Local\Lotus\Notes\Data\workspace\.config\org.eclipse.osgi\bundles\212\1\.cp

    i.e. many subdirs deep, and that one contains DLLs but others under the org.eclipse.osgi contain lots of different file types.

    Is there really no way of saying to exclude a directory based on the current user, or with wild cards, e.g. *\lotus\notes\data\* and most importantly to say "include subdirs"?

    Also it is not entirely clear what the difference is (if there is one) between adding an exclusion to the Extensions for .XYZ and adding *.XYZ as a file to the exclusions list?

    Steve
  • Hello Steve,

    just for the record - these are just conclusions from experiments (and I don't actually use this fancy stuff). Also I don't have access to (Sophos) inside documentation and (re-)sources so (perhaps educated) guesses but nothing more.

    Before commenting on the available exclusion patterns:
    adding an exclusion to the Extensions for .XYZ and adding *.XYZ as a file
    It's (perhaps deliberately) rather obscure but if you read carefully you'll note that in conjunction with extensions the term file types is used. Indeed this refers to types and not extensions. The default setting is Scan only executable and other vulnerable files. Whether a file belongs to this category is indeed determined by the extension (as this is what Windows uses to associate a file with a specific action or application). Thus if the famous EICAR test file is named eicar.txt it's not detected. Subsequently the actual type is determined (the scanner has to be efficient and therefore uses a different strategy for, say, PE executables as opposed to PDF documents). Thus if you exclude PDF in the extensions tab the initial assessment will still be made for files with the .PDF extension and if it also contains a PDF it would be skipped, otherwise scanning would continue (for the other types).
    OTOH a *.PDF exclusion would tell the scanner to ignore all files with this extension and leave them alone (similar to .txt for example).

    The exclusions are kept simple to be efficient: Either there's a match from the left (with or without a drive letter or \\server\share) or from the right (with simple patterns). 

    Christian

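An added example, not code from the thread or from Sophos: a small Python model of the two matching styles Christian describes (left-anchored prefix with a drive letter or \\server\share, or a simple right-anchored wildcard), applied to the per-user %AppData%\CacheDir problem from the original question. The matching rules, the sample paths and the user names are assumptions made for illustration; the point is how much each exclusion style silently covers beyond what was intended.

```python
import fnmatch

# Constructed sample paths (not from the thread) used to compare exclusion styles.
SAMPLE_PATHS = [
    "C:\\Users\\alice\\AppData\\Roaming\\CacheDir\\build\\app.exe",
    "C:\\Users\\bob\\AppData\\Roaming\\CacheDir\\libs\\core.dll",
    "C:\\Users\\alice\\Downloads\\invoice.exe",
    "D:\\share\\AppData\\Roaming\\CacheDir\\tool.exe",
]


def _norm(path: str) -> str:
    """Case-insensitive, backslash-only form used for matching (assumed)."""
    return path.replace("/", "\\").lower()


def _left_anchored(entry: str) -> bool:
    """Entries starting with a drive letter or \\\\server\\share match from the left."""
    return (len(entry) > 1 and entry[1] == ":") or entry.startswith("\\\\")


def is_excluded(path: str, exclusions) -> bool:
    """Model of the matching described in the thread, not Sophos's implementation."""
    p = _norm(path)
    for raw in exclusions:
        e = _norm(raw)
        if _left_anchored(e):
            # A trailing backslash means "this directory and everything below it".
            if e.endswith("\\") and p.startswith(e):
                return True
            if p == e:
                return True
        elif fnmatch.fnmatchcase(p, "*" + e):
            # Simple right-side pattern: the entry must match the tail of the path.
            return True
    return False


def excluded(exclusions, paths=SAMPLE_PATHS):
    """Return the sample paths that a given exclusion list would leave unscanned."""
    return [p for p in paths if is_excluded(p, exclusions)]


# One entry per user: precise, but the list must be edited for every new hire.
PER_USER = ["C:\\Users\\alice\\AppData\\Roaming\\CacheDir\\",
            "C:\\Users\\bob\\AppData\\Roaming\\CacheDir\\"]
# The workaround from the question: every file in every profile goes unscanned.
WHOLE_PROFILES = ["C:\\Users\\"]
# A right-anchored pattern covers all users, but also any path that ends that way.
TAIL_PATTERN = ["AppData\\Roaming\\CacheDir\\*"]
```

Comparing `excluded(PER_USER)`, `excluded(WHOLE_PROFILES)` and `excluded(TAIL_PATTERN)` shows the trade-off: the profile-wide entry also drops the Downloads folder from scanning, and the tail pattern matches a CacheDir on an unrelated drive.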
  • Thanks for the quick reply and explanation, sounds logical. We had some file types listed before through excluded files but have added more through both options this time and seems to have helped with speed and stability issues (though early days).


    Steve
  • Hello Steve,

    but have added more through both options
    please excuse my nosiness - which types and extensions? As far as I can see (using Process Monitor) SavService seems to "see" indeed only the files with the configured (in the local GUI, Configure->On-access scanning->Extensions) "type extensions" (note that .COM is not on the list so ...). Thus you don't have to exclude, say, .APK (unless, of course, you have Scan all files checked).

    As extension is overloaded in this context I'll use extension when referring to the name and type when referring to the contents. Normally extension and type match. Type comes into play e.g. when files without an extension are scanned. Thus a type exclusion can induce a significant risk even if you strictly control extensions. Question is, what causes the issues with speed and stability. I'd try to avoid excluding certain types and make the extension exclusions as specific as possible (NB - it seems that it is indeed possible to use a partial path).

    Christian
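An added example, not code from the thread or from Sophos: a Python model of the two-stage decision Christian describes, an extension gate ("scan only executable and other vulnerable files") followed by a content-based type check, to show why a type exclusion behaves differently from a *.XYZ file exclusion and why the former can carry risk. The extension list, the magic-byte checks and the sample contents are assumptions constructed for illustration.

```python
# Illustrative subset of "executable and other vulnerable" extensions (assumed).
VULNERABLE_EXTENSIONS = {".exe", ".dll", ".pdf", ".doc"}


def sniff_type(content: bytes) -> str:
    """Decide the type from the bytes, as a scanner would, not from the file name."""
    if content.startswith(b"MZ"):
        return "PE"
    if content.startswith(b"%PDF-"):
        return "PDF"
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' for files without one."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def should_scan(name: str, content: bytes, excluded_extensions=(),
                excluded_types=(), scan_all=False) -> bool:
    """Model of the decision described in the thread, not Sophos's implementation."""
    ext = extension_of(name)
    # A *.XYZ file exclusion: the scanner never opens the file at all.
    if ext in {e.lower() for e in excluded_extensions}:
        return False
    # Extension gate: only the configured "vulnerable" extensions are opened,
    # unless "Scan all files" is on.
    if not scan_all and ext not in VULNERABLE_EXTENSIONS:
        return False
    # Type exclusion: the file is opened, its type determined from the content,
    # and it is skipped only if the content really is of the excluded type.
    return sniff_type(content) not in set(excluded_types)


# Constructed sample contents: a minimal PE-looking header and a PDF header.
PE_BYTES = b"MZ\x90\x00" + b"\x00" * 60
PDF_BYTES = b"%PDF-1.7\n%constructed sample\n"
```

With a PDF type exclusion a real PDF named report.pdf is skipped, while PE bytes under the same name are still scanned; with a .pdf extension exclusion the renamed PE is left alone as well, and PE bytes in eicar.txt are never opened unless scan_all is set.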