This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows Exclusion Question Revisited

Hi,

I saw this question in the discussion group and thought I would try to glean more information on this topic.  I am totally new to this and have been searching and reading all I can concerning Windows exclusions and on-access exclusions.  The more I read the more I am not sure how to create an exclusion list that is correct.  In the question I read about, some things became clear, but for me I still feel unsure of some of the proper format.

One question I had was answered about what Microsoft puts in there exclusions such as

%windir%\SoftwareDistribution\Datastore\Logs\Res*.log

should be like this

C:\Windows\SoftwareDistribution\Datastore\Logs\Res????????????????.log 

Light switched on.

In our current list I see it exactly as Microsoft lists them.  So I guess my questions do you need to disregard the way that Microsoft lists their exclusions (it is reference) or what is accepted and change to the below examples.

%ProgramFiles%\ should be \Program Files\ , %windir% should be \windows\ , %SYSTEMROOT% should be  c:\windows\ , %SYSTEMDRIVE%  should be C: , etc.

So if our current exclusion list is exactly like Microsoft suggest, does that mean that it is a waste of exclusions (the above examples).  They do not work. 

I see this in our Windows exclusion list:  C:\%systemroot%\System32\DNS\  -  confusion sets in.  Is this correct or should it be C:\windows\system32\DNS\

I also read about SQL process exclusions may not be necessary and should be tested.  Our company has a lot of instances in SQL and I was very concerned about creating a list that excludes all these instances processes.  This would be a great weight off of me if this is not a something that may not make a difference and will not need to be used.

Another question, I have so many!

Once you have created your Server windows exclusion list do you put it in exactly the same way in the on-access exclusion list?

Some of our Vendors are very precise in how to apply exclusions, ex. \program files\folder\ or filename.exe,  filename.bak - which I find very helpful.

I am working in the dark and need some guidance so I can create a useful productive list.

Any help is most appreciated and I am extremely grateful for some of the time that it takes to put in to help someone like me out. 

Thanks.......  :)

 



This thread was automatically locked due to age.
Parents
  • Hello Gayla,

    does that mean that it is a waste of exclusions [???]
    it means that you seem to be fine without them. This is a controversial topic, indeed Microsoft have over the years changed the wording of their articles making it sound less like a requirement. Indeed we do without any of these "standard" file system exclusions and haven't even considered process exclusions. My personal opinion is, if you don't have problems don't exclude.

    If you are talking about SEC as opposed to Cloud Server: You can't use environment variables, there is no process exclusion (except with a registry hack).  

    Christian

  • Hi Christian,

    Thanks for your response and your correct we are using SEC.  So in reading your reply it seems that in reality the exclusions we have in place aren't really being excluded because they are in the form of environment variables.  As far as process exclusions, your not using them on your instances of SQL?  No performance issues?

    Appreciate your knowledge and input.

    Cheers,

  • Hello Gayla,

    aren't excluded, correct. "%" is, BTW, a valid character in a file name.

    No issues with SQL, we don't max it out - though we're also restrictive with VM sizing.

    Christian

  • Thanks for the info on %, I found that _ and $ signs were but did not know that % was accepted as well.  Good to know and again thanks for your help.

    Cheers,
    Gayla

  • Can I please ask for a clarification?

    The recommended exclusion lists provided by Micrrosoft that the Sophos article https://www.sophos.com/en-us/support/knowledgebase/35970.aspx points us to aren't neccessary?

    And anyway if you try to enter them as shown, SEC does not accept the * wildcard as part of the filename or extension - only as the whole filename or extension. The ? wildcard has to be used instead.

    Does the wildcard ? represent a single character or multiple characters? I always understood filename??.* to match/exclude filename03.txt but not filename031.txt, meaning that you have to enter a lot of ??? variations to cover all length variations of a filename. Big pain...

    Regards, Keith

Reply
  • Can I please ask for a clarification?

    The recommended exclusion lists provided by Micrrosoft that the Sophos article https://www.sophos.com/en-us/support/knowledgebase/35970.aspx points us to aren't neccessary?

    And anyway if you try to enter them as shown, SEC does not accept the * wildcard as part of the filename or extension - only as the whole filename or extension. The ? wildcard has to be used instead.

    Does the wildcard ? represent a single character or multiple characters? I always understood filename??.* to match/exclude filename03.txt but not filename031.txt, meaning that you have to enter a lot of ??? variations to cover all length variations of a filename. Big pain...

    Regards, Keith

Children
  • Hello Keith,

    disclaimer: I'm not Sophos.
    I think the Sophos documentation is (at least w/r to the wildcards) quite clear. you have to enter a lot of ??? - correct. Not discussing the rationale.

    As to the "recommended" - please note the wording of the Sophos article (as recommended by the vendor). Read through e.g. the Microsoft articles and you'll see why Sophos doesn't re-publish their contents. Apart from some boilerplate sentences (there's the somewhat curious term memory-resident) there's no consistent diction (even within one article, in the one for Exchange there's [...] two types of file-level scanners [...] Memory-resident file-level scanning [...] On-demand file-level scanning. Later there's make sure that the appropriate exclusions [...] are in place for both memory-resident and file-level scanning.  [*-)] huh?). I also miss a concise glossary. The common parts too lack IMO clarity (what means scanning of processes in Many file-level scanners now support the scanning of processes, which can adversely affect Microsoft Exchange if the incorrect processes are scanned)?
    If the articles don't actually address issues and troubleshooting (some do, i.e. the suggested exclusions are not pre-reqs) they still are in effect vague and ambiguous despite some explicit phrases. From Hardening the Hyper-V Host[using anti-malware] is not recommended [...] if you need to run [...] for regulatory compliance or other (ed: other ? what other ?)reasons, we require [to exclude] the program files vmms.exe and vmwp.exe. [otherwise] you might encounter errors
    And they baffle you with tautology (I like this one): By keeping the management operating system free of applications and running a Windows Server 2008 core installation, you will need fewer updates to the management operating system because nothing requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor. They could have stopped before because, couldn't they?

    The bottom line is it's you who has to decide. In the language of the articles I just say - you might not need any exclusions but they could be necessary if you encounter issues. [:)]. 

    Christian