
Enterprise Console / client side: Scan without extensions

Does the "scan any files without extensions" setting override the exclusions?



  • Hello JimmyLininger,

    first of all, an exclusion is an exclusion - if there's a match the file isn't scanned.
    I'm not sure I understand you correctly, you mean if you check "Scan files without extension"? BTW - please note that there are settings for On-Access scanning and on-demand scans and they are independent. Whatever the settings, they don't override exclusions. Furthermore a file without extension is special only insofar as Windows doesn't associate any actions with it.

    Could you perhaps add some detail on what your concerns or issues are?

    Christian

  • Hello, so here is what I have. I have several drives; all these drives are in the exclusion list, however Sophos has quarantined several files from within these drives. All these files have no extensions. That is the only thing I can see that would cause Sophos to even be scanning anything from within these drives. If what you say is correct then Sophos should not even be scanning these drives, however this is incorrect. So something is overriding something in order for Sophos to be quarantining these files.

  • Hello JimmyLininger,

    first of all, if something triggers a detection this shouldn't be dismissed lightly. Of course a quarantined file is not necessarily malicious.

    As said, there are two sets of settings and therefore exclusions. If a drive is excluded in one but not the other this will cause "unexpected" detections. Could you please post some relevant lines from the AV log and your on-access and on-demand exclusions?

    Christian

  • Christian,

    trust me when I say these files are not malicious; we know what these files are and they are proprietary. As for the on-access and on-demand: do you mean from the Enterprise Console or from a client machine? And I apologize, where would I get the relevant logs?

  • Christian,

    My on-access on the console matches my on-demand on the client in regards to exclusions. Nothing in these drives should be scanned.

  • Hello JimmyLininger,

    if you suspect or are sure of a false positive it's a good idea to send a sample - whether something popular, third-party, or in-house. Detections will, except for pathological cases, be amended - I've done this more than once.

    The relevant log is accessible via the GUI or %ProgramData%\Sophos\Sophos Anti-Virus\Logs\. SAV.txt is the current log, the others are archived from the preceding months. I've never seen a case where the location in the log matched an exclusion (so for example you can exclude a virtual drive but will get a detection on the drive where the file actually resides). That's why I'm interested (but I'm not Sophos) in the logs and ideally the exclusions.

    Christian

  • Ok, I will look at sending in a sample. But I have a log that shows where it scanned a drive that is in the exclusion list. Sophos support has not been much help; since I opened a case with them a week ago I got assigned an engineer and that's all I have heard.

  • Hello JimmyLininger,

    can't and won't comment on Support.
    It's up to you to post logs and configuration data on a public forum. Without it I can only say that I've always seen that exclusions behave as they should - that is, no other setting overrides them. If an excluded file is unexpectedly scanned, then it's because an alternate path is (also) presented to the driver, but then the log shows the path used for scanning. Let's say you've somehow put eicar.com into C:\DoNotScan, then SUBST N: C:\DoNotScan, exclude the N: drive and access N:\eicar.com; you'll nevertheless get a detection, as the open is actually requested (and intercepted) on the C: path and this path is also shown in the log.
    On second thoughts - it might be that some newfangled part of HIPS/Live Protection makes its own decisions if it thinks it smells something fishy.

    Christian
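A small checker for the SUBST case Christian describes, added here as an example and not part of the thread or of any Sophos tool: it parses `subst` output (the sample table and detection paths below are constructed), rewrites an alias drive to the real path the driver would log, and reports whether a logged detection path is covered by an exclusion as written, only after resolving the alias, or not at all.

```python
import ntpath
import re

# Constructed sample in the format printed by the Windows `subst` command
# (one line per alias drive); N: is the aliased folder from Christian's example.
SUBST_OUTPUT = r"""
N:\: => C:\DoNotScan
P:\: => D:\Projects\Proprietary
"""

def parse_subst(text):
    """Map each alias drive ('N:') to the real directory behind it."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]):\\: => (.+?)\s*$", line)
        if m:
            table[m.group(1).upper() + ":"] = ntpath.normpath(m.group(2))
    return table

def canonical(path, subst):
    """Rewrite a path on an alias drive into the real path the filter driver
    intercepts and logs; paths on ordinary drives come back unchanged."""
    path = ntpath.normpath(path)
    drive, rest = ntpath.splitdrive(path)
    real = subst.get(drive.upper())
    return path if real is None else ntpath.join(real, rest.lstrip("\\"))

def covered(path, exclusions, subst=None):
    """True if `path` is on or under one of `exclusions` (drive letters or folders),
    case-insensitively; with a subst table both sides are canonicalised first."""
    subst = subst or {}
    target = canonical(path, subst).lower().rstrip("\\")
    for excl in exclusions:
        e = canonical(excl, subst).lower().rstrip("\\")
        if target == e or target.startswith(e + "\\"):
            return True
    return False

def classify(logged_path, exclusions, subst):
    """Explain a detection logged at `logged_path` against the exclusion list."""
    if covered(logged_path, exclusions):
        return "excluded"       # matched as written: look elsewhere for the cause
    if covered(logged_path, exclusions, subst):
        return "alias-only"     # list names the SUBST drive; exclude the real path too
    return "not-excluded"       # nothing in the list covers this location

if __name__ == "__main__":
    table = parse_subst(SUBST_OUTPUT)
    for p in (r"N:\eicar.com", r"C:\DoNotScan\eicar.com", r"E:\tools\run.bin"):
        print(p, "->", classify(p, ["N:"], table))
```

Feed it the real `subst` output and the paths from SAV.txt to see whether the "alias-only" case explains a detection on a supposedly excluded drive.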