SEC 5.5.0 Folder exclusions not pushed out to Servers

Hi all,

I have set up various anti-virus on demand scanning folder exclusions for a Server Group. When I check the various Servers none of the excluded folders show up as excluded on the individual Servers.

I double-checked this Server group to see which policy is applying to them and on that policy for "Anti-Virus and Hips" I have selected to configure "On Access Scanning" and then selected the folder exclusions. None of these show up on the individual Servers.

Any ideas? I have watched the Sophos video www.youtube.com/watch how to exclude files and folders so I'm fairly sure I'm doing it correctly. I also rebooted the Servers in question but no joy, as well as selecting "Comply with all group policies".

Thanks

  • Hello Brown-Bear,

    just to make sure, do the servers show Same as policy for Policy compliance?
    I'm a little bit confused, first you say setup various anti-virus on demand scanning folder exclusions and later selected to configure "On Access Scanning" (emphases mine) - so where/how do you check the various Servers? Guess exclusions won't reveal any secrets so could you provide a screenshot of the exclusions in the policy and another one of the check on one of the servers?

    Christian

  • Thanks Christian,

    Sorry let me clarify. Under "Anti-virus and Hips" I have created a Server group with a number of Servers in it. 

    When I view/edit this policy and select configure beside on-access scanning ... in windows exclusions I have added in a number of folder exclusions and files that I don't want scanned.

    When I go to any of the Servers that the policy applies to they don't have the new exclusions I added even after a reboot. They show "Same as policy" with regard to compliance.

  • Hello Brown-Bear,

    policies are applied as soon as they are received, no reboot required. "they don't have the new exclusions" - you open the local GUI, Configure anti-virus and HIPS → On-access scanning → tab Exclusions?

    Christian

  • Thanks Christian, yes that's the way I am checking individual servers

  • That's assuming it should show in the local GUI of a Server?

  • Hello Brown-Bear,

    for anti-virus and HIPS the policy settings should show in the local GUI (but not necessarily with the same layout). In particular exclusions look like in the policy.

    Christian

  • Update.....

    Ok, thanks to Haridoss and Christian I have discovered that the .xml file at the following location C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml actually does list the folder exclusions I specified.

    What I can't understand is why they do not show in the local GUI as Christian mentions.
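
Added example, not part of the thread and not Sophos code: one way to read the exclusion entries straight out of machine.xml and diff them against the list set in the policy, which is the comparison made by eye in the post above. The machine.xml schema is not shown in the thread, so the element names in the sample, the sample paths and the function names are assumptions; the lookup is schema-agnostic and collects text found under any element whose name contains "exclu".

```powershell
# Added example. Function names and the sample XML are constructed for illustration;
# the real machine.xml layout is not shown in the thread.

function Get-ConfigExclusion {
    param([Parameter(Mandatory)][xml]$Config)
    # Lower-case the element name inside XPath 1.0, then match "exclu" anywhere in it
    $lower = "translate(local-name(),'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')"
    $xpath = "//*[contains($lower,'exclu')]//text()[normalize-space()]"
    # Every non-empty text node below a matching element is treated as one exclusion entry
    $Config.SelectNodes($xpath) | ForEach-Object { $_.Value.Trim() } | Sort-Object -Unique
}

function Compare-ExclusionToPolicy {
    param([string[]]$Policy, [string[]]$Endpoint)
    # -notcontains is case-insensitive, which matches Windows path semantics
    foreach ($p in $Policy) {
        if ($Endpoint -notcontains $p) { [pscustomobject]@{ Path = $p; Status = 'MissingOnEndpoint' } }
    }
    foreach ($e in $Endpoint) {
        if ($Policy -notcontains $e) { [pscustomobject]@{ Path = $e; Status = 'NotInPolicy' } }
    }
}

# Constructed sample standing in for machine.xml (hypothetical element names).
$sample = [xml]@'
<config>
  <onAccessScan>
    <exclusions>
      <filePath>D:\SQLData\</filePath>
      <filePath>E:\Backups\nightly.bak</filePath>
    </exclusions>
  </onAccessScan>
</config>
'@

# On a real server, load the file named in the thread instead:
# $sample = [xml](Get-Content -Raw 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml')

# Constructed policy list: what was entered in the console for this group.
$policy = @('D:\SQLData\', 'E:\Backups\nightly.bak', 'F:\Exchange\Logs\')

$onDisk = Get-ConfigExclusion -Config $sample
Compare-ExclusionToPolicy -Policy $policy -Endpoint $onDisk | Format-Table -AutoSize
```

With the constructed data, the only row reported is `F:\Exchange\Logs\` as `MissingOnEndpoint`; an empty result means the file on disk and the policy list agree, and any `NotInPolicy` row is an exclusion worth questioning.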

  • Hi  

    As the exception is listed in the .xml file, it should be reflected in the local UI. Hence please check if you have the latest version of UI (what is the current version?). If the program is up to date and you still have the issue, please open a support ticket through web form or Sophserv.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

  • Hello Haridoss and Brown-Bear,

    I beg to differ, the local GUI does show the policy exclusions - don't think what I see are echoes from previous versions. Wouldn't make much sense otherwise, furthermore - TP aside - you wouldn't be able to locally remove an exclusion.

    Christian

  • Hello Brown-Bear,

    on second thoughts let's not forget the basic troubleshooting steps:

    • endpoints actually communicating? (check Last message time)
    • servers in the correct group? (likely)
    • desired policy applied to group? (please check, if in doubt edit and save the policy - if the compliance status doesn't change to Awaiting policy transfer ... it isn't)

    Christian
    P.S.: Once this issue is resolved we should perhaps discuss the plethora of exclusions ... and whether some actually achieve the intended result

  • Hi Christian

    Yes the endpoints are communicating and the last message time is 02:42 am this morning.

    Definitely the Servers are in the right group and when I do anything with the policy it does change to Awaiting policy transfer and then shows same as policy a few seconds later.

    I have checked all my servers and they all have the exclusions listed in the .xml file but not in the local GUI.

    Thanks

  • Hello Brown-Bear,

    this is strange. Checked on a Win7 Ent SP1 and a Server 2008 R2, SAV 10.7.2.49 (most SAV components same level) - you make changes in the policy, endpoint complies, you see them in the GUI. You remove one locally (or make some other change), apply, and hey presto, endpoint status in SEC changes to Differs from policy.
    Please make some local change, when SEC reports Differs force Comply with - does the local change disappear (could you perhaps post a screenshot from one of the endpoints)?

    Christian

  • Yes Christian here's what happened.

    I made a local change on the Server by removing one of the two items listed for exclusion and watched the SEC console to change to Differs from policy after about 30 seconds. Then I right clicked in the SEC console and selected to "Comply with all group policies". After a few seconds it changed to "Same as policy".

    However once it was forced to comply with policy both the local entries were there even though I had removed one a minute earlier.