
SEC 5.5.0 Folder exclusions not pushed out to Servers

Hi all,

I have set up various anti-virus on demand scanning folder exclusions for a Server Group. When I check the various Servers none of the excluded folders show up as excluded on the individual Servers.

I double-checked this Server group to see which policy is applying to them and on that policy for "Anti-Virus and Hips" have selected to configure "On Access Scanning" and then selected the folder exclusions. None of these show up on the individual Servers.

Any ideas? I have watched the Sophos video www.youtube.com/watch how to exclude files and folders so I'm fairly sure I'm doing it correctly. I also rebooted the Servers in question but no joy as well as selecting "Comply with all group policies".

Thanks



This thread was automatically locked due to age.
  • Hello Brown-Bear,

    just to make sure, do the servers show Same as policy for Policy compliance?
    I'm a little bit confused, first you say setup various anti-virus on demand scanning folder exclusions and later selected to configure "On Access Scanning" (emphases mine) - so where/how do you check the various Servers? Guess exclusions won't reveal any secrets so could you provide a screenshot of the exclusions in the policy and another one of the check on one of the servers?

    Christian

  • Thanks Christian,

    Sorry let me clarify. Under "Anti-virus and Hips" I have created a Server group with a number of Servers in it. 

    When I view edit this policy and select configure beside on-access scanning ...in windows exclusions I have added in a number of folder exclusions and files that I don't want scanned.

    When I go to any of the Servers that the policy applies to they don't have the new exclusions I added even after a reboot. They show "Same as policy" with regard to compliance.

  • Hello Brown-Bear,

    for anti-virus and HIPS the policy settings should show in the local GUI (but not necessarily with the same layout). In particular exclusions look like in the policy.

    Christian

  • Update.....

    Ok thanks to Haridoss and Christian I have discovered in the .xml file at the following location C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml actually does list the folder exclusions I specified.

    What I can't understand is why they do not show in the local GUI as Christian mentions.

  • Hi  

    As the exception is listed in the .xml file, it should be reflected in the local UI. Hence please check if you have the latest version of UI (what is the current version?). If the program is up to date and you still have the issue, please open a support ticket through web form or Sophserv.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

  • Hello Haridoss and Brown-Bear,

    I beg to differ, the local GUI does show the policy exclusions - don't think what I see are echoes from previous versions. Wouldn't make much sense otherwise, furthermore - TP aside - you wouldn't be able to locally remove an exclusion.

    Christian

  • Hello Brown-Bear,

    on second thoughts let's not forget the basic troubleshooting steps:

    • endpoints actually communicating? (check Last message time)
    • servers in the correct group? (likely)
    • desired policy applied to group? (please check, if in doubt edit and save the policy - if the compliance status doesn't change to Awaiting policy transfer ... it isn't)

    Christian
    P.S.: Once this issue is resolved we should perhaps discuss the plethora of exclusions ... and whether some actually achieve the intended result

  • Hi Christian

    Yes the endpoints are communicating and the last message time is 02:42 am this morning.

    Definitely the Servers are in the right group and when I do anything with the policy it does change to Awaiting policy transfer and then shows same as policy a few seconds later.

    I have checked all my servers and they all have the exclusions listed in the .xml file but not in the local Gui.

    Thanks

  • Hello Brown-Bear,

    this is strange. Checked on a Win7 Ent SP1 and a Server 2008 R2, SAV 10.7.2.49 (most SAV components same level) - you make changes in the policy, endpoint complies, you see them in the GUI. You remove one locally (or make some other change), apply, and hey presto, endpoint status in SEC changes to Differs from policy.
    Please make some local change, when SEC reports Differs force Comply with - does the local change disappear (could you perhaps post a screenshot from one of the endpoints)?

    Christian

  • Yes Christian here's what happened.

    I made a local change on the Server by removing one of the two items listed for exclusion and watched the SEC console to change to Differs from policy after about 30 seconds. Then I right clicked in the SEC console and selected to "Comply with all group policies". After a few seconds it changed to "Same as policy".

    However once it was forced to comply with policy both the local entries were there even though I had removed one a minute earlier.

  • My point being the 2 exceptions that are displayed locally (the rest of the exceptions are shown in the .xml file but not shown locally).

    So I edited the list from the SEC console and removed one of the exceptions that lists locally (*.pst) ... then the server changed to awaiting policy transfer and then same as policy ... however the *.pst exception still is listed locally on the server in the GUI but is missing from the main part of the xml file where it was prior to the change (with another 20 items listed for exception) but is still listed a little further down in the .xml file with the other locally visible exception *.ost at C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml

     

     

  • Hello Brown-Bear,

    to make sure I'm understanding correctly: Two exclusions in one of the server's local GUI (who put them there?), SEC shows Same as policy? You remove one, SEC shows Differs? After Comply with ... server's local GUI again shows two exclusions?

    Christian

  • That's exactly what's happening Christian.

    The 2 exclusions that show up locally I pushed out originally *.pst and *.ost. They got them from the group that the Servers were in but I have moved them out of that group about 6 months ago and it seems they are still inheriting them ... anyway in the SEC console the exclusions for these Servers includes these 2 exceptions that show up locally so strange.

    I'm thinking maybe this is to do with a migration I did a year ago from a Win 2003 32 bit Server to a Win 2012 64 bit and I had a lot of issues going to version 5.2.2 - I can't remember what version I had originally but did follow the upgrade document and had to log a few tickets with Support.

    Thanks Christian

     

  • Hello Brown-Bear,

    SEC is (deliberately) quite simple and there shouldn't be any inconsistencies between visual group-membership, policy assigned to group, policy contents, and what's actually sent to the endpoints. I also don't see why parts of certain settings normally exposed to the GUI should be hidden. Please note that once created each group has its own policy assignment, there is no policy inheritance afterwards. If you change a parent's policy assignment the children are unaffected. Policy assignments stick even if you move a sub-group to a different parent. Thus to check the assigned policy for an endpoint you have to do it on the very group the endpoint is in - not one of the upper groups.
    If you duplicate/copy a policy it becomes an entity of its own, you can't reference a set of exclusions from different policies. Hmm ...

    Christian