
How to exclude a process?

Does anyone know how to exclude a process and all files it touches from real-time scan?

We want to improve the speed of backups and would like to exclude Backup Exec processes and the files they read from being scanned by Sophos real-time scan.

Having used other products such as Trend and KAV, both have support for this however we are unable to find a similar feature in Sophos.

Cheers,

Max



  • Hi,

    It is possible but worth being sure that you need it as it relies on just a string match (including case) on the process name so use it with care.

    To do so it requires registry key(s) to be created and the machine to be rebooted.  Under "driver" key:

    Win2K/XP:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl
     

    Vista/Win7:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess

    Create a string value called:
    ExcludedProcess0  

    The value can then be for example: "notepad.exe" to exclude the notepad.exe process.

    If you need to exclude multiple processes you would need to create additional string keys, i.e. 

    ExcludedProcess1

    ExcludedProcess2

    with no gaps in the numbering, etc..

    Hope this helps but be careful :)

    Regards,

    Jak

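The procedure Jak describes above (contiguous ExcludedProcessN string values under the on-access driver key, bare image names only, reboot afterwards), as an added PowerShell example that is not code from the thread or from Sophos. It assumes the key names quoted in the thread (SAVOnAccessControl on Win2K/XP, SAVOnAccess on Vista/Win7) are honoured by the installed version; the validation of the value, the OS-version switch and the read-back check are my additions. Run it elevated and try it with -WhatIf first.

```powershell
# Added example, not code from the thread or from Sophos. Writes the
# ExcludedProcessN string values described by Jak, after sanity checks.
# Assumption: the driver key names quoted in the thread still apply to the
# installed version. A reboot is needed before the driver reads the list.

function Get-SavOnAccessKey {
    # Vista/Win7 (NT 6.x) use SAVOnAccess; Win2K/XP use SAVOnAccessControl,
    # per the thread. Fail loudly if neither is present (see the 10.3 question).
    $service = if ([Environment]::OSVersion.Version.Major -ge 6) { 'SAVOnAccess' } else { 'SAVOnAccessControl' }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
    if (-not (Test-Path -Path $key)) {
        throw "Driver key $key not found; this mechanism may not apply to the installed version."
    }
    return $key
}

function Set-SavProcessExclusion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ProcessName
    )
    $key = Get-SavOnAccessKey

    # The driver does a plain, case-sensitive string compare on the image name,
    # so only accept a bare image name: no path, no wildcard, no 'java.exe *32'.
    foreach ($name in $ProcessName) {
        if ($name -match '[\\/:\s*?]' -or $name -notmatch '\.exe$') {
            throw "'$name' is not a bare process image name such as notepad.exe"
        }
    }

    # Remove existing ExcludedProcessN values first so the numbering stays gap-free.
    $existing = (Get-Item -Path $key).GetValueNames() | Where-Object { $_ -match '^ExcludedProcess\d+$' }
    foreach ($old in $existing) {
        if ($PSCmdlet.ShouldProcess("$key\$old", 'Remove existing exclusion value')) {
            Remove-ItemProperty -Path $key -Name $old
        }
    }

    # Write ExcludedProcess0, ExcludedProcess1, ... with no gaps.
    $i = 0
    foreach ($name in ($ProcessName | Select-Object -Unique)) {
        $valueName = "ExcludedProcess$i"
        if ($PSCmdlet.ShouldProcess("$key\$valueName", "Set to '$name'")) {
            New-ItemProperty -Path $key -Name $valueName -Value $name -PropertyType String -Force | Out-Null
        }
        $i++
    }
    Write-Warning 'Reboot required before the driver reads the new exclusion list.'
}

function Get-SavProcessExclusion {
    # Read the current list back and warn about a gap in the numbering, since
    # the thread says the values must be contiguous.
    $key  = Get-SavOnAccessKey
    $item = Get-Item -Path $key
    $names = $item.GetValueNames() |
        Where-Object { $_ -match '^ExcludedProcess\d+$' } |
        Sort-Object -Property { [int]($_ -replace '^ExcludedProcess', '') }
    $expected = 0
    foreach ($n in $names) {
        $idx = [int]($n -replace '^ExcludedProcess', '')
        if ($idx -ne $expected) {
            Write-Warning "Gap at ExcludedProcess$expected; entries from $n onward may not be read."
        }
        $expected = $idx + 1
        [pscustomobject]@{ Name = $n; Process = $item.GetValue($n) }
    }
}

# Usage (notepad.exe is the example name used in the thread):
Set-SavProcessExclusion -ProcessName 'notepad.exe' -WhatIf
Get-SavProcessExclusion
```

The validation deliberately rejects anything that is not a bare image name, because the match is a literal string compare: a path, a wildcard or the "*32" suffix Task Manager shows would never match and the exclusion would silently do nothing.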
  • Hi,

    Can we use Java.exe *32 as the value?

    A lot of processes that we want to exclude are *32

    Regards,

    Behzad

  • Hello Behzad,

    excuse me if I sound snotty. "Can we use Java.exe *32 as the value?" - that's one of the reasons there is no interface for excluding processes (and that it's not in the knowledgebase). The *32 is just how taskmgr.exe tells you it's a 32-bit process; the name is just java.exe (as e.g. Process Explorer will tell you). Furthermore, a process should only be excluded when absolutely necessary and with careful consideration. By no means should you exclude a lot of processes!

    More than one threat uses Java .class files - excluding files accessed by java.exe from being scanned is quite dangerous.

    What issues do you want to resolve by this? There are likely other - less risky - ways to overcome them. 

    Christian

  • Hi Christian,

    Thank you for your reply. I understood that. We found that Sophos is constantly maxing out the CPU resources on one of our application servers, and the vendor suggested excluding some of the processes the application uses, including SQL, from AV. Java is not a big deal; we can leave that out of the exclusion. But the other processes used by the application are our concern.

    Regards,

    Behzad

  • Hi,

    Have you tried running something like Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to look at the file I/O? This might hint at why/what SAV is doing, and might help you understand which path/file exclusions would be worthwhile, provided they were safe to add.

    You can turn on the driver logging to see what that is filtering.  I attempted to automate this here:

    /search?q= 25731

    To be honest Process Monitor will give you a quick insight.

    Regards,

    Jak

  • Hello Behzad,

    sorry for the rant - here's another one (hidden so you don't have to read it ;))

    I'm always astonished and surprised when vendors - who should at least have some idea what their application is doing - appear to be clue- and helpless when it comes to issues in conjunction with AV-scanners (not only Sophos). As if running AV was something that couldn't be anticipated, a nice-to-have add-on rarely used. AV vendors are of course trying to make their product as light-weight and non-intrusive as sensible but there's a minimum overhead which can't be avoided. Frequent opens of many small files - not very efficient but inexpensive with today's OSs - will incur quite an overhead when scanning is active (even if a file is not rescanned its "fingerprint" has to be verified). Often the application's architecture and/or processing is somewhat convoluted (did I hear Exchange? - at least Microsoft concedes this and provides an interface for scanners). In addition it's often not possible for the same reasons to run an "AV-unaware" application on a hardened server (so you could feel at ease with setting scanning aside).

    Not surprisingly in this context the offered solution is making concessions - excluding processes (not only their own but "foreign" as well - e.g. databases and webservers), application folders, extensions - once had a vendor who used .py as extension (these were not Python scripts), scattered the files all over the place (they weren't only static but created during execution) and suggested we exclude *.py from scanning - and whatever. Of course they claim that this won't introduce an additional risk (ok, I misjudged them - they are experts in AV :P) or that at least the performance gain outweighs any risk by far. Great! Excluding a process means that code it loads is exempted from scanning ...

    Admittedly not even Microsoft can give you clear instructions. Just read "How to choose antivirus software to run on computers that are running SQL Server" - read it carefully. Your server doesn't meet the criteria for a high-risk server? Fine. "Servers that do not meet the criteria for a high-risk server are generally at a lower risk, although not always." Hm? Do you notice that on-access scanning isn't under the "Virus tool types", or did I miss it (and I'm not sure how vulnerability scanning fits in here)? I especially like the "Virus sweep software" paragraph: "It scans existing files" (meaning it does not scan the majority of files: the non-existing ones :P) "[...] detects files after they are infected ..." - nice description. And "This kind of scanning may cause [...] SQL Server database recovery [...] issues." So - maybe this is about on-access, but is DB recovery normal operation? "exclude [directories and extensions] from virus scanning [...] however, if these files become infected, your antivirus software cannot detect the infection." Wouldn't have known this without them telling me - so it's up to me to assess the actual risk? "Processes to exclude from virus scanning" - guess this is deliberately vague and unclear (especially in conjunction with the file exclusions).

    Enough. Sorry. Have to do this from time to time ...

    I don't think (but won't rule it out completely) that it's scanning of the application and its parts which causes the CPU consumption. Likely you can't play that much with different scanning settings, flushing the cache of already scanned files and so on. Thus I can only go along with Jak's suggestion - start with Process Monitor (perhaps also use Process Explorer to identify the processes with high delta I/O). You can save a captured period and analyze it on a different machine.

    Christian

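Both Jak's and Christian's advice above comes down to "capture with Process Monitor, then find which processes and directories generate the file I/O". The following is an added PowerShell example, not from the thread, that summarises a Procmon CSV export into the process/directory pairs with the most file operations, so a path exclusion (safer than a process exclusion) can be judged on evidence. It assumes Procmon's default CSV columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample rows are constructed for the demonstration, not a real capture.

```powershell
# Added example, not from the thread. Summarises a Process Monitor CSV export
# (File > Save as CSV) by process and directory so the heaviest file I/O
# sources stand out. Assumption: Procmon's default column names, listed above.

function Get-ProcmonIoHotspots {
    param(
        [Parameter(Mandatory = $true)] [string]$CsvPath,
        [int]$Top = 10
    )
    # File operations the on-access scanner has to look at; registry, network
    # and process events in the capture are ignored.
    $fileOps = @('CreateFile', 'ReadFile', 'WriteFile', 'CloseFile')

    Import-Csv -Path $CsvPath |
        Where-Object { $fileOps -contains $_.Operation -and $_.Path -match '^[A-Za-z]:\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Process   = $_.'Process Name'          # bare image name, as the driver sees it
                Directory = Split-Path -Path $_.Path -Parent
            }
        } |
        Group-Object -Property Process, Directory |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property @{ n = 'Process';   e = { $_.Group[0].Process } },
                                            @{ n = 'Directory'; e = { $_.Group[0].Directory } },
                                            Count
}

# Constructed sample rows in Procmon's CSV layout (process names are the ones
# mentioned in the thread; paths and PIDs are made up).
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","java.exe","2204","CreateFile","C:\App\cache\a.class","SUCCESS","Desired Access: Generic Read"
"10:00:01.0000002","java.exe","2204","ReadFile","C:\App\cache\a.class","SUCCESS","Offset: 0, Length: 4,096"
"10:00:01.0000003","java.exe","2204","CloseFile","C:\App\cache\a.class","SUCCESS",""
"10:00:01.0000004","java.exe","2204","CreateFile","C:\App\cache\b.class","SUCCESS","Desired Access: Generic Read"
"10:00:01.0000005","java.exe","2204","RegQueryValue","HKLM\SOFTWARE\Example","SUCCESS",""
"10:00:01.0000006","notepad.exe","3100","CreateFile","C:\Temp\notes.txt","SUCCESS","Desired Access: Generic Write"
'@
$tmp = Join-Path -Path $env:TEMP -ChildPath 'procmon-sample.csv'
Set-Content -Path $tmp -Value $sample

# The java.exe / C:\App\cache pair tops the list; the registry row is dropped.
Get-ProcmonIoHotspots -CsvPath $tmp | Format-Table -AutoSize
```

Run it against a real export taken while the CPU is pegged. A single directory that dominates the counts is a candidate for a path exclusion, which keeps scanning for everything else that process touches; a process whose I/O is spread across the whole filesystem is the case the thread warns about, and excluding it wholesale exempts every file (and every DLL) it loads.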
  • I know this is an older post.

    But so I am clear the full path would be

    hklm\system\CurrentControlSet\Services\SavOnAccessControl\Driver

    then your string entries from there?

    Thanks in advance...

  • Hello bericksonghs,

    HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl\ or ...\SAVOnAccess is already the driver key; there's no subkey named Driver.

    Again the warning - process exclusions should be used with caution and only when absolutely necessary. May I ask which process(es) you intend to exclude?

    Christian

  • I am excluding some print workflow processes from the PlanetPress software suite by Objectif Lune.

    I've already excluded the .pdf and .ps file types, but want to be sure this process is not interrupted, due to its time sensitivity and the speed needed.

    This system is pretty isolated anyhow.

    Thanks for the verification. :)

  • I don't see a driver key.

    Does this still apply for 10.3?
