I have the following situation:
- Sophos Central Endpoint with Intercept X is installed
- Global exclusion for the directory "E:\SBH GmbH" - for both real-time and scheduled scans
- In a subdirectory of it, a file regularly disappears (E:\SBH GmbH\factu32v6\DLL\SBH_MailExec.dll)
- It is used by a program to send emails to customers
- When this file has disappeared, the customer takes the file from his desktop (no exclusions are configured for that location) and copies it back into the required path
- There are no entries in the Sophos clients or in Central management showing that this file is being deleted
- I found an entry in the Windows event log:
File "E:\SBH GmbH\factu32v6\DLL\SBH_MailExec.dll" belongs to virus/spyware 'ML/PE-A'.
Provider Sophos System Protection
Can anyone tell me how I can prevent the file from being deleted?
Thanks for your help.
Hi Stefan Prokopf
Do you want to make sure that this file is not scanned by on-access or scheduled scans?
If that is the scenario, you can mention the file with the full path in the global exclusions which will make sure that this goes unscanned every time.
Ideally, if a folder is excluded, its sub-folders should not be scanned, but there should be the E:\SBH GmbH\ path in the exclusions.
I'd recommend you don't put the whole folder into the exclusions if your intention is to just protect the above-mentioned DLL file.
In reply to Jasmin:
I got this situation:
- installed Sophos Central Endpoint with Intercept X
- global exclusion is set for directory "E:\SBH GmbH" - for both realtime and on demand scan
- there is a subdirectory where a file gets deleted regularly (E:\SBH GmbH\factu32v6\DLL\SBH_MailExec.dll)
- this file is used to send emails to their customers
- after this file was deleted, they copy this DLL from their desktop again back to the path they need - there is no exception for their desktop, file stays at the desktop
- there are no entries in the log of the Sophos clients or in Central that the file gets deleted
- I found this entry in the Windows log
Why does this file get deleted by Sophos? Why is there no entry in the logs?
In reply to Stefan Prokopf:
Hi Stefan Prokopf
Why does this file get deleted by Sophos? - We can't point a finger with certainty, but I'd like to know the timestamp of the event in the event logs, and whether it is near the last time the file disappeared.
Why is there no entry in the logs? - Well, this should be done if Sophos has removed the file, but I can't say exactly why it happened without detailed troubleshooting.
Please follow the steps I mentioned in my previous reply and check whether the file gets deleted or stays in the path.
The producer of the software wants this folder completely excluded.
I guess this software is not coded to best practice.
It is a kind of control software for a workman company.
It would have several alerts for different files, and after any update they may change.
There is no local admin onsite - so we have accepted this folder exclusion as a compromise.
Also, it slows down significantly if the folder gets scanned.
I additionally added both, as you recommended:
Let's see if that helps.
But I still don't understand why the file does not get deleted from the desktop of the user.
Hi Stefan Prokopf
Thank you for following the steps. I just want to confirm that you have selected on-access and scheduled scan for the .dll file exclusion.
Regarding deletion of the file: the subfolders and files will be excluded if "\" is given at the end of the exclusion path; otherwise it will just exclude the files mentioned under that folder.
Even after this, if the issue reoccurs, I'd suggest you open a case with Sophos and please PM me the case number, so I can keep an eye on the case.
yep - both scans
We tried several test mails from the software and the file stays - thanks for your help in understanding the expression better
Thank you for the confirmation. Please feel free to post your query on the community.
Well, I thought this forum is the community - what else can I do?
Yes, it is a community. I meant if you have any further issues, please feel free to post on the community. :-)