
Global exclusion - file is deleted anyway

Hello everyone,

I have the following situation:

 - Sophos Central Endpoint with Intercept X is installed

 - Global exclusion for the directory "E:\SBH GmbH" - for both real-time and scheduled scans

 - In a subdirectory of it, a file regularly disappears (E:\SBH GmbH\factu32v6\DLL\SBH_MailExec.dll)

 - It is used by a program to send mails to customers

 - When this file has disappeared, the customer takes the file from his desktop (no exclusions are configured for this location) and copies it back to the required path

 - There are no entries in the Sophos clients or in the Central management console indicating that this file is being deleted

 - In the Windows event log I found an entry:

       File "E:\SBH GmbH\factu32v6\DLL\SBH_MailExec.dll" belongs to virus/spyware 'ML/PE-A'.

       Provider Sophos System Protection

Can anyone tell me how I can prevent the file from being deleted?

Thanks for your help.

Stefan



  • Hi

    Do you want to make sure that this file should not be scanned in on-access or scheduled?

    If that is the scenario, you can mention the file with the full path in the global exclusions which will make sure that this goes unscanned every time.

    Ideally, if a folder is excluded, its sub-folders should not be scanned, but there should be an E:\SBH GmbH\ path in the exclusions.

    I'd recommend you don't put the whole folder into the exclusions if your intention is to just protect the above-mentioned DLL file.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Hi Jasmin,

    The producer of the software wants this folder completely excluded.

    I guess this software is not coded at best practice.

    It is a kind of control software for a workman company.

    It would have several alerts for different files, and after any update they may change.

    There is no local admin onsite, so we have accepted this folder exclusion as a compromise.

    Also, it slows down significantly if the folder gets scanned.

    I additionally added both as you recommended:

    E:\SBH GmbH
    File or folder (Windows)
    Real-time and scheduled scans
    E:\SBH GmbH\
    File or folder (Windows)
    Real-time and scheduled scans
    E:\SBH GmbH\factu32v6\DLL\SBH_MailExec.dll
    File or folder (Windows)

    Let's see if that helps.

    But I still don't understand why the file does not get deleted from the desktop of the user.

  • Hi  

    Thank you for the following steps. I just want to confirm that you have mentioned on-access and scheduled scan for .dll file exclusion.

    For deletion of the file, the subfolders and file will be excluded if "\" is mentioned at the end of the exclusion path, else it will go and just exclude the files mentioned under that folder.

    Even after this, if the issue reoccurs, I'd suggest you open a case with Sophos and please PM me the case number, so I can keep an eye on the case.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Yep - both scans

    We tried several test mails from the software and the file stays - thanks for your help in understanding the expression better

  • Hi  

    Thank you for the confirmation. Please feel free to post your query on the community.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

