Best Practices for Windows Server Protection / Dry run for fileserver cluster protection

Hello,

we are migrating from F-Secure to Sophos Windows server protection.

Are there any best practices regarding 

- Exchange

- SQL Server

- Windows Fileserver Cluster

in respect to policy configuration and exceptions?

What setting do I need to prevent a false-positive classification from leading to data loss or problems with the software? This question aims particularly at the file server, where we saw this happening in the past (with F-Secure): some files (produced by our software department) got deleted although they had no malware inside. So what I am looking for is some kind of dry run of a scheduled full-drive scan (approx. 6 TB) that shows me the files that might have issues.

Best regards,
Bernd

  • I suppose before protecting it, you could copy the Sophos Anti-Virus directory (\Program Files (x86)\Sophos\Sophos Anti-Virus\) off any other computer and save it as, for example,

    C:\Sophos Anti-Virus\

    This will get you a working command-line scanner. You can then, from an admin command prompt in that directory, run:

    sav32cli.exe -dn -ns -mrlog -pua -controlled -suspicious -p=%temp%\savlog.txt

    Note: I've added the controlled switch which will highlight the files which would be classified as applications by the application control feature.  You could drop that if needed but it might be interesting.  You could take a look at the help of sav32cli for more switches. 

    Beyond that, you could deploy to the server with drive/folder exclusions in place in advance for the main data areas, i.e. just leave the OS files "included". Then remove one exclusion at a time? You could get a scheduled scan in before enabling it as well. Much of what Sophos will detect will go into SafeStore and not be removed, so you can restore the files after having authorised them.

    Good to be cautious.

    Jak
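The dry run Jak describes, scripted end to end as an added example (this is not code from the original post or from Sophos): stage the copied scanner directory, prove on an EICAR test file that the run only reports and does not touch files, then scan the data volume(s) with the switches from the reply and turn the hit lines in the log into a CSV the software department can review. Assumptions not in the original: the directory paths, that sav32cli.exe accepts the paths to scan as trailing arguments, and the regex for the log's detection lines; check `sav32cli.exe -h` before relying on either.

```powershell
<#
  Added example, not from the original post or from Sophos.
  Assumptions: scanner paths, trailing scan-path arguments, log line format.
#>
param(
    [string]$SourceDir   = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus',
    [string]$ScannerDir  = 'C:\Sophos Anti-Virus',
    [string[]]$ScanPaths = @('D:\'),                          # data volume(s) to dry-run (assumption)
    [string]$LogFile     = (Join-Path $env:TEMP 'savlog.txt'),
    [string]$ReportCsv   = (Join-Path $env:TEMP 'sav-dryrun-report.csv')
)
$ErrorActionPreference = 'Stop'

# 1. Stage the scanner directory copied off another protected machine.
if (-not (Test-Path (Join-Path $ScannerDir 'sav32cli.exe'))) {
    Copy-Item -Path $SourceDir -Destination $ScannerDir -Recurse
}
$Scanner = Join-Path $ScannerDir 'sav32cli.exe'

# Report-only run with the switches from the reply (no disinfect/remove action
# is given). $Paths is passed as trailing arguments (assumption). Returns the
# exit code; sav32cli also signals detections through it, so non-zero is not
# automatically a failure.
function Invoke-SavDryRun {
    param([string[]]$Paths, [string]$Log)
    if (Test-Path $Log) { Remove-Item $Log }
    $switches = '-dn', '-ns', '-mrlog', '-pua', '-controlled', '-suspicious', "-p=$Log"
    & $Scanner @switches @Paths
    return $LASTEXITCODE
}

# Pull the ">>> <kind> '<name>' found in file <path>" hit lines out of the log
# (format is an assumption). -dn lists every scanned file, so on 6 TB the log
# is far too long to read by eye; anything starting with ">>>" that does not
# match the pattern is kept raw so nothing is lost.
function Get-SavHits {
    param([string]$Log)
    $pattern = '^>>>\s+(?<kind>.+?)\s+''(?<name>[^'']+)''\s+found in file\s+(?<path>.+?)\s*$'
    foreach ($line in Get-Content -Path $Log) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Kind = $Matches.kind; Name = $Matches.name; Path = $Matches.path }
        } elseif ($line -like '>>>*') {
            [pscustomobject]@{ Kind = 'unparsed'; Name = ''; Path = $line }
        }
    }
}

# 2. Self-check before the big run: plant the EICAR test string (assembled from
#    two halves so this script file is not itself caught by an on-access scanner)
#    and confirm the scanner reports it but leaves the file on disk.
$TestDir  = Join-Path $env:TEMP 'sav-dryrun-check'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$TestFile = Join-Path $TestDir 'eicar.com'
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
[System.IO.File]::WriteAllText($TestFile, $eicar)
$checkLog = Join-Path $TestDir 'check.log'
$null = Invoke-SavDryRun -Paths @($TestDir) -Log $checkLog
$hits = @(Get-SavHits -Log $checkLog)
if ($hits.Count -eq 0)          { throw 'Scanner did not report the EICAR file; check switches and IDE files.' }
if (-not (Test-Path $TestFile)) { throw 'Scanner removed the test file: this is not a report-only run. Stop here.' }
Write-Host 'Self-check OK: EICAR reported and left in place.'

# 3. The real dry run over the data volume(s), then a CSV for the software team
#    to confirm which flagged files are their own build output.
$exit   = Invoke-SavDryRun -Paths $ScanPaths -Log $LogFile
$report = @(Get-SavHits -Log $LogFile)
$report | Export-Csv -Path $ReportCsv -NoTypeInformation
Write-Host ("sav32cli exit code {0}; {1} item(s) flagged; report: {2}" -f $exit, $report.Count, $ReportCsv)
```

The self-check is the part worth keeping even if you run the scan by hand: it fails loudly if the copied scanner is not reporting at all (stale or missing IDE files) or if it is doing more than reporting, which is exactly the failure Bernd saw with the previous product. Run it from an elevated prompt on the file server before the server has any on-access protection, so the only thing acting on the volume is the one command you chose.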