Sophos Central Client - Extensions List

I have been installing Sophos Endpoint Security and control for years and noted that the listing on "Vulnerable and Executable" file types (Extensions) was visible in the client when you have local admin rights. This file extension list was contained in the config.xml of the client and was useful in suggesting exclusions that are needed i.e. no need to exclude .log, .mdb, .ldf etc.

I can't see a similar listing in the Sophos Cloud Endpoint. Would it be worth detailing how the scanning process has changed from On-Prem to Central?

  • Hello StephenHiggins,

    as you're familiar with the on-premise SESC (and I'm not familiar with Central): AFAIK SAV proper and the scanning engine isn't really different in Central. I'm not aware that this list is in some config, at least the ones in %ProgramData% don't refer to default extensions (don't have a Windows machine at hand right now). The GUI provides a list with the On-Demand Extensions and Exclusions and sav32cli.exe also spits out this information if you ask nicely.
    Not sure if there's a config.xml (even in SESC) that contains this information but sav32cli.exe -vv -? should tell.

    Christian

  • In reply to QC:

    You mention that the GUI provides a list with the On-Demand Extensions and Exclusions - where is that? Also, running SAV32CLI on a machine, even with the -help option, closes as soon as the sav32cli has run. Do you know a way of keeping the information on the screen? "|more" is not working, nor is "-page".

  • In reply to StephenHiggins:

    Hello StephenHiggins,

    the GUI
    in Central is likely different from the one for SESC. In SESC it's Configure → Anti-Virus → On-Demand extensions and exclusions.

    sav32cli.exe's manifest requests highestAvailable as execution level, thus when you run it from a non-elevated cmd window you get the UAC prompt and a new window opens (and closes after sav32cli completes). If you run it from an administrative prompt no new window is created. Use sav32cli.exe -vv|more, the extensions are shown after the list of IDEs.

    Christian

  • In reply to QC:

    Thanks for the SAV32CLI information Christian.

    With SESC the extensions could be seen in the endpoint in the c:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml but this has changed in Sophos Central and the list is not there. My worry is that the extensions list on a client (not a server) would include files that normally would not be scanned with SESC.

  • In reply to StephenHiggins:

    Hello Stephen,

    extension list in machine.xml
    might have been there once, or perhaps only those added/excluded with the policy, isn't there. And BTW, SESC's GUI lists the extensions also for Configure → On-access-scanning → tab Extensions (dunno why I have overlooked it as it's so obvious).

    my worry
    do you have any particular extensions in mind, what harm would be done anyway?
    There's no reason that the scanner should behave differently.

    Christian