
WebAdmin bad behavior when configuring Endpoint Protection Antivirus File/Folders Exceptions

Greetings, I'm having problems when trying to configure the UTM Endpoint Protection Antivirus Exceptions to protect an Exchange 2013 server.

Exchange requires a sizable list of exclusions.

When I try to enter the file/folder exceptions, the UTM UI comes back with unexpected results.

Why is it doing this?

This is UTM 9.407-3, with the home license.

Here's a screencap of a newly-entered file/path exclusion:


And here's how that exclusion appears after clicking Save. Note the path!


And then if I click edit ...



  • Hi,

    I will take a guess that your delimiters are seen as control or similar characters and maybe need to be enclosed in quotes or similar.

    I don't see any way of the UTM configuration identifying your E folder as being part of your exchange server?

    Please check the UTM knowledgebase for detailed instructions.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello TimothyTrace,

    I'm not a UTM guy; 'twas just Exclusion ... bugs? which caught my attention.
    As said, I'm not familiar with the UTM UI (but at least with AV exclusions). Wonder if it's the \0 combination, as the backslash should generally work. So just to test, please try a path with characters other than 0 after the backslash (I know, this is not what you need, but ...). Maybe just the \0 gets eaten, maybe others as well. I'd also check what's in the computer's AV settings - whether it's the slashless path or not.
    Unlikely, but I've seen similar bugs: it could be that the \0 is misinterpreted when it's read back for display in the GUI but correct in the policy.

    Christian

    P.S. and BTW: Even though the KB article says they are a must, the exclusions are not necessarily necessary (forgive the bad pun). We have none of them in place for our Exchange servers, without problems.

  • Thanks!

    The online documentation says this: File/folders: If selected, you can exclude a file, a folder, or a network drive from antivirus scanning. Enter the file, folder, or network drive in the File/Path field, e.g., C:\Documents\ or \\Server\Users\Documents\CV.doc.  I tried that and ended up with the results shown in the OP.

    There doesn't seem to be anything in the Knowledge Base which covers this situation. I scanned through several dozen articles and read the titles of more than a hundred.

    Going with your suggestion, I took the path of "E:\01a-DB\01a-DB\01a-DB", shortened it to "\01a-DB\01a-DB\01a-DB" and saved the exception. Same results.

    I wonder if anyone from Sophos will join the discussion .... ?


  • Hi, can confirm that you don't need exclusions for running Exchange smoothly with UTM endpoint protection.

    seems to be a quoting bug... maybe need to set it in "path" or something like \/ or /\ to get it not interpreted...


    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Hi,

    Normally Sophos staff don't join the discussions, more than likely a more knowledgeable forum member will add their expertise.

    I can't see how the UTM can exclude a drive on a server from anti-virus scanning; the UTM scans the packets as they pass through the UTM, not the destination.

    If you are configuring endpoint management on the UTM that is a different story, but you haven't specified that in your thread description.

    I would recommend you change your thread title so that it reflects the issue and ask for assistance in configuring the endpoint exclusions for a mail server.


  • zaphod said:
    Hi, can confirm that you don't need exclusions for running Exchange smoothly with UTM endpoint protection.

    I've got real-world experience in recovering Exchange databases from damage caused by AV file-system real-time scanners. Not doing *that* again.

    Anyone who doesn't pay attention to Microsoft's recommendations for AV exclusions with Exchange (linked in the OP) is asking for trouble.


    zaphod said:
    seems to be a quoting bug... maybe need to set it in "path" or something like \/ or /\ to get it not interpreted...

    Good idea, thank you.

    Wrapping it in quotes doesn't help.

    Tried escaping the backslash ... no luck.

    • E:\/1a-DB\/1a-DB\/1a-DB brings back E:\/1a-DB\/1a-DB\/1a-DB
    • E:/\1a-DB/\1a-DB/\1a-DB brings back E:/\1a-DB/\1a-DB/\1a-DB
    • E:\\1a-DB\\1a-DB\\1a-DB brings back E:\\1a-DB\\1a-DB\\1a-DB

    Tried e:\01a-db\01a-db\01a-db, and it came back e:1a-db1a-db1a-db .

    Humorously, c:\temp comes back as .... yup .... c:\temp .

    What's going on here?


  • Hello TimothyTrace,

    don't think it's the drive letter. Here are strings I'd try (just for narrowing down): E:\0a\1b\2c\3d\4e\5f\6g\7h\8i\9j\ZZ\ and E:\01\0f\0g\01g

    Christian

  • rfcat_vk said:
    If you are configuring endpoint management on the UTM that is a different story, but you haven't specified that in your thread description.

    Thanks. This topic is in the Endpoint Protection forum.

  • Nice. It seems that \0(anything) causes WebAdmin to drop the backslash and the zero.

    Looks like I'll have to change my database paths and filenames to avoid this bug.

    Question: If Sophos employees don't monitor this forum, what's the correct way for me to advise them of this problem? After all, I'm using a complimentary license. I wouldn't blame them for being unresponsive to my concerns.

    If they were listening, I'd feature-request bulk imports of exceptions to handle these types of situations, or good documentation on how to script it through the CLI.

    Thanks to everyone for the help.
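The thread's conclusion is that a backslash immediately followed by a zero is dropped by WebAdmin while every other backslash survives, and the practical risk is that an exclusion silently turns into a path that matches nothing, leaving the Exchange database files scanned. The script below is an added example, not code from the thread or from Sophos: it models the observed behaviour (fitted only to the results the posters listed; the real cause inside WebAdmin is not known from the thread) and uses it as a round-trip check over a constructed exclusion list, so an admin can see which entries would come back altered before relying on them.

```python
import re

# Added example, not code from the thread or from Sophos. It models the
# behaviour the posters observed in WebAdmin (a backslash followed by "0"
# disappears, every other backslash survives) so an admin can check an
# exclusion list before trusting it. The model is fitted to the posted
# results only; the real cause inside WebAdmin is not known from the thread.

# Matches a literal backslash immediately followed by the digit zero.
_BACKSLASH_ZERO = re.compile(r"\\0")


def mangle_like_webadmin(path: str) -> str:
    """Return the path as the thread reports WebAdmin storing it.

    Every backslash-zero pair is dropped; nothing else is touched. This
    reproduces e:\\01a-db -> e:1a-db and leaves c:\\temp and E:\\\\1a-DB
    unchanged, matching the results posted in the thread.
    """
    return _BACKSLASH_ZERO.sub("", path)


def is_at_risk(path: str) -> bool:
    """True if the path contains the backslash-zero sequence that gets eaten."""
    return _BACKSLASH_ZERO.search(path) is not None


def affected_exclusions(paths):
    """Round-trip check: return (entered, stored) pairs for every exclusion
    whose stored form would differ from what was typed. A non-empty result
    means some paths would still be scanned despite appearing in the list."""
    affected = []
    for entered in paths:
        stored = mangle_like_webadmin(entered)
        if stored != entered:
            affected.append((entered, stored))
    return affected


# Constructed sample exclusion list in the style of the thread (not the
# poster's real configuration): one database path with the "\0" pattern,
# one without, and one that avoids the pattern by renaming the folder.
SAMPLE_EXCLUSIONS = [
    r"E:\01a-DB\01a-DB\01a-DB",
    r"C:\temp",
    r"E:\DB01a\DB01a\DB01a",
]

if __name__ == "__main__":
    for entered, stored in affected_exclusions(SAMPLE_EXCLUSIONS):
        print(f"WARNING: entered {entered!r} but would be stored as {stored!r}")
```

Running it on the sample list flags only the first path; renaming the folder so that no "0" directly follows a backslash (the workaround the last post settles on) makes the entry round-trip cleanly. The same check applies to any exclusion list an admin is about to paste into the UI: compare what you typed with what the UI shows after Save, entry by entry, rather than assuming the list was accepted as written.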