Real-Time Scan Exclusion Variable\WildCard Confirmation

Hi Yogi_Bear_79 ,

Thank you for reaching out to the Sophos Community Forum.

It might be best to use an EICAR test file to test if the exclusion is working correctly in this specific scenario. You'll find more information about this in the following article:

- Sophos Endpoint: Test the detection features

You can place the eicar file in the excluded directory and rename it based on the specified file name. Let us know how it goes. Thank you.

So I made a new text document, and renamed it according to my convention. Then i pasted the eicar string into it. The process allowed me to do so. I got no alerts on central.  I cannot open the file afterwards, says i have no access.   

I tried to download and rename the file from various browser all of which catch it and won't let it happen.

In short I don't know if this was a successful test of my patterns or not. 

Checking the %temp% variable, this will correspond to: C:\Users\*\AppData\Local\Temp

If the location you're trying to exclude is C:\Users\testuser\Temp\ this may not work. 

Could you try the following? 
- C:\Users\*\Temp\test*.tmp
- C:\Users\*\Temp\testtemp_*

Regarding files being detected when downloading from a web browser on a remote device, I suspect Web Control may be scanning and blocking the file. 

If you need to make the file accessible through a file share, an exclusion such as //<servername>/ may be needed. 
If the file needs to be accessible via web browser, an exclusion of the type "Website" for the site URL will be necessary.

Checking the %temp% variable, this will correspond to: C:\Users\*\AppData\Local\Temp

If the location you're trying to exclude is C:\Users\testuser\Temp\ this may not work. 

Could you try the following? 
- C:\Users\*\Temp\test*.tmp
- C:\Users\*\Temp\testtemp_*

Regarding files being detected when downloading from a web browser on a remote device, I suspect Web Control may be scanning and blocking the file. 

If you need to make the file accessible through a file share, an exclusion such as //<servername>/ may be needed. 
If the file needs to be accessible via web browser, an exclusion of the type "Website" for the site URL will be necessary.

You are correct. I mistyped my location in my original post. 

C:\Users\*\AppData\Local\Temp\<random directory>\test*.tmp

C:\Users\*\AppData\Local\Temp\<random directory>\testtemp*

These would be the correct path. The user name is random, the subdirectory in temp is random, and the files are either testtemp+random string, w/o a file extension. or test+random string with a .tmp file extension

%temp%\*\test*.tmp
%temp%\*\testtemp_*

I was able to test the exclusions on a VM and they do appear to be working as intended. I suggest checking the following registry key to verify that the exclusions have been applied to the local device. The exclusion will need to be entered as "Real-time and scheduled" 
- HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\PolicyConfiguration\
- OnDemandExcludedFilePaths

Let me know if you experience any issues. 

Thank for testing!

Ok, I checked the registry, and that leads to another question.  You said "The exclusion will need to be entered as "Real-time and scheduled" " Since these are volatile VDI machines that will work. I did only have them as real-time.  Which caused them to show in the ExcludedFilePaths, and not the OnDemandFilepaths. Seems backwards?

"OnDemand" refers to a manually triggered scan, or scheduled scan on an endpoint. 

If these are VDI devices, then a real-time scanning exclusion will work just fine as long as you have not configured any full system scans.