Re-implementation of “Per process” exclusions for Anti-Virus scanning in Server 2012
Sophos Product Information
Sophos Product: Sophos Endpoint Protection (antivirus client)
Version in Production: 10.3
Feature Request Summary
Re-implementation of “Per process” exclusions for Anti-Virus scanning.
It appears that this hidden function of the endpoint client no longer operates in Windows 2012 (see the support case that gave rise to this request, #5147863).
It would in fact be useful to formalise and document the functionality, as well as provide easier access to it.
How will this new feature address your business requirements?
We would use this feature to avoid impact on backup speed where on-Read scanning is enabled on systems.
On-read AV scanning can impose a massive hit on backup operations (where all of the files on a system are read in short succession). I am seeing a 50% reduction in backup speed when on-access scanning is turned on. Manufacturer-recommended exclusions do not help, as they are designed to stop the backup product malfunctioning. As all files on the target system are being read, no reasonable exclusion could cover them, nor is it prudent to disable on-read scanning for the rest of the server activity whilst the backup operation is taking place.
Excluding activity from just the backup engine or agent (which only has interest in reading files to commit to media, not executing them) is not a significant risk, although, a malicious process running with the excluded process name would be a risk.
Not scanning data being committed for backup has a precedent, in that virtualised systems these days back up virtual servers as the virtual disk files, rather than scrutinising the content the disks contain. Unfortunately some HA configurations still require agent-based conventional backups of servers.
It is recognised (and agreed) that per-process exclusions should be used very sparingly, however in the scenario listed above, it is a perfectly targeted fix to the issue.
no SEC 5.5.1 until now
Info from Sophos Sales/Marketing Department:
5.5.1 will be available for download for all customers at the beginning of March. Processes can then be excluded via policy.
The date is expected to be 12 March.
Still waiting for SEC 5.5.1
Jeroen de Jongh - IMPROVES B.V. commented
Darren, are you able to confirm the release date?
When will it be released?
Jhon Yepank commented
Today is "later 2017" :D
Is it currently implemented?
Bob S commented
The latter being image path, not process name, I suppose.
Bob S commented
will the feature be re-mirrored into Enterprise console? (and when - target version)
Also, can it be a per-full-path exclusion, just to make it that slight bit safer?
e.g. c:\windows\notmalware.exe requires elevation to local admin.
whereas notmalware.exe can be who knows where.
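Bob S's point about full-path versus bare-name exclusions can be checked before an exclusion is created. The PowerShell below is an added example, not code from Sophos or from anyone in this thread. The path C:\Windows\notmalware.exe is Bob's illustrative one, and the list of "low-privilege" identities is an assumption to adapt to your own environment. It refuses a bare image name outright (it would match a process loaded from anywhere), and for a full path it reports any Allow ACE on the file or its parent directory that would let a non-administrator replace the binary.

```powershell
# Added example (not Sophos code): decide whether a candidate per-process AV
# exclusion is anchored to a full path that only administrators can replace.
# The low-privilege identity list below is an assumption; extend it locally.

function Test-ProcessExclusionPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $result = [pscustomobject]@{ Path = $Path; Safe = $false; Findings = @() }

    # A bare process name (notmalware.exe) matches that image name in any
    # directory, so there is nothing to verify: reject it.
    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        $result.Findings += 'Not a full path: any process with this image name, in any location, would be excluded.'
        return $result
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Findings += 'File does not exist: the exclusion would lie dormant until something is dropped at this path.'
        return $result
    }

    # Identities that any standard user or unprivileged service account holds.
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')

    # Rights that allow replacing the file directly, or swapping it via its directory.
    $risky = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    # Check the file itself and the directory that contains it.
    foreach ($target in @($Path, (Split-Path -LiteralPath $Path -Parent))) {
        $acl = Get-Acl -LiteralPath $target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$risky) -ne 0) {
                $result.Findings += "$($ace.IdentityReference) has $($ace.FileSystemRights) on $target"
            }
        }
    }

    $result.Safe = ($result.Findings.Count -eq 0)
    return $result
}

# Usage (paths are illustrative, as in Bob's comment):
Test-ProcessExclusionPath -Path 'C:\Windows\notmalware.exe' | Format-List
Test-ProcessExclusionPath -Path 'notmalware.exe' | Format-List
```

Two caveats when running this: an ACE that carries only generic rights (these show up as large numeric values rather than named flags on some inherited entries) is not decoded and so is not flagged, and a path under a directory that is itself writable by users (a per-user profile, C:\ProgramData subtrees with loose ACLs) will be reported as unsafe even if the file's own ACL looks tight, because the directory rights are what let an attacker swap the binary.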
I do fully agree with Al (backup speed) and want to add that in my opinion it is even a clear security risk that process exclusions cannot be managed centrally through the Enterprise Console. Because: clients will, or are even forced to by third parties, implement "shadow systems" to deploy process exclusions (via GPO, registry, etc.). Thus, changes and settings are outside of the Sophos auditing, reporting and roles scope, and one will have to allow non-Sophos products to make changes to Sophos (e.g. a software distribution system). This might be OK for small businesses, but not for bigger ones.
Neil Watkiss commented
This feature works nicely in Sophos Cloud Server Protection. The cloud server agent has a new exclusions engine, and supports process exclusions (and file/folder exclusions) from the Cloud console, rather than having to use the registry.