Re-implementation of “Per process” exclusions for Anti-Virus scanning in Server 2012
Sophos Product Information
Sophos Product: Sophos Endpoint Protection (antivirus client)
Version in Production: 10.3
Feature Request Summary
Re-implementation of “Per process” exclusions for Anti-Virus scanning.
It appears that this hidden function of the endpoint client no longer operates in Windows 2012 (see the support case that gave rise to this request #5147863).
It would in fact be useful to formalise and document the functionality, as well as provide easier access to it.
How will this new feature address your business requirements?:
We would use this feature to avoid impact on backup speed where on-Read scanning is enabled on systems.
On-read AV scanning can impose a massive hit on backup operations (where all of the files on a system files are read in short succession). I am seeing a 50% reduction in backup speed when on-access scanning is turned on. Manufacturer recommended exclusions do not help, as they are designed to stop the backup product malfunctioning. As al files on the target system are being read, no reasonable exclusion could cover them, nor is it prudent to disable on-read scanning for the rest of the server activity whilst the backup operation is taking place.
Excluding activity from just the backup engine or agent (which only has interest in reading files to commit to media, not executing them) is not a significant risk, although, a malicious process running with the excluded process name would be a risk.
Not scanning data being committed for backup has a precedent, in that virtualised systems, these days backup virtual servers as the virtual disk files, rather than scrutinising the content the disks contain. Unfortunately some HA configurations still require agent based conventional backups of servers.
It is recognised (and agreed) that per-process exclusions should be used very sparingly, however in the scenario listed above, it is a perfectly targeted fix to the issue.
targeting SEC 5.5.1 later in 2017
sophia helt commented
At that situation, instead of bewildering you need to collect your senses and get hold of Epson Support. By taking this optimum support, you will certainly be able to conquer printer offline error without difficulty. A number of issues may stumble upon when the firmware of an Epson printer is corrupted. You may witness the several offline error and other distinctive printer related issues.
Some easy troubleshooting steps can often solve the problem. A printer on a network can either be Ethernet (or Wi-Fi) connected, or it can be directly connected via USB to a computer on the network. ... Windows has an Add Printer Wizard accessible from the Devices and Printer repair near me in the Control Panel. https://www.epsonsupport247.com/epson-printer-repair-service/
<a href="https://intrepidsoftware.com/importance-of-superfetch-and-methods-to-enable-or-disable/">service host Superfetch</a>
service host Superfetch is a Windows service that is intended to make your applications launch faster and improve your system respond speed. It does so by pre-loading programs you frequently use into RAM so that they don't have to be called from the hard drive every time you run them.
no SEC 5.5.1 until now
Info from Sophos Sales/Marketing Department:
5.5.1 kommt Anfang März für alle Kunden zum Download. Die Prozesse können dann per Policy ausgenommen werden.
Termin ist vorrausichtlich am 12.03.
5.5.1 will be available for download in early March for all customers. The processes can then be exempted by policy.
Date is expected on 12.03.
Still waiting for SEC 5.5.1
Jeroen de Jongh - IMPROVES B.V. commented
Darren, are you able to confirm the release date?
When will it be released?
Jhon Yepank commented
Today is "later 2017" :D
is currently implemented?
Bob S commented
the latter being image path not process name I suppose
Bob S commented
will the feature be re-mirrored into Enterprise console? (and when - target version)
also, can it be a per full path exclusion just to make it that slight bit safer.
e.g. c:\windows\notmalware.exe requires elevation to local admin.
whereas notmalware.exe can be who knows where.
I do fully agree with Al (backup speed) and want to add that in my opinion it is even a clear security risk that process exclusions cannot be managed centrally through the enterprise console. Because: Clients will, respectively are even forced to by 3rd-party, to implement "shadow systems" to deploy process exclusions (via GPO, registry, etc.). Thus, changes and settings are outside of the Sophos auditing, reporting and roles scope and one will have to allow non-Sophos products to make changes to Sophos (e.g. a software distribution system). This might be ok for small businesses. But not for bigger ones.
Neil Watkiss commented
This feature works nicely in Sophos Cloud Server Protection. The cloud server agent has a new exclusions engine, and supports process exclusions (and file/folder exclusions) from the Cloud console, rather than having to use the registry.