Hello,
In SEP SBE (.cloud deployment), it is currently possible for client users to create anti-virus exclusions on a file-by-file basis. This is a good thing (for example, in our case the clients are very heterogeneous and the potential false positives are not known in advance).
However, it is not currently possible to manage the exclusions at all.
Expected features include (in no particular order):
1. The user who created the exclusion should be able to see that it exists. It means:
a. Listing existing exclusions (maybe similar to how Quarantine files are listed)
b. Seeing a line in Scan Result dialogs and reports for counting "Files that pass because of an exclusion" (better description needed). This should also be included in scans started remotely.
c. Having a way to inspect which exclusion caused a certain file to be ignored (because it seems to me that user-created exclusions are not based on file name/path, but rather on threat?): "Why this file was ignored"
2. The user who created the exclusion should be able to remove it. It means:
a. Being able to find the exclusion by filtering the above-mentioned list
b. Being able to select an exclusion from anywhere it is mentioned (the list, the "Why this file was ignored" dialog, ...), maybe using a hyperlink like for other functionalities in the client
c. Removing the exclusion: "Include file in future scans" == "Remove exclusion"
d. Removing all exclusions at once
3. Maybe the administrator should be able to list a client's exclusions from the .cloud management console.
Two simple examples of why some of these features are needed:
- Example 1:
A user wants to download a file, but it gets quarantined. She thinks it is a false positive and so excludes it and downloads it again. Later, she learns that it was in fact a legitimate threat, but she will not be protected against it because it is now trusted forever.
- Example 2:
A user created a text file with the known EICAR "virus", for the purpose of testing the anti-virus' behaviour. The file got correctly detected as malicious and subsequently blocked. Now the user wants to test other aspects of the anti-virus' features, but it's now impossible because the threat is forever ignored (even if a different file name/path is used).
Thank you for your time,
Paul