
Linux scanning exclusions

You can add scanning exclusions for Linux servers.

When you set up global scanning exclusions, we exclude these files and folders from scanning for all your users and their devices.

If you want to exclude files or folders only on some servers, you can do this using a Server Threat Protection policy. See Server Threat Protection Policy.

Adding exclusions reduces your protection, so we recommend that you use policies to target users and devices where the exclusion is necessary, rather than using this global option.

Using scanning exclusions safely

Warning

Think carefully before you add scanning exclusions because doing so may reduce your protection.

Be careful when you set up scanning exclusions as you can increase the risk to your systems and reduce your protection.

Make your scanning exclusions as specific as possible. It's risky to generalize the exclusion to cover more files and directories than you need to.

You can exclude a specific directory or file by its full path. To exclude a directory and all the directories and files below it, add a trailing slash. For example:

  • /mnt/hgfs/excluded excludes the file named excluded.
  • /mnt/hgfs/excluded/ excludes the directory named excluded and all directories and files below it in the filesystem.

    We recommend that you use this exclusion type as specifically as possible.

You can exclude a directory or file in any location. For example:

  • */excluded excludes the file named excluded in any location.
  • */excluded/* excludes the directory named excluded in any location and all directories and files below it in the filesystem.

    We recommend that you use this exclusion type as specifically as possible.

Server Protection for Linux

Warning

Server Protection for Linux can misinterpret some exclusions if you don't include the necessary wildcards at the start or end of the excluded path. This can lead to you excluding more or less than you intended.

You must specify exclusions carefully and be as specific as possible.

We've given specific examples for Server Protection for Linux (SPL), where appropriate. Follow these examples to define your exclusions so that SPL interprets them correctly.

Scanning exclusions

You can use the exclusions in this table for scanning exclusions and allowed applications.

If you want to use wildcards in your path, see the path and directory examples in this table.

Type Exclusion
Absolute path to file

/foo/bar/file.name

Excludes the named file.

Example: /foo/bar/eicar.com.

Absolute path to directory

/foo/bar/

Excludes everything in the named directory and below.

Be careful using this exclusion type, as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. Don't use it to exclude high-level directories.

File name

file.name

Excludes files with this name in any directory. This matches anywhere on the filesystem and isn't specific to a location.

Example: eicar.com

Excludes /foo/eicar.com, /foo/bar/eicar.com, and /baz/eicar.com.

Relative path to a file

bar/file.name

SPL: */bar/file.name

Excludes any path ending with the named directory and file. This matches anywhere on the filesystem and isn't specific to a location.

Example: bar/eicar.com

Excludes /bar/eicar.com and /foo/bar/eicar.com but not /foo/eicar.com.

Directory name

bar/

SPL: */bar/*

Excludes everything below any directory with this name. This matches anywhere on the filesystem and isn't specific to a location.

Excludes /foo/bar/, /bar/, and /baz/foo/bar/.

Be careful using this exclusion type, as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. Don't use it to exclude high-level directories.

Relative path to a directory

foo/bar/

SPL: */foo/bar/*

Excludes any path containing the named directory. This matches anywhere on the filesystem and isn't specific to a location.

Excludes /foo/bar/ and /baz/foo/bar/.

Be careful using this exclusion type, as it reduces your protection. We recommend that you use this exclusion type as specifically as possible. Don't use it to exclude high-level directories.

File extension

*.fileextension

Excludes any file with this extension, in any directory.

Example: *.com

Excludes eicar.com and eicar.tmp.com, but not eicar.co or eicar.com.tmp.

Be careful using this exclusion type, as it reduces your protection. We recommend that you use this exclusion type as specifically as possible.

File name prefix

filenameprefix.*

Example: eicar.*

Excludes any file with this file name prefix, in any directory.

Excludes eicar.foo but not eicar. Also excludes /foo/eicar.fileextension/bar.

Absolute path with file name extension

/directory/*.filenameextension

Excludes any file with the named extension under the named directory.

Example: /lib/*.so

Excludes /lib/bar.so and /lib/foo/bar.so.

Absolute path with file name prefix

/directory/filenameprefix.*

Excludes any file with the named prefix under the named directory.

Example: /lib/libz.*

Excludes /lib/libz.so and /lib/libz.so.1. Also excludes /tmp/libz.foo/bar.so.

Absolute path with directory name suffix

/directory/*.directorynamesuffix/

SPL: /directory/*.directorynamesuffix/*

Excludes any directory with the named suffix under the named path.

Example: /lib/*.so/

SPL example: /lib/*.so/*

Excludes /lib/foo.so/bar and /lib/foo/bar.so/baz.

Absolute path with directory name prefix

/directory/directorynameprefix.*/

SPL: /directory/directorynameprefix.*/*

Excludes any directory with the named prefix under the named path.

Example: /lib/libz.*/

SPL example: /lib/libz.*/*

Excludes /lib/libz.so/foo and /lib/libz.so.1/bar.

Absolute path with character suffix

/directory/file.?

Excludes any file with the named file name and the named character suffix under the named directory.

Example: /var/log/syslog.?

Excludes /var/log/syslog.0 and /var/log/syslog.1. Doesn't exclude /var/log/syslog.10.

Wildcard path

/directory/*/file.name

Excludes any file with the named file name that matches the named directory and wildcard pattern.

Example: /home/*/eicar.com

Examples

Here are some examples of exclusion expressions.

Expression: Items that are excluded

  • */data/report: A file named report in a directory named data in any location.
  • *.txt: Any file whose name ends in .txt in any location.
  • /mnt/hgfs/data/*.txt: Any file whose name ends in .txt in the directory named /mnt/hgfs/data/.
  • */report??2020: Any file whose name begins with report followed by two characters and ends with 2020 in any location.
  • */report20??/*: Any directory in any location whose name begins with report20 and ends with two characters, and all directories and files below it in the filesystem.
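The following is an added example, not part of the product or its documentation: a small linter that rewrites a policy exclusion into the SPL form shown in the scanning exclusions table and flags the broad pattern types the page warns about. It does not reproduce the product's matching engine; the function names and the HIGH_LEVEL_DEPTH threshold are assumptions made for this sketch.

```python
# Added example: lint exclusion patterns against the guidance on this page.
# It does not reproduce the product's matching engine.

HIGH_LEVEL_DEPTH = 1  # assumption: "/" and top-level dirs like "/var/" are high-level


def spl_form(pattern: str) -> str:
    """Rewrite a policy exclusion into the SPL form shown in the table."""
    if "/" not in pattern:               # file name, *.ext, prefix.*: unchanged
        return pattern
    if not pattern.startswith(("/", "*")):
        pattern = "*/" + pattern         # relative path: bar/x -> */bar/x
    if pattern.endswith("/") and any(c in pattern for c in "*?"):
        pattern += "*"                   # wildcard directory: .../ -> .../*
    return pattern


def review(pattern: str) -> list[str]:
    """Return findings for one exclusion; an empty list means none raised."""
    findings = []
    fixed = spl_form(pattern)
    if fixed != pattern:
        findings.append(f"SPL form is {fixed}")
    if not fixed.startswith("/"):
        findings.append("matches in any location")
    if fixed.endswith(("/", "/*")):
        findings.append("excludes a whole directory tree")
        # Count named path components, ignoring empty parts and a bare "*".
        depth = len([part for part in fixed.split("/") if part not in ("", "*")])
        if fixed.startswith("/") and depth <= HIGH_LEVEL_DEPTH:
            findings.append("high-level directory")
    return findings


if __name__ == "__main__":
    # Constructed sample policy, using patterns from the table above.
    for p in ["/foo/bar/eicar.com", "bar/", "/lib/*.so/", "/var/", "*.com"]:
        print(f"{p:22} {'; '.join(review(p)) or 'no findings'}")
```

Patterns beginning with ./ or ../ belong to the command line form described in the next section and are outside what this sketch handles.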

Command line exclusions

You can use the exclusions shown in this table on the command line.

These exclusions are all relative to the current working directory.

Type Exclusion

File in current directory

./file.name

Excludes the named file in the current directory.

./eicar.com

$PWD/eicar.com

For example, this maps to /home/pair/eicar.com.

Sub-directory of the current working directory

./directory

Excludes the named sub-directory.

./foo/

$PWD/foo/

Path to file from the current working directory

./directory/file.name

Excludes the named file on the named path only.

./foo/eicar.com

$PWD/foo/eicar.com

Relative path from current working directory

../directory/

Excludes the named directory.

../foo/

$PWD/../foo

For example, this maps to /home/pair/../foo.