Last update: 2022-04-26

# Virtual server scanning exclusions

Virtual Server exclusions let you exclude items from scanning on Windows guest VMs that are protected by a Sophos security VM.

## Using scanning exclusions safely

Warning

Think carefully before you add scanning exclusions because doing so may reduce your protection.

You can exclude a drive, folder or file by full path, just as you can for other Windows computers.

However, there are restrictions on specifying items without a full path and also on the use of wildcards. See the details below and the examples.

For help on using exclusions see Using exclusions safely.

## Items without a full path

You can specify a file without a full path, for example file.com. You must include the extension. The security VM will exclude any file with this name.

You cannot specify folders without a full path.

## Wildcards

You can use wildcards when you set up scanning exclusions. Make your wildcards as specific as possible. It's risky to generalize the exclusion to cover more files and folders that you need to.

You can use the wildcards shown in this table.

### Example wildcards

Token Matches
* (Star) Zero or more of any character except \\ or /
** (Star Star) Zero or more characters including \\ and /, when bracketed by \\ or / characters or used at the start or end of an exclusion.

Any other use of a ** is treated as a single * and matches zero or more characters excluding \\ and /.

For example:

c:\foo\**\bar matches: c:\foo\bar, c:\foo\more\bar, c:\foo\even\more\bar

**\bar matches c:\foo\bar

c:\foo\** matches c:\foo\more\bar

\ (Backslash) Either \\ or /

Be careful if you use this wildcard to set up exclusions as it reduces your protection.

For example, if you set up an exclusion using just this wildcard it excludes everything in every folder from the root of the drive down.

We recommend that you don't use this wildcard by itself.

/ (Forward slash) Either / or \\

Be careful if you use this wildcard to set up exclusions as it reduces your protection.

For example, if you set up an exclusion using just this wildcard it excludes everything in every folder from the root of the drive down.

We recommend that you don't use this wildcard by itself.

? (Question mark) One single character. If it is at the end of a string it can match zero characters.
. (Period) A period OR the empty string at the end of a filename, if the pattern ends in a period and the filename does not have an extension.

Note that:

*. matches all files without an extension.

"foo." matches "foo" and "foo."

## Exclusions that work

The expressions shown in this table are valid for Virtual Server exclusions.

Exclusion Notes
D: Excludes the entire drive.

We recommend that you don't set up an exclusion for a whole drive. Exclude specific files or folders instead.

C:\programdata\adobe\photoshop\ Excludes the folder (you must include the final slash).
C:\program files\program\*.com Excludes files with a .com extension in the specified folder.
file.com Excludes files with this name in any location (full path not needed).
file.* Excludes all files called "file", with any extension, in all locations.
*.com Excludes all files with a .com extension in all locations.
*.* Excludes all files in all locations. We recommend that you don't use this exclusion. Exclude specific files or folders instead.
C:\file??.docx Excludes C:\file12.exe (but not C:\file123.exe).
Back to top