
Delete the file from Volume shadow copy detected by Sophos

I came across one scenario where I downloaded a phishing email as a .msg file, but Sophos did not allow it to download completely, which is very good. So I stopped the Sophos service and downloaded the .msg file for investigation, to find out whether it was a spam or phishing email. The analysis was done, and the doc contained in the email was bad/a virus. After that I deleted the file from my machine, and the very next day the same file started being detected in the volume shadow copy under "Temporary Internet Files".

I worked with Sophos support and tried many times to delete it completely by purging the volume shadow copies, but to no avail. Later on I disabled "System Protection", which is used to create the shadow copies, but it was still being detected under the same path. Sophos suggested reaching out to Microsoft, at which point I decided to do some testing myself.

As it was still being detected after turning off Volume Shadow Copy, I understood that the backup tool used in our organization was synchronizing the file and triggering the detections in Sophos. That means a copy of the file was backed up when I downloaded it. I then checked the backup logs and could see the entry after the Sophos services were stopped and a backup was performed, but no event from Sophos since it was stopped. The log also says that it cannot access the file to back it up.

I understood that the file no longer exists but was backed up when downloaded. It started syncing every time a backup occurred, and Sophos caught that file and triggered an event.

Finally, I uninstalled and re-installed the backup tool to get rid of the issue. I know many of us would have seen this behaviour, and I thought this would be helpful to stop the detections by Sophos.