
How to prevent SophosHome from blocking USB Drives or alternatively stop service to allow safe eject?

App: Sophos Home Free

OS: Windows 7

The subject says it all... I realize many apps and especially A/Vs block disks (meaning they cannot be safely ejected). Most A/Vs however have a suspend action that allows you to quickly do operations that are otherwise prevented by A/V protection. Frankly I am taken aback by the very simple UI. It would be nice to look at settings, suspend, etc. from the desktop (as opposed to the web app).

I see there are many services, is that the best way to stop SH? Which one specifically?

Feature request: right click from sys tray > Suspend for 10 minutes

Thank you,

Simon



This thread was automatically locked due to age.
  • Hello Simon,

    there have been a few reports about Sophos allegedly blocking Eject, IIRC none of them with a closing report. To my knowledge Sophos doesn't block USB disks (and why should it?), at least some posts suggest that this happens when some additional removable device management software is involved. I'm working with all kinds of USB-connected devices (up to multi-volume HDDs) and I've never encountered this issue.
    Can't say why the handle that SAVService holds isn't released but it's definitely not there to prevent Eject.

    Sophos Home is deliberately designed to inhibit "manipulations" by a local admin.

    Christian   

  • OK, so it's not supposed to happen. But since it does happen, what is the recommended way to suspend SH?

    Thank you,

    Simon

  • Hello Simon,

    it does happen apparently, can't say what's the cause though. We've been using Sophos for years on several thousand endpoints and I've never heard about this issue.

    Stopping the service releases the handle - the handle is necessary so that the service can receive DBT_DEVICEQUERYREMOVE messages. As I can't reproduce the problem it's not clear whether it returns BROADCAST_QUERY_DENY, fails to release the handle, or doesn't even get the message. As said, there are some reports but AFAIK only from users of the free version (note that it is in this respect identical to the licensed ones) and in most cases in conjunction with some software for safe removal. It doesn't seem to be a recognized problem.

    Suspending AV or even stopping a service has other consequences and is not necessary - the device can simply be unplugged (unless some other application is mentioned to block removal). 

    Christian

  • It's Sep 2020 and the issue still seems to be happening. Was wondering if anybody found a resolution for this? From event viewer, it clearly shows that Sophos is blocking safe removal of the USB drive. Event viewer message "The application \Device\HarddiskVolume4\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe with process id 3532 stopped the removal or ejection for the device USB\VID_1F75&PID_0621\20180507."

  • Hello Sophos User3153,

    as said, I suspect some other software to be involved (this is just an example but note the remarks under Besides).

    Christian

  • Hi Christian,

    thanks for your quick reply. Yes, there is one more entry showing in the event viewer as "The application System with process id 4 stopped the removal or ejection for the device USB\VID_1F75&PID_0621\20180507". This I believe is a common event when any third party app (in this case Sophos) is holding on to the external drive and prevents eject. So surely the culprit here should be Sophos.

    Thanks & Regards

    Arfath

  • Hello Arfath,

    System with process id 4 stopped the removal [...] is normally not a common event when any third party app returns BROADCAST_QUERY_DENY. If an application can't release a drive you get just one event naming this application.

    Normally Sophos is not holding on to the external drive. If it'd do this even only every 100th time I'd have heard - fifteen years, several thousand endpoints. I'm pretty sure it doesn't happen without a participating second (or fourth) party that's not a regular application but one that does some permissible low-level twiddling. Mind you, there's presumably not really a culprit. Fact is, two components simply don't go together.

    Christian

  • Thank you. Well noted.
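
An added example, not written by any poster in this thread and not Sophos code: a small parser for the Event Viewer messages quoted above that groups removal vetoes per device, so you can see whether a single application or several components denied the eject. The function names and classification labels are assumptions for illustration; the two sample messages are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Message wording as quoted in the thread's Event Viewer excerpts.
VETO_RE = re.compile(
    r"The application (?P<app>.+?) with process id (?P<pid>\d+) "
    r"stopped the removal or ejection for the device (?P<device>\S+?)\.?$"
)

# The two messages quoted in the thread (same device, two vetoers).
SAMPLE_MESSAGES = [
    r"The application \Device\HarddiskVolume4\Program Files (x86)\Sophos"
    r"\Sophos Anti-Virus\SavService.exe with process id 3532 stopped the "
    r"removal or ejection for the device USB\VID_1F75&PID_0621\20180507.",
    r"The application System with process id 4 stopped the removal or "
    r"ejection for the device USB\VID_1F75&PID_0621\20180507",
]

def parse_veto(message):
    """Return (app, pid, device) for a removal-veto message, else None."""
    m = VETO_RE.search(message.strip().strip('"'))
    if not m:
        return None
    return m["app"], int(m["pid"]), m["device"]

def vetoes_by_device(messages):
    """Map device instance ID -> ordered, de-duplicated list of (app, pid)."""
    grouped = defaultdict(list)
    for msg in messages:
        parsed = parse_veto(msg)
        if parsed and parsed[:2] not in grouped[parsed[2]]:
            grouped[parsed[2]].append(parsed[:2])
    return dict(grouped)

def classify(vetoers):
    """Hypothetical triage labels based on the distinction drawn in the thread:
    one named application vs. an additional veto from System (PID 4)."""
    if len(vetoers) == 1:
        return "single application veto"
    if any(app == "System" and pid == 4 for app, pid in vetoers):
        return "multiple vetoers including System"
    return "multiple application vetoes"

if __name__ == "__main__":
    for device, vetoers in vetoes_by_device(SAMPLE_MESSAGES).items():
        print(device, "->", classify(vetoers))
        for app, pid in vetoers:
            print(f"  pid {pid}: {app}")
```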