Sophos endpoint stopping multiple pdf creations

Hi,

We have recently installed endpoint on a site but we have a user who does payroll and Sophos is blocking when they export / create multiple PDFs in one go.

A couple work then it comes up with an error saying the process can't complete as the xxxx .pdf file is in use.

Turning off real time scanning allowed the process to complete fine but obviously we don't want to do that permanently.

We have tried exclusions on the process and on the folder but that hasn't helped.

This is for the essentials version of endpoint so there isn't an option to lock the exclusions down to just 1 user / device.



Added TAGs
[edited by: Qoosh at 11:31 PM (GMT -8) on 2 Dec 2021]
  • Is there nothing logged in Sophos Central for the device where they create the PDF? Looking on the client is a waste of time.

    Probably some exploit mitigation has stopped the process there - this would require an extra exception like this on the Policy for Threat Protection

  • @LHerzog, I wouldn't go directly to an exclusion like that. 

    First we need a bit more information on this PE they are using. 

    • Is this PE from Microsoft?
      • Such as Word or Excel?
    • If not, how is it generating the PDFs - are they new files or is it modifying existing files?
      • Another point, how is it using the File Handle when it calls the file?
        • If it is creating the file, dropping the handle, then opening the file for write actions - that could cause this sort of behaviour
      • How long is the timeout in the application for write calls? 
        • In other words, what buffer does it have before it gives up?

    There are more questions to narrow this down, but let's start with these

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
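The file-handle and timeout questions above, as an added Python example that is not part of the thread and is not the payroll vendor's or Sophos's code: a single-handle write next to the create, drop, reopen pattern with a bounded retry. The function names and the `BusyOpener` stand-in are hypothetical, and it assumes a "file in use" sharing violation surfaces as `PermissionError`, as it does in Python on Windows.

```python
import time


def open_with_retry(path, mode, timeout=5.0, delay=0.05, opener=open):
    """Open `path`, retrying while another process holds it.

    Returns (file_object, attempts); re-raises PermissionError once
    `timeout` seconds have passed (the "buffer before it gives up").
    """
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return opener(path, mode), attempts
        except PermissionError:
            if time.monotonic() >= deadline:
                raise
            time.sleep(delay)
            delay = min(delay * 2, 1.0)  # back off, capped at 1 s


def export_single_handle(path, data):
    """Create and write with ONE handle, so there is no second open to fail."""
    with open(path, "wb") as f:
        f.write(data)


def export_reopen(path, data, **retry):
    """Create, drop the handle, reopen for write: the pattern asked about."""
    open(path, "wb").close()  # handle dropped; a scanner may open the file here
    f, attempts = open_with_retry(path, "ab", **retry)
    with f:
        f.write(data)
    return attempts


class BusyOpener:
    """Constructed stand-in for a scanner: the first `busy` opens fail."""

    def __init__(self, busy):
        self.busy = busy

    def __call__(self, path, mode):
        if self.busy > 0:
            self.busy -= 1
            raise PermissionError("file in use (simulated)")
        return open(path, mode)
```
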

  • Hi,  

    It's a bespoke payroll software that's been created by a local company. It looks like it's creating new PDFs rather than modifying.

    We have asked the company that made the software are they aware of anything.  So I will pass on those other questions.

    Cheers