Sophos Intercept X - OnDemand Scanner Jumps to different Drive

Hello there again, 

I've just noticed a really strange behaviour while using the OnDemand Scanner (right-click -> Scan with Sophos).
I wanted to scan a mounted image which was taken as a backup from a different client. 
When I try to scan the whole mounted volume (e.g. F:, which was C: on the original client) the scanner very quickly jumps back to the C: volume.

Is this some kind of hidden feature?
Or does the Intercept X client follow any symlink-ish files or so?

I've boiled it down and noticed this only happens when I'm scanning the F:\Users directory. 
Any other directory that I scan on that volume seems to work. 

Greetings 
Lukas 

  • Hi Lukas,

    Thanks for reaching out to us. 

    I recommend opening a support case with our team so we can look into this issue further. As an initial step please gather a ProcessMonitor log while replicating this issue, followed by an SDU log.

    I have reached out to you via PM to help progress the investigation. 

    Kushal Lakhan
    Global Community Support Engineer
  • It might be worth checking if there is anything that conflicts in the reg value OnDemandExcludeFilePaths under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\PolicyConfiguration

    Maybe try copying the values out, clearing the reg key and retrying the scan as a test.

    Tamper will need to be disabled of course.

  • Hey, 

    I have just tested this; unfortunately it still does not work.

  • What about setting the DWORD reg value "LogLevel" under "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\LocalConfiguration" to 0?

    Then right-click scan:

    The log file:

    C:\ProgramData\Sophos\Sophos UI\Logs\SophosScanCoordinator.log

    will then have debug logging. Can you share the file?

    I would remove the LogLevel DWORD or rename it. If you leave it there and the SSP service restarts, that will enable debug logging on it, which will slow the computer down.

    Thanks.

  • Hey, 

    Thanks for the tip!
    Now it won't even start the scan...
    Here is the log.

    2022-05-09T08:29:08.040Z [ 3084:17500] D Received: {"type":7,"message":{"version":1,"paths":["E:\\"]},"version":1}
    2022-05-09T08:29:08.040Z [ 3084:17500] D + ScanCoordinator::MessageHandler::Handle()
    2022-05-09T08:29:08.040Z [ 3084:17500] D Handle 'StartScan'
    2022-05-09T08:29:08.040Z [ 3084:17500] D Setting 'receivedStart_' to true
    2022-05-09T08:29:08.040Z [ 3084:17500] D + EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
    2022-05-09T08:29:08.040Z [ 3084:17500] D Posting message: {"message":{"instance_id":3084,"version":1},"type":10,"version":1}
    2022-05-09T08:29:08.040Z [ 3084:17500] D - EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
    2022-05-09T08:29:08.040Z [ 3084:17500] D - ScanCoordinator::MessageHandler::Handle()
    2022-05-09T08:29:08.040Z [ 3084:17500] D - ScanCoordinator::BinaryRequestHandler::Handle()
    2022-05-09T08:29:08.040Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartCountingFiles()
    2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartCountingFiles()
    2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartMemoryScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartMemoryScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartMBRScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartMBRScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartRootKitScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartRootKitScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::DoFileSystemScan()
    2022-05-09T08:29:08.041Z [ 3084:14496] I Starting file scan.
    2022-05-09T08:29:08.042Z [ 3084:15656] D + ScanCoordinator::FileCounter::WorkerFunction()
    2022-05-09T08:29:08.042Z [ 3084:15088] D Next path E:\
    2022-05-09T08:29:08.043Z [ 3084:15656] D Error counting path: E:\(GetFinalPathNameByHandle failed: error 50)
    2022-05-09T08:29:08.043Z [ 3084:15656] I Finished counting files. Total files counted: 0
    2022-05-09T08:29:08.043Z [ 3084:15656] D - ScanCoordinator::FileCounter::WorkerFunction()
    2022-05-09T08:29:08.043Z [ 3084:15088] E Error walking path: E:\(GetFinalPathNameByHandle failed: error 50)
    2022-05-09T08:29:08.043Z [ 3084:15088] I File scan work item has ended.
    2022-05-09T08:29:08.043Z [ 3084:14496] I Finished File scan in 0 seconds
    2022-05-09T08:29:08.043Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::DoFileSystemScan()
    2022-05-09T08:29:09.051Z [ 3084:17500] D + ScanCoordinator::BinaryRequestHandler::Handle()
    2022-05-09T08:29:09.051Z [ 3084:17500] D Received: {"type":8,"message":{"version":1,"verbose":false},"version":1}
    2022-05-09T08:29:09.051Z [ 3084:17500] D + ScanCoordinator::MessageHandler::Handle()
    2022-05-09T08:29:09.051Z [ 3084:17500] D Handle 'Progress'
    2022-05-09T08:29:09.051Z [ 3084:17500] D + ScanCoordinator::MessageHandlerBase::SendResponseMessage()
    2022-05-09T08:29:09.052Z [ 3084:17500] D Replying with message: {"message":{"detection_count":0,"inaccessible_count":0,"no_detection_count":0,"not_scanned":[{"location":"E:\\","reason":"GetFinalPathNameByHandle failed: error 50"}],"not_scanned_count":1,"version":1},"type":11,"version":1}
    2022-05-09T08:29:09.052Z [ 3084:17500] D - ScanCoordinator::MessageHandlerBase::SendResponseMessage()
    2022-05-09T08:29:09.052Z [ 3084:17500] D Setting 'sentResults_' to true
    2022-05-09T08:29:09.052Z [ 3084:17500] D - ScanCoordinator::MessageHandler::Handle()
    2022-05-09T08:29:09.052Z [ 3084:17500] D - ScanCoordinator::BinaryRequestHandler::Handle()
    2022-05-09T08:29:09.052Z [ 3084:14496] I 'Results' message sent.
    2022-05-09T08:29:09.052Z [ 3084:14496] I Sending 'Goodbye' message to SSP.
    2022-05-09T08:29:09.052Z [ 3084:14496] D + EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
    2022-05-09T08:29:09.052Z [ 3084:14496] D Posting message: {"message":{"instance_id":3084,"version":1},"type":6,"version":1}
    2022-05-09T08:29:09.052Z [ 3084:14496] D - EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
    2022-05-09T08:29:09.052Z [ 3084:14496] A Scan summary :
     * Objects scanned: 0
     * Objects not scanned: 1
     * Objects inaccessible: 0
     * Detections:

    I've already given this log to Qoosh, who seems quite impressed by this error. If I get any update on this, I will share it with you. 

    For context:

    The mounted drive is an Acronis image with the file type .tibx.
    Further testing showed that you can actually enter the C: drive from the mounted drive via hidden symlinks, for example:

    E:\Dokumente und Einstellungen\Scan_User (which means "Documents and Settings") goes to C:\Users\Scan_User.

    Even more interesting: if I use the SophosSAVICLI to scan the drive, it also scans those symlinks, but it also comes back to scan the rest of the drive.
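The junction behaviour described above can be checked before a scan is started. The following is an added example, not Sophos code and not from any poster in this thread: it walks a mounted backup volume, lists every reparse point (junction or symlink) it finds without descending into it, and flags the ones whose target resolves to a different drive letter, i.e. to the live machine rather than the image. The drive letter F: and the depth limit are assumptions.

```powershell
# Added example (not Sophos code). Lists junctions/symlinks under a mounted backup volume
# and marks those whose target lives on another drive (e.g. 'Dokumente und Einstellungen'
# pointing at C:\Users), which is what pulls an on-demand scan of F:\Users back to C:\.
# Our own walk never descends into a reparse point, so it cannot be redirected the same way.
function Get-OffVolumeLinks {
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. 'F:\' (assumed mount letter)
        [int]$MaxDepth = 6                     # assumed depth limit to keep the walk bounded
    )
    $rootDrive = [System.IO.Path]::GetPathRoot($Root).TrimEnd('\').ToUpperInvariant()   # 'F:'
    $stack = New-Object 'System.Collections.Generic.Stack[object]'
    $stack.Push(@{ Path = $Root; Depth = 0 })
    $results = @()
    while ($stack.Count -gt 0) {
        $item = $stack.Pop()
        # -Force includes hidden/system folders; -Directory limits the walk to folders only
        $children = Get-ChildItem -LiteralPath $item.Path -Force -Directory -ErrorAction SilentlyContinue
        foreach ($child in $children) {
            if ($child.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                # .Target is a collection on Windows PowerShell 5.1 and a string on PowerShell 7
                $target = @($child.Target) | Select-Object -First 1
                if (-not $target) { continue }
                $offVolume = $false
                if ([System.IO.Path]::IsPathRooted($target)) {
                    # Relative link targets stay on this volume; rooted ones are compared by drive
                    $targetDrive = [System.IO.Path]::GetPathRoot($target).TrimEnd('\').ToUpperInvariant()
                    $offVolume = ($targetDrive -ne $rootDrive)
                }
                $results += [pscustomobject]@{
                    Link      = $child.FullName
                    LinkType  = $child.LinkType
                    Target    = $target
                    OffVolume = $offVolume
                }
                continue   # do not follow the link; that is exactly the redirect we are hunting
            }
            if ($item.Depth -lt $MaxDepth) {
                $stack.Push(@{ Path = $child.FullName; Depth = $item.Depth + 1 })
            }
        }
    }
    return $results
}

# Usage: show only the links that leave the mounted volume so they can be excluded from the scan
Get-OffVolumeLinks -Root 'F:\' | Where-Object OffVolume | Format-Table Link, LinkType, Target -AutoSize
```

Paths reported with OffVolume set are candidates for a scan exclusion on the mounted image, or for scanning the image from a host where those drive letters do not exist.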