This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Intercept X - OnDemand Scanner Jumps to different Drive

Hello there again,

I've just noticed a realy strange behaivior while using the OnDemand Scanner (right-click -> Scan with Sophos)
I wanted to scan a mounted Image which was taken as a backup from a different client.
When i try to scan the whole mounted volume (e.g. F:, which was C: on the original Client) the scanner very quickly jumps back to the C: volume.

Is this some kind of hidden feature?
Or does the Intercept X client follow any symlink-ish files or so?

I've boiled it down and noticed this only happens when i'm scanning the F:\Users directory.
Any other Directory that i scan on that volume seems to work.

Greetings
Lukas

This thread was automatically locked due to age.

Parents

0 Sophos User930 over 2 years ago

It might be worth checking if in the reg value OnDemandExcludeFilePaths under:

HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\PolicyConfiguration

If there is anything that conflicts?

Maybe try copying the values out, clearing the reg key and retrying the scan as a test.

Tamper will need to be disabled of course.
Cancel
Vote Up 0 Vote Down

Cancel
0 Appa_Omega over 2 years ago in reply to Sophos User930

Hey,

I have just tested this, unfortunately still does not work.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 2 years ago in reply to Appa_Omega

What about, if you set the DWORD reg value "LogLevel" under "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\LocalConfiguration" to 0

Then right click scan:

The log file:

C:\ProgramData\Sophos\Sophos UI\Logs\SophosScanCoordinator.log

Will then have Debug logging. Can you share the file?

I would remove the LogLevel DWORD or rename it. If you leave it there and the SSP Service restarts that will enable Debug logging on that which will slow the computer down.

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel

0 Appa_Omega over 2 years ago in reply to Sophos User930

Hey,

thanks for the tip!
Now it won't even start the Scan...
Here is the Log.

2022-05-09T08:29:08.040Z [ 3084:17500] D Received: {"type":7,"message":{"version":1,"paths":["E:\\"]},"version":1}
2022-05-09T08:29:08.040Z [ 3084:17500] D + ScanCoordinator::MessageHandler::Handle()
2022-05-09T08:29:08.040Z [ 3084:17500] D Handle 'StartScan'
2022-05-09T08:29:08.040Z [ 3084:17500] D Setting 'receivedStart_' to true
2022-05-09T08:29:08.040Z [ 3084:17500] D + EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
2022-05-09T08:29:08.040Z [ 3084:17500] D Posting message: {"message":{"instance_id":3084,"version":1},"type":10,"version":1}
2022-05-09T08:29:08.040Z [ 3084:17500] D - EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
2022-05-09T08:29:08.040Z [ 3084:17500] D - ScanCoordinator::MessageHandler::Handle()
2022-05-09T08:29:08.040Z [ 3084:17500] D - ScanCoordinator::BinaryRequestHandler::Handle()
2022-05-09T08:29:08.040Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartCountingFiles()
2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartCountingFiles()
2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartMemoryScan()
2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartMemoryScan()
2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartMBRScan()
2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartMBRScan()
2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::StartRootKitScan()
2022-05-09T08:29:08.041Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::StartRootKitScan()
2022-05-09T08:29:08.041Z [ 3084:14496] D + ScanCoordinator::ScanProcessCoordinator::DoFileSystemScan()
2022-05-09T08:29:08.041Z [ 3084:14496] I Starting file scan.
2022-05-09T08:29:08.042Z [ 3084:15656] D + ScanCoordinator::FileCounter::WorkerFunction()
2022-05-09T08:29:08.042Z [ 3084:15088] D Next path E:\
2022-05-09T08:29:08.043Z [ 3084:15656] D Error counting path: E:\(GetFinalPathNameByHandle failed: error 50)
2022-05-09T08:29:08.043Z [ 3084:15656] I Finished counting files. Total files counted: 0
2022-05-09T08:29:08.043Z [ 3084:15656] D - ScanCoordinator::FileCounter::WorkerFunction()
2022-05-09T08:29:08.043Z [ 3084:15088] E Error walking path: E:\(GetFinalPathNameByHandle failed: error 50)
2022-05-09T08:29:08.043Z [ 3084:15088] I File scan work item has ended.
2022-05-09T08:29:08.043Z [ 3084:14496] I Finished File scan in 0 seconds
2022-05-09T08:29:08.043Z [ 3084:14496] D - ScanCoordinator::ScanProcessCoordinator::DoFileSystemScan()
2022-05-09T08:29:09.051Z [ 3084:17500] D + ScanCoordinator::BinaryRequestHandler::Handle()
2022-05-09T08:29:09.051Z [ 3084:17500] D Received: {"type":8,"message":{"version":1,"verbose":false},"version":1}
2022-05-09T08:29:09.051Z [ 3084:17500] D + ScanCoordinator::MessageHandler::Handle()
2022-05-09T08:29:09.051Z [ 3084:17500] D Handle 'Progress'
2022-05-09T08:29:09.051Z [ 3084:17500] D + ScanCoordinator::MessageHandlerBase::SendResponseMessage()
2022-05-09T08:29:09.052Z [ 3084:17500] D Replying with message: {"message":{"detection_count":0,"inaccessible_count":0,"no_detection_count":0,"not_scanned":[{"location":"E:\\","reason":"GetFinalPathNameByHandle failed: error 50"}],"not_scanned_count":1,"version":1},"type":11,"version":1}
2022-05-09T08:29:09.052Z [ 3084:17500] D - ScanCoordinator::MessageHandlerBase::SendResponseMessage()
2022-05-09T08:29:09.052Z [ 3084:17500] D Setting 'sentResults_' to true
2022-05-09T08:29:09.052Z [ 3084:17500] D - ScanCoordinator::MessageHandler::Handle()
2022-05-09T08:29:09.052Z [ 3084:17500] D - ScanCoordinator::BinaryRequestHandler::Handle()
2022-05-09T08:29:09.052Z [ 3084:14496] I 'Results' message sent.
2022-05-09T08:29:09.052Z [ 3084:14496] I Sending 'Goodbye' message to SSP.
2022-05-09T08:29:09.052Z [ 3084:14496] D + EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
2022-05-09T08:29:09.052Z [ 3084:14496] D Posting message: {"message":{"instance_id":3084,"version":1},"type":6,"version":1}
2022-05-09T08:29:09.052Z [ 3084:14496] D - EndpointDefenseIpc::AsyncCommsMessageSender::PostBinaryMessageToComponentId()
2022-05-09T08:29:09.052Z [ 3084:14496] A Scan summary :
 * Objects scanned: 0
 * Objects not scanned: 1
 * Objects inaccessible: 0
 * Detections:

I've already gave this log to Qoosh, who seem quite impressed by this error. If i get any update on this, i will share it with you.

For Context:

The Mounted Drive is an Acronis Image with the file type .tibx.
Further testing showed, that you can actualy enter the C: Drive from the Mounted drive via hidden Symlinks like for e.g.

E:\Dokumente und Einstellungen\Scan_User (which means "Documents and Settings") goes to C:\Users\Scan_User.

Even more interesting, if i use the SophosSAVICLI to scan the drive, it also scans those symlinks but also comes back to scan the rest of the Drive.

Reply