Difference between Sophosfilescanner.exe and SophosFS.exe process

I wanted to understand the difference between the Sophosfilescanner.exe and SophosFS.exe processes. Are they the same in functionality?

Does SophosFileScanner.exe have the role of SAVservice.exe, which was removed recently after Core agent update 2.20.11?

Please guide.

Regards,
Sujit Jha



Edited TAGs
[edited by: Qoosh at 11:37 PM (GMT -7) on 4 Jul 2022]
  • Hi Sujit,

    Thanks for reaching out to the Sophos Community Forum. 

    From what I can find in the logs, "SophosFileScanner.exe" will be the main On-Access scanner. This updated architecture will primarily use ML for the decision-making process.

    "SophosFS.exe" is meant to ensure that the scanning process remains up and running at all times. If you were to bypass Tamper Protection to kill "SophosFileScanner.exe", you will see in the logs for "SophosFS.exe" that it spawns a new process.

    Let me know if this helps.

    Kushal Lakhan
    Global Community Support Engineer
  • SophosFS.exe is the Windows service which spawns the host and worker Sophosfilescanner.exe processes. The worker loads the data and performs the scanning.

    The command line of the worker:

    "C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe"
    --worker
    --engine-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\16530583345316758"
    --data-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136"
    --pipe-name pid=14000:133010903447290325
    --log-file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
    --log-level 0
    --amsi-thread-count 1
    --amsi-queue-size 512
    --ml-scan-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"
    --ml-telemetry-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\telemetry\16547847322036918"
    --scan-dispatcher-config-path "C:\ProgramData\Sophos\Sophos File Scanner\Drop\scan_dispatcher_config_16565699311143992.json"

    So you can see references to the engine and data which is the "SSE64" component:
    C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136

    and references to the ML engine data provided by the "sme64" component
    "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"

    SAVService.exe did use to load the virus data and engine; now the worker process loads the data, engine and ML model.
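
Added example (not part of the posts above and not Sophos code): a PowerShell inventory of the layout this thread describes, listing the service backed by SophosFS.exe and each SophosFileScanner.exe instance with its parent process and the paths parsed from its command line. It assumes an elevated session; the helper name Get-ScannerOption is hypothetical, and the command line may read back empty for protected processes.

```powershell
# Added example: inventory the SophosFS.exe service and SophosFileScanner.exe processes.
# Assumption: run from an elevated PowerShell session on the endpoint.

# Hypothetical helper: pull the value of one "--name value" option out of a command line.
function Get-ScannerOption {
    param([string]$CommandLine, [string]$Name)
    # Accepts --name "quoted value" as well as --name bare-value
    $pattern = '--{0}\s+(?:"([^"]*)"|(\S+))' -f [regex]::Escape($Name)
    if ($CommandLine -match $pattern) {
        if ($Matches[1]) { return $Matches[1] } else { return $Matches[2] }
    }
    return $null
}

# The Windows service whose binary is SophosFS.exe (located by image path, not by a guessed name).
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*SophosFS.exe*' } |
    Select-Object Name, State, StartMode, ProcessId, PathName |
    Format-List

# Index every process by PID so each scanner's parent can be resolved.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$procs | Where-Object { $_.Name -ieq 'SophosFileScanner.exe' } | ForEach-Object {
    $cmd    = [string]$_.CommandLine          # may be empty for protected processes
    $parent = $byPid[[int]$_.ParentProcessId] # $null if the parent has already exited
    [pscustomobject]@{
        PID        = $_.ProcessId
        IsWorker   = $cmd -match '(^|\s)--worker(\s|$)'
        ParentPID  = $_.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '<not running>' }
        ImagePath  = $_.ExecutablePath
        EnginePath = Get-ScannerOption $cmd 'engine-path'
        DataPath   = Get-ScannerOption $cmd 'data-path'
        MlScanPath = Get-ScannerOption $cmd 'ml-scan-path'
        LogFile    = Get-ScannerOption $cmd 'log-file'
    }
} | Format-List
```

Comparing ImagePath and ParentName against the values in the post above is a quick way to confirm that a process named SophosFileScanner.exe is the one started by the Sophos service.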