Difference between Sophosfilescanner.exe and SophosFS.exe process

Hi Sujit,

Thanks for reaching out to the Sophos Community Forum. 

From what I can find in the logs, "SophosFileScanner.exe" will be the main On-Access scanner. This updated architecture will primarily use ML for the decision making process.

"SophosFS.exe" is meant to ensure that the scanning process remains up and running at all times. If you were to bypass Tamper Protection to kill "SophosFileScanner.exe" you will see in the logs for "SophosFS.exe" that it spawns a new process.

Let me know if this helps.

SophosFS.exe is the Windows service:

which spawns the host and worker Sophosfilescanner.exe processes.  The worker loads the data and performs the scanning.  

The command line of the worker:

"C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe"

--worker
--engine-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\16530583345316758"
--data-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136"
--pipe-name pid=14000:133010903447290325
--log-file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
--log-level 0
--amsi-thread-count 1
--amsi-queue-size 512
--ml-scan-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"
--ml-telemetry-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\telemetry\16547847322036918"
--scan-dispatcher-config-path "C:\ProgramData\Sophos\Sophos File Scanner\Drop\scan_dispatcher_config_16565699311143992.json"

So you can see references to the engine and data which is the "SSE64" component:
C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136

and references to the ML engine data provided by the "sme64" component
"C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"

SAVService.exe did used to load the virus data and engine, now the worker process loads the data and engine and ML model.