Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 12 subscribers
  • Views 261 views
  • Users 0 members are here
Options
Suggested

Difference between Sophosfilescanner.exe and SophosFS.exe process

Sujit Jha1

I wanted to understand the Difference between Sophosfilescanner.exe and SophosFS.exe process, are they same in functionality ?

Is SophosFileScanner.exe have the role of SAVservice.exe which has been removed recently after Core agent update 2.20.11 ?

Please guide.

Regards,
Sujit Jha



Edited TAGs
[edited by: Qoosh at 11:37 PM (GMT -7) on 4 Jul 2022]
Parents
  • +1

    SophosFS.exe is the Windows service:

    which spawns the host and worker Sophosfilescanner.exe processes.  The worker loads the data and performs the scanning.  

    The command line of the worker:

    "C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe"

    --worker
    --engine-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\16530583345316758"
    --data-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136"
    --pipe-name pid=14000:133010903447290325
    --log-file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
    --log-level 0
    --amsi-thread-count 1
    --amsi-queue-size 512
    --ml-scan-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"
    --ml-telemetry-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\telemetry\16547847322036918"
    --scan-dispatcher-config-path "C:\ProgramData\Sophos\Sophos File Scanner\Drop\scan_dispatcher_config_16565699311143992.json"

    So you can see references to the engine and data which is the "SSE64" component:
    C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136

    and references to the ML engine data provided by the "sme64" component
    "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"

    SAVService.exe did used to load the virus data and engine, now the worker process loads the data and engine and ML model.

Reply
  • +1

    SophosFS.exe is the Windows service:

    which spawns the host and worker Sophosfilescanner.exe processes.  The worker loads the data and performs the scanning.  

    The command line of the worker:

    "C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe"

    --worker
    --engine-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\16530583345316758"
    --data-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136"
    --pipe-name pid=14000:133010903447290325
    --log-file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
    --log-level 0
    --amsi-thread-count 1
    --amsi-queue-size 512
    --ml-scan-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"
    --ml-telemetry-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\telemetry\16547847322036918"
    --scan-dispatcher-config-path "C:\ProgramData\Sophos\Sophos File Scanner\Drop\scan_dispatcher_config_16565699311143992.json"

    So you can see references to the engine and data which is the "SSE64" component:
    C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136

    and references to the ML engine data provided by the "sme64" component
    "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"

    SAVService.exe did used to load the virus data and engine, now the worker process loads the data and engine and ML model.

Children
No Data
Unfiltered HTML