Difference between Sophosfilescanner.exe and SophosFS.exe process

I wanted to understand the difference between the SophosFileScanner.exe and SophosFS.exe processes. Are they the same in functionality?

Does SophosFileScanner.exe have the role of SAVService.exe, which was removed recently after Core agent update 2.20.11?

Please guide.

Regards,
Sujit Jha



Edited TAGs
[edited by: Qoosh at 11:37 PM (GMT -7) on 4 Jul 2022]
  • SophosFS.exe is the Windows service which spawns the host and worker SophosFileScanner.exe processes. The worker loads the data and performs the scanning.

    The command line of the worker:

    "C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe"

    --worker
    --engine-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\16530583345316758"
    --data-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136"
    --pipe-name pid=14000:133010903447290325
    --log-file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log"
    --log-level 0
    --amsi-thread-count 1
    --amsi-queue-size 512
    --ml-scan-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"
    --ml-telemetry-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\telemetry\16547847322036918"
    --scan-dispatcher-config-path "C:\ProgramData\Sophos\Sophos File Scanner\Drop\scan_dispatcher_config_16565699311143992.json"

    So you can see references to the engine and data which is the "SSE64" component:
    C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136

    and references to the ML engine data provided by the "sme64" component
    "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325"

    SAVService.exe used to load the virus data and engine; now the worker process loads the data, the engine and the ML model.
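
An added example (not part of the original answer and not Sophos code): it parses the worker command line quoted in the answer above, maps each path to the component the answer names, and lists any path that falls outside the two install roots seen in that line. Treating only those two roots as expected is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Worker command line quoted in the answer above, joined onto one line.
POSTED = (
    r'"C:\Program Files\Sophos\Sophos File Scanner\SophosFileScanner.exe" --worker '
    r'--engine-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\16530583345316758" '
    r'--data-path "C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\16566165822853136" '
    r'--pipe-name pid=14000:133010903447290325 '
    r'--log-file "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" '
    r'--log-level 0 --amsi-thread-count 1 --amsi-queue-size 512 '
    r'--ml-scan-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\scan\16525662898487325" '
    r'--ml-telemetry-path "C:\Program Files\Sophos\Sophos ML Engine\ML1\telemetry\16547847322036918" '
    r'--scan-dispatcher-config-path "C:\ProgramData\Sophos\Sophos File Scanner\Drop\scan_dispatcher_config_16565699311143992.json"'
)

# Component names as the answer gives them for these two install directories.
COMPONENT = {"sophos standalone engine": "SSE64", "sophos ml engine": "sme64"}
# Assumption of this example: only the two roots seen in the posted line are expected.
ROOTS = [PureWindowsPath(r"C:\Program Files\Sophos"), PureWindowsPath(r"C:\ProgramData\Sophos")]

def parse(cmdline):
    # Split on whitespace outside double quotes; backslashes are never treated as escapes.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    flags, opts, rest = set(), {}, tokens[1:]
    while rest:
        name = rest.pop(0)
        if rest and not rest[0].startswith("--"):
            opts[name] = rest.pop(0)      # option followed by its value
        else:
            flags.add(name)               # bare switch such as --worker
    return tokens[0], flags, opts

def in_expected_root(path):
    p = PureWindowsPath(path)
    # PureWindowsPath compares case-insensitively; ".." is rejected because it is not collapsed.
    return ".." not in p.parts and any(root in p.parents for root in ROOTS)

def review(cmdline):
    image, flags, opts = parse(cmdline)
    paths = {"image": image, **{k: v for k, v in opts.items() if k.endswith(("-path", "-file"))}}
    components = {}
    for name, value in paths.items():
        for part in PureWindowsPath(value).parts:
            if part.lower() in COMPONENT:  # record (component, versioned directory name)
                components[name] = (COMPONENT[part.lower()], PureWindowsPath(value).name)
    return {"worker": "--worker" in flags, "components": components,
            "unexpected": sorted(n for n, v in paths.items() if not in_expected_root(v))}
```

Calling `review(POSTED)` reports the process as a worker, ties the engine and data paths to SSE64 and the two ML paths to sme64, and returns an empty `unexpected` list.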
