Is there anything special that needs to be done for Configuration Manager to work with Intercept-X? Some (not all and it changes A LOT) computers aren't seeing deployments in Software Center. Some computers will see 5 one day then all the next. Some will see them all one day and then see 5 less the next. It isn't consistent and Microsoft hasn't been any help. I would remove Sophos and test but I can't get it to consistently fail. I have %WINDIR%\CCM and %WINDIR%\CCMCACHE in Global Exclusions (Sophos Central - Global Settings - Global Exclusions) for Real-time and scheduled. Is there anything else that needs to be done? Does anyone have any suggestions that I might try?
Are there logs to see what was blocked, what was scanned and what Sophos 'touched'?
By making the following change in the registry you can enable verbose logging. Another option for seeing what is being scanned in real time is to use Process Monitor and isolate Sophos File Scanner as the main process you wish to monitor.
HKLM\SOFTWARE\Sophos\Sophos File Scanner\Application
That said, files will still need to be touched on the drive for the scanner to know if the files are on the white list or if the files need to be scanned normally.
You can also find some information on real-time scanning in the SSP Logs located in "C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log". For this component you can turn on debug logging from the Endpoint Self Help Tool.
So even though c:\Windows\CCM is whitelisted, if something is added to a subdirectory in c:\windows\ccm it will still touch the file?
That's correct. All files will still be touched, but not all will be scanned if some are excluded. If you have a folder exclusion, the files and folders in all sub-directories will be excluded from scanning.
You can test if exclusions are working correctly by using an EICAR file.
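One way to run the EICAR check suggested above, as an added example that is not part of the original thread or any Sophos tooling: it writes the standard EICAR test string into a subfolder of the excluded `%WINDIR%\ccmcache` path and into a non-excluded control folder, then compares what survives. The subfolder names, the wait time and the function name `Test-EicarSurvives` are assumptions chosen for illustration.

```powershell
# Added example: compare an excluded folder with a non-excluded control folder.
# Run from an elevated prompt. Folder names and wait time are assumptions.
param(
    [string]$ExcludedDir = (Join-Path $env:WINDIR 'ccmcache\eicar-exclusion-test'),
    [string]$ControlDir  = (Join-Path $env:TEMP   'eicar-control-test'),
    [int]$WaitSeconds    = 10
)

# Standard EICAR test string, stored in two parts so this script file
# is not itself detected before it runs.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-EicarSurvives {
    param([string]$Dir)
    $file = Join-Path $Dir 'eicar.com'
    try {
        New-Item -ItemType Directory -Path $Dir -Force -ErrorAction Stop | Out-Null
        [System.IO.File]::WriteAllText($file, $eicar, [System.Text.Encoding]::ASCII)
        Start-Sleep -Seconds $WaitSeconds   # give real-time scanning time to act
        # Reading the file back forces an on-access check;
        # a blocked or removed file throws and lands in the catch block.
        $content = [System.IO.File]::ReadAllText($file)
        return ($content -eq $eicar)
    } catch {
        return $false
    } finally {
        # Clean up so no test file is left behind in either location.
        Remove-Item -Path $Dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$excludedOk = Test-EicarSurvives -Dir $ExcludedDir
$controlOk  = Test-EicarSurvives -Dir $ControlDir

[pscustomobject]@{ Folder = $ExcludedDir; Survived = $excludedOk; Expected = $true }
[pscustomobject]@{ Folder = $ControlDir;  Survived = $controlOk;  Expected = $false }

if ($excludedOk -and -not $controlOk) {
    'Exclusion is applied, and real-time scanning is active outside it.'
} elseif ($excludedOk -and $controlOk) {
    'No detection in either folder: real-time scanning may be off, or the control folder is also excluded.'
} else {
    'Test file was blocked in the excluded folder: the exclusion is not being applied on this machine.'
}
```

Running it on a machine that shows all deployments and on one that is missing some gives a direct comparison of whether the Global Exclusions policy has actually reached both endpoints.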