Sophos exclusions for Microsoft Endpoint Configuration Manager?

Is there anything special that needs to be done for Configuration Manager to work with Intercept-X? Some (not all and it changes A LOT) computers aren't seeing deployments in Software Center. Some computers will see 5 one day then all the next. Some will see them all one day and then see 5 less the next. It isn't consistent and Microsoft hasn't been any help. I would remove Sophos and test but I can't get it to consistently fail. I have %WINDIR%\CCM and %WINDIR%\CCMCACHE in Global Exclusions (Sophos Central - Global Settings - Global Exclusions) for Real-time and scheduled. Is there anything else that needs to be done? Does anyone have any suggestions that I might try?



This thread was automatically locked due to age.
  • Are there logs to see what was blocked, what was scanned and what Sophos 'touched'?

  • By making the following change in the registry you can enable verbose logging. Another option for seeing what is being scanned in real-time is to use ProcessMonitor, then to isolate Sophos File Scanner as the main process you wish to monitor. 

    • Access the following registry key:

      HKLM\SOFTWARE\Sophos\Sophos File Scanner\Application
       
    • Create the following value:

      "LogLevel"=dword:00000004
       
    • Restart the Sophos File Scanner Service.

    That said, files will still need to be touched on the drive for the scanner to know if the files are on the white list or if the files need to be scanned normally. 

    You can also find some information on real-time scanning in the SSP Logs located in "C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log". For this component you can turn on debug logging from the Endpoint Self Help Tool.

    Kushal Lakhan
    Team Lead, Global Community Support
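
The logging change described in the reply above, as an added PowerShell example that is not part of the original thread and not Sophos tooling. It saves the existing `LogLevel` value so it can be restored after troubleshooting; it assumes an elevated session and that the service display name is exactly "Sophos File Scanner Service" as written in the reply.

```powershell
# Added example: sets the registry value named in the reply, restarts the
# scanner service, and restores the previous state afterwards.
$KeyPath     = 'HKLM:\SOFTWARE\Sophos\Sophos File Scanner\Application'
$ValueName   = 'LogLevel'
$ServiceName = 'Sophos File Scanner Service'   # assumption: display name as given in the reply

function Set-ScannerLogLevel {
    param(
        # Pass $null to delete the value again (return to the product default).
        [Nullable[int]]$Level
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # Remember what was there before so the change can be undone.
    $previous = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
                 -ErrorAction SilentlyContinue).$ValueName

    if ($null -eq $Level) {
        Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -ErrorAction SilentlyContinue
    } else {
        # -Force overwrites an existing value; a denied write stops the script.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $Level -Force -ErrorAction Stop | Out-Null
    }

    # The reply states the service has to be restarted after the change.
    Get-Service -DisplayName $ServiceName -ErrorAction Stop |
        Restart-Service -Force -ErrorAction Stop

    return $previous
}

# Enable verbose logging (dword 4, as in the reply), reproduce, then restore.
$old = Set-ScannerLogLevel -Level 4
Read-Host 'Reproduce the Software Center issue, then press Enter to restore logging'
Set-ScannerLogLevel -Level $old | Out-Null
```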