Sophos disabled but still blocking files

I've whitelisted PSEXEC and I've disabled all the modules for Sophos Endpoint, but PSEXEC is still being removed as it's recognised as a PUA. I've created a policy to whitelist this app on Central, but nothing is applying.

Anyone know how to get around this?

  • Hi jt86,

    Could you share a screenshot of the detection that was raised in Sophos Central, as well as the type of exclusion you've created to white-list this? 

    In some cases, rebooting your device after a detection has been raised may help. I'd suggest trying this, then disabling the scanning components to retry the download.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Could that be download reputation sending the file for scanning?

    If you open up Endpoint Self Help - Enable Debug logging for IOfficeAV:

    Relaunch the browser and reproduce the problem.  Then check:

    C:\ProgramData\Sophos\Endpoint Defense\Logs\Low\iofficeav.log

    What do you see in there?

  • Here is what I see. It doesn't even have to be at download; it could be sitting there in a folder and it will be removed by Sophos. Here it says manual cleanup required, but the file isn't there.

  • I also cannot download it again even with all of Sophos disabled on that endpoint.

  • It says that a scheduled scan completed; that might explain the detections in the list view you are showing.

    The value of TaskInfo under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    will detail the config of the scan if it exists.  You can also check

    C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log