Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 13 subscribers
  • Views 1196 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos disabled but still blocking files

jt86

I've whitelisted PSEXEC and I've disabled all the modules for Sophos Endpoint but PSEXEC is still being removed as its recognised as a PUA. I've created a policy to whitelist this app on Central but nothing is applying.

Anyone know how to get around this?



This thread was automatically locked due to age.
Parents
  • 0

    Could that be download reputation sending the file for scanning?

    If you open up Endpoint Self Help - Enable Debug logging for IOfficeAV:

    Relaunch the browser and reproduce the problem.  Then check:

    C:\ProgramData\Sophos\Endpoint Defense\Logs\Low\iofficeav.log

    What do you see in there?

  • 0 in reply to Sophos User930

    Here is what it see. It doesn't even have to be at download, it could be sitting there in a folder and it will be removed by Sophos. Here it says manual cleanup required but the file isn't there.

  • 0 in reply to jt86

    I also cannot download it again even with all of sophos disabled on that endpoint.

  • 0 in reply to jt86

    It says that a scheduled scan completed, that might explain the detections in the list view you are showing.

    The value of TaskInfo under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    will detail the config of the scan if it exists.  You can also check

    C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log

Reply
  • 0 in reply to jt86

    It says that a scheduled scan completed, that might explain the detections in the list view you are showing.

    The value of TaskInfo under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    will detail the config of the scan if it exists.  You can also check

    C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log

Children
No Data
Unfiltered HTML