This discussion has been locked.

Sophos disabled but still blocking files

I've whitelisted PSEXEC and I've disabled all the modules for Sophos Endpoint, but PSEXEC is still being removed as it's recognised as a PUA. I've created a policy to whitelist this app on Central but nothing is applying.

Anyone know how to get around this?



This thread was automatically locked due to age.
  • Could that be download reputation sending the file for scanning?

    If you open up Endpoint Self Help - Enable Debug logging for IOfficeAV:

    Relaunch the browser and reproduce the problem.  Then check:

    C:\ProgramData\Sophos\Endpoint Defense\Logs\Low\iofficeav.log

    What do you see in there?

  • Here is what I see. It doesn't even have to be at download, it could be sitting there in a folder and it will be removed by Sophos. Here it says manual cleanup required but the file isn't there.

  • I also cannot download it again even with all of Sophos disabled on that endpoint.

  • It says that a scheduled scan completed; that might explain the detections in the list view you are showing.

    The value of TaskInfo under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service\ScheduledTasks\SophosScheduledScan

    will detail the config of the scan if it exists.  You can also check

    C:\ProgramData\Sophos\Endpoint Defense\Logs\SophosScanCoordinator.log
