Sharing violations on SMB share, Office, tmp files when saving (file in use by someone else)

Users are working with Microsoft office files on SMB shares on windows servers.

When working inhouse all is fine. When they work remotely via Sophos SSL VPN Client, some users cannot save documents or excel sheets on the network shares because office brings a message that the file is already in use by someone else.

In the background you can see office creating random .tmp files in the location of the file on the share.

Also opening the files directly on the SMB share is super slow.

The same happens, when they create encrypted zip files with 7zip on the share. While creating the zip, it creates a .tmp file first on the share. The file zip cannot be created.

If they do it locally on the client computer and then copy the file to the SMB share, all is fine.

If we disable all Sophos Endpoint components, all is fine, too and the files can be opened and saved directly on the network share.

I have created an exception policy that worked for a few users, but not for all.

The exception has this syntax: \\servername\sharename\**\*.tmp, and should be correct.

In the C:\ProgramData\Sophos\Endpoint Defense\Logs\sed.log on the client, I can confirm, it applied the filter.

Any idea how to get rid of that problem? Or is that something that needs to be fixed by Sophos patterns?



Added tags
[edited by: Gladys at 5:02 AM (GMT -7) on 30 Oct 2023]
Parents Reply Children
  • need to check which component it is actually. the process is sophosfilescanner.exe

  • We have seen that disabling Sophos File protection fixes the issue and the files can be saved.

    We now also have confirmed, our Central exceptions work so far that we no longer see other applications are having handles to the tmp files except excel.exe and explorer.exe (in terms of an excel sheet).

    What I can see is Sophos SED logging access of tmp files in the logs while I can see in the same log, there exist exceptions.

    Line 1409: 2024-01-09T09:53:17.668Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 1410: 2024-01-09T09:53:17.668Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp
    	Line 1411: 2024-01-09T09:53:17.668Z SED FileScan Info Path: Loading exclusion: \\serverc\foldera\**\*.tmp
    	Line 1945: 2024-01-09T11:57:50.761Z SED Analytic Info SgEvalPostCreateEventV3: unable to get PE flag for \Device\Mup\domain-name.de\Shares\foldera\path\77497C52.tmp
    	Line 1946: 2024-01-09T11:57:50.773Z SED Analytic Info SgEvalPostCreateEventV3: unable to get PE flag for \Device\Mup\domain-name.de\Shares\foldera\path\77497C52.tmp
    	Line 2903: 2024-01-10T06:04:07.867Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 2904: 2024-01-10T06:04:07.867Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp
    	Line 2905: 2024-01-10T06:04:07.867Z SED FileScan Info Path: Loading exclusion: \\serverc\foldera\**\*.tmp
    	Line 3041: 2024-01-10T06:04:25.922Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 3042: 2024-01-10T06:04:25.922Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp
    	Line 3043: 2024-01-10T06:04:25.922Z SED FileScan Info Path: Loading exclusion: \\serverc\foldera\**\*.tmp
    	Line 3206: 2024-01-10T06:04:28.954Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 3207: 2024-01-10T06:04:28.954Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp
    	Line 3208: 2024-01-10T06:04:28.954Z SED FileScan Info Path: Loading exclusion: \\serverc\foldera\**\*.tmp
    	Line 3387: 2024-01-10T06:12:05.589Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 3388: 2024-01-10T06:12:05.589Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp
    	Line 3389: 2024-01-10T06:12:05.589Z SED FileScan Info Path: Loading exclusion: \\serverc\foldera\**\*.tmp
    	Line 4234: 2024-01-10T09:21:10.309Z SED Analytic Error SSP evaluation SendMessage returns 0x00000102 - Details: [OpenFile] SPID:[3004:133493407680795158] STID:[4724:133493407711231346] [\Device\Mup\serverb\foldera\path\path\2024\C1E38BC0.tmp]
    	Line 4278: 2024-01-10T09:23:09.380Z SED Analytic Error SSP evaluation SendMessage returns 0x00000102 - Details: [OpenFile] SPID:[3004:133493407680795158] STID:[8876:133493519763693273] [\Device\Mup\serverb\foldera\path\path\2024\EDF79977.tmp]
    	Line 4294: 2024-01-10T09:25:37.148Z SED Analytic Error SSP evaluation SendMessage returns 0x00000102 - Details: [OpenFile] SPID:[3004:133493407680795158] STID:[12924:133493506515497807] [\Device\Mup\serverb\foldera\path\B99BC709.tmp]
    	Line 5010: 2024-01-10T12:38:59.374Z SED Analytic Error SSP evaluation SendMessage returns 0x00000102 - Details: [OpenFile] SPID:[3004:133493407680795158] STID:[7368:133493636217045979] [\Device\Mup\serverb\foldera\path\path\2024\621A3E75.tmp]
    	Line 5011: 2024-01-10T12:39:19.363Z SED Analytic Error SSP evaluation SendMessage returns 0x00000102 - Details: [OpenFile] SPID:[3004:133493407680795158] STID:[5072:133493636252799772] [\Device\Mup\serverb\foldera\path\path\2024\165AED0.tmp]
    	Line 5050: 2024-01-10T12:45:02.912Z SED Analytic Error SSP evaluation SendMessage returns 0x00000102 - Details: [OpenFile] SPID:[3004:133493407680795158] STID:[14164:133493641942897013] [\Device\Mup\serverb\foldera\path\pathb\EF1AE3B6.tmp]
    	Line 5403: 2024-01-12T07:20:06.556Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 5404: 2024-01-12T07:20:06.556Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp
    	Line 5405: 2024-01-12T07:20:06.556Z SED FileScan Info Path: Loading exclusion: \\serverc\foldera\**\*.tmp
    	Line 5541: 2024-01-12T07:20:26.415Z SED FileScan Info Path: Loading exclusion: \\servera\shares\**\*.tmp
    	Line 5542: 2024-01-12T07:20:26.415Z SED FileScan Info Path: Loading exclusion: \\serverb\**\*.tmp

  • i have opened a case for that today.

    07183657

    We have seen that of computers with the same sophos policies one could save a office file on SMB and a second computer could not. the second computer had sophos filescanners accessing the tmp file even if in sed.log we could see the exception not to scan tmp was loaded.

  • Hello LHerzog,

    Can you please try to add an exclusion for *Zone.Identifier and see if this helps?

    Also, is the network share hosted on netapp?