What version of Sophos contains sophosinterceptxcli.exe? I have to scan a single file.

Hello! New to this forum.

We have the Sophos Agent here on all of our servers. I need to use the agent to scan a single file on the CLI and output whether or not it is infected. I need to do this in C#, which is why I was looking for the CLI app. But I don't see sophosinterceptxcli.exe installed. What version of Sophos does it come with?



  • Hello,

    Good day.

    Thank you for reaching out to the Sophos Community forum.

    SophosSAVICLI.exe was previously used for scanning files; it has now been replaced by the sophosinterceptxcli.exe tool. Click Here for more information about SophosSAVICLI.exe.

    The sophosinterceptxcli.exe command-line tool, introduced with Core Agent 2022.1.0.78, is installed automatically when you install Sophos Endpoint. This tool is installed in Program Files/Sophos/Endpoint Defense. You can refer here for more information on it.

    Yogalakshmi
    Sophos Digital Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thank you for the reply.

    My server core agent says it's version 2.20.12 but I don't see sophosinterceptxcli.exe. Is that because my version is too old or it's a different software suite?

    SophosSAVICLI.exe does not seem like it will scan a single file and output the results to the CLI based on the documentation so it does not seem like that would work for me. I could be wrong.

  • Hi,

    Yes, you're right. Core agent version 2.20.12 is the older one, which has already reached its end-of-life date; hence, you don't see sophosinterceptxcli.exe. On January 28, 2024, the certificate used by the previous SDDS2 update mechanism will expire, causing devices that update using SDDS2 to fail to update. You could follow the workaround mentioned in this article to update your device with the latest core agent, after which you could see sophosinterceptxcli.exe.

    Regarding your second query, I would like to highlight the point below, which is mentioned here

    Yogalakshmi
    Sophos Digital Support
  • Is the file you are scanning a PE file or is this some sort of file upload scan task, so could be anything?

  • I was thinking, you could leverage the real-time scanning to scan (if needed, due to caching) PE files. E.g. call CreateFileW to get a handle to the file you want to scan, then call: CreateFileMappingW, e.g.

    HANDLE hMap = CreateFileMappingW(hFile,   /* handle from the earlier CreateFileW call */
                                     NULL,    /* default security attributes */
                                     PAGE_EXECUTE_READ,
                                     0, 0,    /* map the whole file */
                                     NULL);   /* unnamed mapping */

    If it comes back with INVALID_HANDLE_VALUE and GLE is presumably access denied (error 5) then you could assume it's been blocked given the first CreateFileW was OK. I guess something could happen between but unlikely.  The event log or ssp.log could be checked.

    For reference, with Information level logging enabled for SFS in Endpoint Self Help you can see what is being scanned, for example:

    Get-Content "$env:ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -Wait -Tail 1 | % {
        if ($_ -match 'I End ScanDispatcher Request - File: (.*?),.*?Total Scan Time: (\d+\.\d+) seconds.' -and
            $_ -notmatch '\\Sophos File Scanner\\Logs\\SophosFileScanner.log') {
            if ($matches[1] -and $matches[2]) {
                # timestamp, scan time in seconds, scanned file
                $_.SubString(0,24) + "," + $matches[2] + "," + $matches[1]
            }
        }
    }

    The SSPService caches what has been scanned before given the same data and if the file hasn't changed so you will not see a scan request for each time it's run if it's already been scanned.

    If you stop the "Sophos System Protection Service" service, delete "C:\ProgramData\Sophos\Endpoint Defense\Data\Buckets\AllowDecisionCache" and start the service again, this will clear the cache.  This is really just for info. Not scanning it if not needed would be a good optimization.  This caching only applies for local files.

    Maybe interesting if not useful :)
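Since the original question asked for C#, here is the probe described in the post above expressed as a P/Invoke program. This is an added example, not code from the thread or from Sophos: it opens the file with CreateFileW, attempts CreateFileMappingW with PAGE_EXECUTE_READ, and treats a failure with ERROR_ACCESS_DENIED (5) as "blocked by real-time protection", while any other error (file missing, zero-length file, and so on) is reported separately so it is not mistaken for a detection. Note that Win32 documents CreateFileMappingW as returning NULL on failure, so the example tests for IntPtr.Zero rather than INVALID_HANDLE_VALUE. The file path, the SophosProbe class name and the ProbeResult enum are this example's own choices.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Added example (assumption: the file is a local PE covered by Sophos real-time scanning).
enum ProbeResult { Allowed, Blocked, Error }

static class SophosProbe
{
    const uint GENERIC_READ       = 0x80000000;
    const uint GENERIC_EXECUTE    = 0x20000000;
    const uint FILE_SHARE_READ    = 0x00000001;
    const uint OPEN_EXISTING      = 3;
    const uint PAGE_EXECUTE_READ  = 0x20;
    const int  ERROR_ACCESS_DENIED = 5;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CreateFileMappingW(SafeFileHandle hFile, IntPtr lpAttributes, uint flProtect,
        uint dwMaximumSizeHigh, uint dwMaximumSizeLow, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns Allowed when the executable mapping succeeds, Blocked when the open or the mapping
    // fails with access denied, and Error for every other Win32 failure (lastError carries the code).
    public static ProbeResult Probe(string path, out int lastError)
    {
        lastError = 0;
        // PAGE_EXECUTE_READ requires the handle to be opened with GENERIC_READ and GENERIC_EXECUTE.
        using (SafeFileHandle hFile = CreateFileW(path, GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ,
                                                  IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero))
        {
            if (hFile.IsInvalid)
            {
                lastError = Marshal.GetLastWin32Error();
                return lastError == ERROR_ACCESS_DENIED ? ProbeResult.Blocked : ProbeResult.Error;
            }

            // The open succeeded; now the executable mapping is what triggers the on-access scan.
            // Repeated probes of an unchanged file may be answered from the SSPService cache
            // mentioned in the thread, so no new scan request will appear in the log each time.
            IntPtr hMap = CreateFileMappingW(hFile, IntPtr.Zero, PAGE_EXECUTE_READ, 0, 0, null);
            if (hMap == IntPtr.Zero)
            {
                lastError = Marshal.GetLastWin32Error();
                return lastError == ERROR_ACCESS_DENIED ? ProbeResult.Blocked : ProbeResult.Error;
            }

            CloseHandle(hMap);
            return ProbeResult.Allowed;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: SophosProbe <path-to-file>");
            return 2;
        }

        ProbeResult result = Probe(args[0], out int err);
        string detail = err != 0 ? $" (Win32 error {err}: {new Win32Exception(err).Message})" : "";
        Console.WriteLine($"{args[0]}: {result}{detail}");
        return result == ProbeResult.Allowed ? 0 : 1;
    }
}
```

The three-way result matters in practice: a zero-length file, a path on a volume the agent does not cover, or a file locked by another process all make the mapping fail with a code other than 5, and collapsing those into "infected" would produce false positives. When a Blocked result is returned, the corresponding entry in SophosFileScanner.log or the Windows event log can confirm that a scan actually took place.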