This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What version of Sophos contains sophosinterceptxcli.exe? I have to scan a single file.

Hello! New to this forum.

We have the Sophos Agent here on all of our servers. I need to use the agent to scan a single file on the CLI and output whether or not it is infected. I need to do this in C# that's why I was looking for the CLI app. But I don't see sophosinterceptxcli.exe installed. What version of sophos does it come with?



This thread was automatically locked due to age.
  • Hello  ,

    Good day.

    Thank you for reaching out to the Sophos Community forum.

    SophosSAVICLI.exe was previously used for scanning files, which is now replaced by sophosinterceptxcli.exe tool. Click Here for more information about SophosSAVICLI.exe.

    sophosinterceptxcli.exe command-line tool introduced with Core Agent 2022.1.0.78 is installed automatically when you install Sophos Endpoint. This tool is installed in Program Files/Sophos/Endpoint Defense. You can refer here for more information on it. 

    Yogalakshmi
    Sophos Digital Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thank you for the reply.

    My server core agent says it's version 2.20.12 but I don't see sophosinterceptxcli.exe. Is that because my version is too old or it's a different software suite?

    SophosSAVICLI.exe does not seem like it will scan a single file and output the results to the CLI based on the documentation so it does not seem like that would work for me. I could be wrong.

  • Hi  ,

    Yes, you're right. Core agent version 2.20.12 is the older one, which has already reached its end-of-life date; hence, you don't see sophosinterceptxcli.exe. On January 28, 2024, the certificate used by the previous SDDS2 update mechanism will expire, causing devices that update using SDDS2 to fail to update. You could follow the workaround mentioned in this article to update your device with the latest core agent, after which you could see sophosinterceptxcli.exe.

    Regarding your second query, I would like to highlight the point below, which is mentioned here

    Yogalakshmi
    Sophos Digital Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Is the file you are scanning a PE file or is this some sort of file upload scan task, so could be anything?

  • I was thinking, you could leverage the real-time scanning to scan (if needed, due to caching) PE files. E.g. call CreateFileW to get a handle to the file you want to scan, then call: CreateFileMappingW, e.g.

    CreateFileMappingW(hFile,
    NULL,
    PAGE_EXECUTE_READ,
    0,
    0, NULL)

    If it comes back with INVALID_HANDLE_VALUE and GLE is presumably access denied (error 5) then you could assume it's been blocked given the first CreateFileW was OK. I guess something could happen between but unlikely.  The event log or ssp.log could be checked.

    For reference, with Information level logging enabled for SFS in Endpoint Self Help you can see what is being scanned, for example:

    Get-Content $env:programdata"\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -wait -tail
     1 | % { if ($_ -match 'I End ScanDispatcher Request - File: (.*?),.*?Total Scan Time: (\d+\.\d+) seconds.' -and $_ -not
    match '\\Sophos File Scanner\\Logs\\SophosFileScanner.log'){if ($matches[1] -and $matches[2]){ $_.SubString(0,24) +","+$
    matches[2] +","+ $matches[1]}}}

    The SSPService caches what has been scanned before given the same data and if the file hasn't changed so you will not see a scan request for each time it's run if it's already been scanned.

    If you stop the "Sophos System Protection Service" service, delete "C:\ProgramData\Sophos\Endpoint Defense\Data\Buckets\AllowDecisionCache" and start the service again, this will clear the cache.  This is really just for info. Not scanning it if not needed would be a good optimization.  This caching only applies for local files.

    Maybe interesting if not useful :)