
What version of Sophos contains sophosinterceptxcli.exe? I have to scan a single file.

Hello! New to this forum.

We have the Sophos Agent here on all of our servers. I need to use the agent to scan a single file on the CLI and output whether or not it is infected. I need to do this in C#, which is why I was looking for the CLI app. But I don't see sophosinterceptxcli.exe installed. What version of Sophos does it come with?

  • I was thinking, you could leverage the real-time scanning to scan (if needed, due to caching) PE files. E.g. call CreateFileW to get a handle to the file you want to scan, then call: CreateFileMappingW, e.g.

    HANDLE hMap = CreateFileMappingW(hFile,             // handle returned by CreateFileW
                                     NULL,              // default security attributes
                                     PAGE_EXECUTE_READ, // executable mapping triggers the on-access scan
                                     0, 0,              // map the whole file
                                     NULL);             // unnamed mapping

    If it comes back with INVALID_HANDLE_VALUE and GLE is presumably access denied (error 5) then you could assume it's been blocked given the first CreateFileW was OK. I guess something could happen between but unlikely.  The event log or ssp.log could be checked.

    For reference, with Information level logging enabled for SFS in Endpoint Self Help you can see what is being scanned, for example:

    Get-Content "$env:ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -Wait -Tail 1 |
      ForEach-Object {
        # Emit "timestamp,scan seconds,file" for each completed scan, skipping the scanner's own log file
        if ($_ -match 'I End ScanDispatcher Request - File: (.*?),.*?Total Scan Time: (\d+\.\d+) seconds.' -and
            $_ -notmatch '\\Sophos File Scanner\\Logs\\SophosFileScanner.log') {
          if ($matches[1] -and $matches[2]) { $_.Substring(0,24) + "," + $matches[2] + "," + $matches[1] }
        }
      }

    The SSPService caches what has been scanned before given the same data and if the file hasn't changed so you will not see a scan request for each time it's run if it's already been scanned.

    If you stop the "Sophos System Protection Service" service, delete "C:\ProgramData\Sophos\Endpoint Defense\Data\Buckets\AllowDecisionCache" and start the service again, this will clear the cache.  This is really just for info. Not scanning it if not needed would be a good optimization.  This caching only applies for local files.

    Maybe interesting if not useful :)
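Putting the approach from the reply above into C# for the original question (an added example, not code from the poster or from Sophos; the OnAccessProbe, Probe and Verdict names are this example's own). It opens the file with GENERIC_READ|GENERIC_EXECUTE, which a PAGE_EXECUTE_READ mapping requires, and treats a NULL mapping handle (CreateFileMappingW returns NULL, not INVALID_HANDLE_VALUE, on failure) with ERROR_ACCESS_DENIED after a successful open as the "blocked" signal.

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Assumed names: OnAccessProbe, Probe and Verdict are this example's own, not a Sophos API.
static class OnAccessProbe
{
    const uint GENERIC_READ = 0x80000000, GENERIC_EXECUTE = 0x20000000;
    const uint FILE_SHARE_READ = 0x1, OPEN_EXISTING = 3, FILE_ATTRIBUTE_NORMAL = 0x80;
    const uint PAGE_EXECUTE_READ = 0x20;
    const int ERROR_ACCESS_DENIED = 5;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share,
        IntPtr secAttrs, uint disposition, uint flags, IntPtr template);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateFileMappingW(SafeFileHandle hFile, IntPtr secAttrs,
        uint protect, uint sizeHigh, uint sizeLow, string name);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    public enum Verdict { Allowed, Blocked, OpenFailed, MappingFailed }

    // Open with GENERIC_READ|GENERIC_EXECUTE (required for PAGE_EXECUTE_READ mappings),
    // then request the executable mapping that real-time scanning intercepts.
    // CreateFileMappingW returns NULL on failure; NULL plus ERROR_ACCESS_DENIED after a
    // successful open is the "blocked" signal described in the reply above.
    public static Verdict Probe(string path, out int win32Error)
    {
        win32Error = 0;
        using (SafeFileHandle hFile = CreateFileW(path, GENERIC_READ | GENERIC_EXECUTE,
            FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero))
        {
            if (hFile.IsInvalid) { win32Error = Marshal.GetLastWin32Error(); return Verdict.OpenFailed; }
            IntPtr hMap = CreateFileMappingW(hFile, IntPtr.Zero, PAGE_EXECUTE_READ, 0, 0, null);
            if (hMap != IntPtr.Zero) { CloseHandle(hMap); return Verdict.Allowed; }
            win32Error = Marshal.GetLastWin32Error();
            return win32Error == ERROR_ACCESS_DENIED ? Verdict.Blocked : Verdict.MappingFailed;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: OnAccessProbe <file>"); return 2; }
        Verdict v = Probe(args[0], out int err);
        Console.WriteLine(err == 0 ? $"{args[0]}: {v}" : $"{args[0]}: {v} (Win32 error {err})");
        return v == Verdict.Blocked ? 1 : 0;
    }
}
```

An OpenFailed result with error 5 is reported separately because the reply's signal is specifically the mapping failing after the open succeeded; cross-check either outcome against the SophosFileScanner.log output shown above, remembering the cache means a file scanned earlier will not produce a new log entry.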