What version of Sophos contains sophosinterceptxcli.exe? I have to scan a single file.

Hello! New to this forum.

We have the Sophos Agent here on all of our servers. I need to use the agent to scan a single file on the CLI and output whether or not it is infected. I need to do this in C#, which is why I was looking for the CLI app. But I don't see sophosinterceptxcli.exe installed. What version of Sophos does it come with?



Added tags
[edited by: Gladys at 10:34 AM (GMT -8) on 5 Mar 2024]
Parents
  • Is the file you are scanning a PE file or is this some sort of file upload scan task, so could be anything?

  • I was thinking, you could leverage the real-time scanning to scan (if needed, due to caching) PE files. E.g. call CreateFileW to get a handle to the file you want to scan, then call: CreateFileMappingW, e.g.

    CreateFileMappingW(hFile, NULL, PAGE_EXECUTE_READ, 0, 0, NULL)

    If it comes back with INVALID_HANDLE_VALUE and GLE is presumably access denied (error 5) then you could assume it's been blocked given the first CreateFileW was OK. I guess something could happen between but unlikely.  The event log or ssp.log could be checked.

    For reference, with Information level logging enabled for SFS in Endpoint Self Help you can see what is being scanned, for example:

    Get-Content "$env:ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -Wait -Tail 1 |
      % { if ($_ -match 'I End ScanDispatcher Request - File: (.*?),.*?Total Scan Time: (\d+\.\d+) seconds.' -and
              $_ -notmatch '\\Sophos File Scanner\\Logs\\SophosFileScanner.log') {
              if ($matches[1] -and $matches[2]) { $_.SubString(0,24) + "," + $matches[2] + "," + $matches[1] } } }

    The SSPService caches what has been scanned before, given the same data and if the file hasn't changed, so you will not see a scan request each time it's run if it's already been scanned.

    If you stop the "Sophos System Protection Service" service, delete "C:\ProgramData\Sophos\Endpoint Defense\Data\Buckets\AllowDecisionCache" and start the service again, this will clear the cache.  This is really just for info. Not scanning it if not needed would be a good optimization.  This caching only applies for local files.

    Maybe interesting if not useful :) 
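As an added example (not code from the post above, nor from Sophos), here is the probe the reply describes written in PowerShell with P/Invoke, which is the same DllImport shape a C# caller would use: open the file for read+execute with CreateFileW, request a PAGE_EXECUTE_READ section with CreateFileMappingW, and treat a refusal with Win32 error 5 after a successful open as "blocked". A second function turns the SophosFileScanner.log lines the reply's one-liner matches into objects. Assumptions: the error-5-means-blocked interpretation is the reply's, the function names are hypothetical, and the sample log lines are constructed here (only the "End ScanDispatcher Request - File: ..., Total Scan Time: ... seconds" fields come from the reply's regex; the rest of the layout is made up). CreateFileMappingW returns NULL on failure, so the code checks for IntPtr.Zero.

```powershell
# Added example, not from the original post or from Sophos.
# Assumptions: a detection makes CreateFileMappingW(PAGE_EXECUTE_READ) fail with
# ERROR_ACCESS_DENIED (5) as the reply suggests; function names below are hypothetical.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
    uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileMappingW(IntPtr hFile, IntPtr lpAttributes,
    uint flProtect, uint dwMaximumSizeHigh, uint dwMaximumSizeLow, string lpName);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Test-ExecMappingAllowed {
    # Opens $Path for read+execute, then asks for an executable section of it.
    # Verdict 'blocked' = open succeeded but the mapping was refused with error 5.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $GENERIC_READ = 0x80000000; $GENERIC_EXECUTE = 0x20000000   # both needed for PAGE_EXECUTE_READ
    $FILE_SHARE_READ = 0x1; $OPEN_EXISTING = 3; $FILE_ATTRIBUTE_NORMAL = 0x80
    $PAGE_EXECUTE_READ = 0x20
    $INVALID_HANDLE_VALUE = [IntPtr]::new(-1)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $hFile = [Win32.Native]::CreateFileW($full, [uint32]($GENERIC_READ -bor $GENERIC_EXECUTE),
        $FILE_SHARE_READ, [IntPtr]::Zero, $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($hFile -eq $INVALID_HANDLE_VALUE) {
        return [pscustomobject]@{ Path = $full; Stage = 'CreateFileW'; Win32Error = $err; Verdict = 'open-failed' }
    }
    try {
        # CreateFileMappingW returns NULL (not INVALID_HANDLE_VALUE) when it fails.
        $hMap = [Win32.Native]::CreateFileMappingW($hFile, [IntPtr]::Zero, $PAGE_EXECUTE_READ, 0, 0, $null)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($hMap -eq [IntPtr]::Zero) {
            # 1006 = ERROR_FILE_INVALID: a zero-length file cannot be mapped, which is not a detection.
            $verdict = switch ($err) { 5 { 'blocked' } 1006 { 'empty-file' } default { 'map-failed' } }
            return [pscustomobject]@{ Path = $full; Stage = 'CreateFileMappingW'; Win32Error = $err; Verdict = $verdict }
        }
        [void][Win32.Native]::CloseHandle($hMap)
        return [pscustomobject]@{ Path = $full; Stage = 'CreateFileMappingW'; Win32Error = 0; Verdict = 'allowed' }
    }
    finally {
        [void][Win32.Native]::CloseHandle($hFile)
    }
}

function ConvertFrom-SophosScanLog {
    # Turns 'End ScanDispatcher Request' lines into objects and drops the scanner's own log file.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match 'I End ScanDispatcher Request - File: (.*?),.*?Total Scan Time: (\d+\.\d+) seconds' -and
            $Line -notmatch '\\Sophos File Scanner\\Logs\\SophosFileScanner\.log') {
            [pscustomobject]@{
                Timestamp   = $Line.Substring(0, 24)   # same 24-char prefix the reply's one-liner keeps
                File        = $Matches[1]
                ScanSeconds = [double]$Matches[2]
            }
        }
    }
}

# Constructed sample lines (layout assumed). Live use:
#   Get-Content "$env:ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -Wait -Tail 1 | ConvertFrom-SophosScanLog
$sampleLog = @(
    '2024-03-05T10:34:12.101Z I Start ScanDispatcher Request - File: C:\Temp\sample.exe'
    '2024-03-05T10:34:12.113Z I End ScanDispatcher Request - File: C:\Temp\sample.exe, Total Scan Time: 0.012 seconds.'
    '2024-03-05T10:34:13.400Z I End ScanDispatcher Request - File: C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log, Total Scan Time: 0.001 seconds.'
)

function Get-SampleScanRecords { $sampleLog | ConvertFrom-SophosScanLog }

# Usage: Test-ExecMappingAllowed -Path C:\Temp\sample.exe ; Get-SampleScanRecords
```

Get-SampleScanRecords yields one record for C:\Temp\sample.exe and drops the line that refers to the scanner's own log, which is the exclusion the reply's one-liner performs. Two caveats carried over from the reply: the probe only exercises the path real-time scanning takes for executable mappings, and because SSPService caches allow decisions for unchanged local files, a second probe of the same file may not produce a new scan entry in the log even though the verdict is still returned.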
