Best way to monitor a folder on an SMB network share?

Hello

I can't find a way to easily monitor a folder on a mounted SMB network share. For reasons outside the scope of this post, it's not an option to install Sophos on the actual file server.

The host that would monitor the specific folder on this share is a macOS system.

  • I guess the main question is whether there's any option in Endpoint to add a specific folder on a network share that it constantly keeps an eye on and scans every 10 minutes or so?
  • If not, are there any AppleScript or bash capabilities in Endpoint for Mac so that I can script it?
  • Or any Automator add-ons?

If all of the above are answered with no, how have others dealt with this? It feels like something that should be an option.

One "solution" I can think of is to create a script that runs as a LaunchAgent on the host. This script runs an 'ls -alR $targetFolder' every 10 minutes, and hopefully that would trigger a scan if "analyze network traffic" is on? I have not tested this, just a theory...

Ideas? Suggestions?
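The LaunchAgent idea from the post, written out as an added example (this is not code from the original post or from Sophos): a POSIX shell script that sweeps a folder on the mounted share every 10 minutes, plus the launchd plist that schedules it. It reads each file to end-of-file with cat instead of listing it, because 'ls -alR' only pulls directory metadata over SMB, and a scanner that hooks file reads never sees the content that way. Whether the macOS Sophos endpoint intercepts reads on an SMB mount at all is an assumption this thread does not confirm (the later comments suggest it may not); the script only performs the reads. The share path /Volumes/smbshare/target, the marker file location and the label com.example.smb-sweep are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post or from Sophos): sweep a folder
# on a mounted SMB share so that an on-access scanner hooking file reads
# gets to see the content. ASSUMPTION: that the macOS Sophos endpoint
# inspects reads on SMB mounts at all; the thread does not confirm this.
# Paths and the launchd label below are placeholders.

TARGET="${TARGET:-/Volumes/smbshare/target}"   # folder to sweep (assumed path)
MARKER="${MARKER:-$HOME/.smb-sweep.marker}"    # mtime stamp of the previous pass
LABEL="com.example.smb-sweep"                  # launchd label (assumed name)
INTERVAL=600                                   # seconds: the post's "every 10th minute"

# read_all DIR: read every regular file under DIR to end-of-file. A plain
# 'ls -alR' only fetches directory metadata over SMB; cat makes the client
# pull the bytes, which is what a read-hooking scanner would inspect.
# Prints the number of files visited.
read_all() {
    find "$1" -type f -exec cat -- {} + < /dev/null > /dev/null 2>&1
    find "$1" -type f | wc -l | tr -d ' '
}

# read_changed DIR MARKER: like read_all, but only files modified since the
# previous pass (mtime newer than MARKER). The new stamp is taken before the
# walk, so a file written during the walk is picked up next time instead of
# being skipped. The first pass (no marker yet) reads everything.
read_changed() {
    dir=$1; marker=$2; newmark="$2.new"
    touch "$newmark"
    if [ -e "$marker" ]; then
        find "$dir" -type f -newer "$marker" -exec cat -- {} + < /dev/null > /dev/null 2>&1
        n=$(find "$dir" -type f -newer "$marker" | wc -l | tr -d ' ')
    else
        n=$(read_all "$dir")
    fi
    mv "$newmark" "$marker"
    echo "$n"
}

# write_agent PLIST SCRIPT: write a LaunchAgent that runs "SCRIPT sweep"
# every INTERVAL seconds, passing TARGET and MARKER through the environment.
write_agent() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$LABEL</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>$2</string><string>sweep</string></array>
    <key>EnvironmentVariables</key>
    <dict>
        <key>TARGET</key><string>$TARGET</string>
        <key>MARKER</key><string>$MARKER</string>
    </dict>
    <key>StartInterval</key><integer>$INTERVAL</integer>
    <key>StandardOutPath</key><string>/tmp/$LABEL.log</string>
    <key>StandardErrorPath</key><string>/tmp/$LABEL.err</string>
</dict>
</plist>
EOF
}

case "${1:-}" in
    sweep)
        n=$(read_changed "$TARGET" "$MARKER")
        echo "$(date '+%F %T') read $n file(s) under $TARGET" ;;
    install)
        mkdir -p "$HOME/Library/LaunchAgents"
        self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
        write_agent "$HOME/Library/LaunchAgents/$LABEL.plist" "$self"
        echo "wrote $HOME/Library/LaunchAgents/$LABEL.plist; load it with:"
        echo "  launchctl load $HOME/Library/LaunchAgents/$LABEL.plist" ;;
esac
```

Run 'sh smb-sweep.sh install' once to write the plist under ~/Library/LaunchAgents and then 'launchctl load' it; 'sh smb-sweep.sh sweep' does a single pass by hand, which is also how to check with top or fs_usage whether the scan extension reacts at all. The mtime marker keeps later passes to files changed since the previous one, which matters on a multi-petabyte share. Even if the reads are inspected, this covers only what the client reads and is no substitute for scanning on the file server itself.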

  • Checking top and fs_usage on that host while accessing files on that share and NAS, it seems like Sophos actually doesn't scan any content/traffic to/from it.

  • Hi LeChuck,

    Thanks for reaching out to the Sophos Community Forum. 

    The best option is to deploy Sophos onto the device where the storage resides, though I understand this is not possible in your scenario. 

    Are you able to provide any further details on how the SMB storage is being hosted on the network? This will help us suggest an appropriate solution in your specific use case. 

    I was not able to locate information on command-line options for scanning on macOS but will follow up with you here if I'm able to find out more.
    If you're able to deploy a Windows device or leverage an existing one on the environment, the following documentation may be of some assistance. 
    - Scan from the command line

    Using sophosinterceptxcli.exe along with the SMB filepath as an argument may work. A scheduled task or script to run this automatically would also work, as you mentioned.

    I'd suggest making note of the following KB article when proceeding with such a solution for SMB storage.
    - Files may become locked on SMB network volumes

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hello

    It's a multi-petabyte storage setup hosted on five different Linux RHEL servers. It serves GPFS for native clients and SMB for "network" clients.

    I looked at the macOS installation dir of Sophos and cannot find anything similar to what you describe for Windows. I will install it on a Windows VM and see what that gives me.

    What I find really interesting is that if I monitor the macOS system with 'top' from the command line, it doesn't seem like it scans anything on the share.

    Doing this:

    ls -alR /

    shows that 'com.sophos.endpoint.scanextension' works and loads the CPU.

    Doing this:

    ls -alR /Volumes/smbshare/

    Doesn't show any CPU load for com.sophos.endpoint.networkextension nor com.sophos.endpoint.networkextension.

    But the fact that you linked to the KB with SMB lock issues indicates that it should scan files on the share. And since a simple ls -alR triggers it locally, I would assume that it would trigger it on an SMB share as well.

  • My other answer hasn't been moderated yet, but I'm posting another one.

    So, from what I can see, the Windows command-line scanner doesn't support network shares. Not sure why or what the problem is; it doesn't really give any usable output.

    C:\Program Files\Sophos\Endpoint Defense>SophosInterceptXCLI.exe scan --noui --verbose P:\MISC\_SOFTWARE_INSTALLERS_

    Scan summary:
    Detections: 0
    Clean files: 0
    Unscanned files: 0
    Inaccessible files: 1

    C:\Program Files\Sophos\Endpoint Defense>

    Works fine with a local path though.

    C:\Program Files\Sophos\Endpoint Defense>SophosInterceptXCLI.exe scan --noui --verbose "c:\Program Files"

    Scan summary:
    Detections: 0
    Clean files: 1003
    Unscanned files: 0
    Inaccessible files: 0

    Even a right-click and "Scan with Sophos Endpoint" on the network SMB share shows "items scanned: 0", "files remaining: 0" in the GUI. So potentially broken?