
Sophos Endpoint Security and Control conflict with Microsoft Office on Windows file server (SMB version 2 (or newer))

Thought I would throw this out there as an FYI for other users:

We have a Windows 2012 R2 file server with various Excel/Word files on it.  Users open these files from a share and save the files back to the same location (typical file share behavior) using Office 2007, 2010 or 2013.  The problem is that when Sophos On-access scanning is enabled, it creates new <randomname>.tmp files in the share every time the file is saved.  I can reproduce this on demand by turning the on-access scanning on or off.

We started a support case (Ticket #6660170), but unfortunately we always get sent to the lowest level support and have had many, many problems trying to get through to experienced engineers who understand the software whenever we need assistance.  Eventually, we gave up on the case and used a workaround of excluding *.tmp files from on-access scanning.  Not ideal, but better than filling our file server with useless files.

Anyone else encounter this and if so, any luck on a better solution?



  • Hi,

    Do you have Access-based Enumeration configured on the shares by chance?  Does it change anything to enable/disable it?
    https://technet.microsoft.com/en-gb/library/dd772681%28v=ws.10%29.aspx

    Also, you say you exclude the temp files. Is this exclusion set in SAV on the server or the client?

    Do you see an "Access Denied" result if you monitor this operation on the server/client with Process Monitor - technet.microsoft.com/.../processmonitor.aspx

    E.g. If you run Process Monitor on the client and server while reproducing the problem.  On the client I'd expect the Office process (e.g. Excel.exe) to be doing the work, on the file server, the System process.  Note that the system process is excluded in the default filter so you want to add that back in.

    The only other thing that might be worth capturing is a network capture (Wireshark) and filter for:
    smb or smb2

    You should see the operation on the file as another perspective to see what's going on.  Between the PML log on the client, server and the network capture that should be all that is required to understand what is happening.

    Regards,

    Jak

  • We have Access-based Enumeration enabled on one of the shares and off on the others, but they all showed the same issue with TMP files.

    We excluded the TMP files on the client computers - we do not currently have any AV on the server itself.

    Regarding the tests you are requesting - I have no problem providing logs and trying various solutions, but Sophos should have a lab environment that they can test and troubleshoot this type of scenario for the customer.  We are paying for a product/service and should not be expected to do Sophos' work for them.
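The Process Monitor check suggested in the first reply can be summarised from a CSV export of the capture. The following is an added example, not part of the thread or of any Sophos tooling: it assumes Process Monitor's default CSV column layout, and the sample rows, server name and file names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in Process Monitor's default CSV export layout.
# Server, share, file names and PIDs are invented for illustration.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","EXCEL.EXE","4120","CreateFile","\\fs01\docs\7F3A21C9.tmp","SUCCESS","Disposition: Create, OpenResult: Created"
"10:01:02.30","EXCEL.EXE","4120","WriteFile","\\fs01\docs\7F3A21C9.tmp","SUCCESS","Offset: 0, Length: 8192"
"10:01:02.50","EXCEL.EXE","4120","SetRenameInformationFile","\\fs01\docs\7F3A21C9.tmp","SUCCESS","FileName: \\fs01\docs\budget.xlsx"
"10:01:02.60","EXCEL.EXE","4120","CreateFile","\\fs01\docs\B81D40E2.tmp","SUCCESS","Disposition: Create, OpenResult: Created"
"10:01:02.90","EXCEL.EXE","4120","SetDispositionInformationFile","\\fs01\docs\B81D40E2.tmp","ACCESS DENIED","Delete: True"
"10:01:03.00","EXCEL.EXE","4120","CloseFile","\\fs01\docs\budget.xlsx","SUCCESS",""
'''

WATCH = {"ACCESS DENIED", "SHARING VIOLATION"}   # results worth reporting
REMOVERS = {"SetDispositionInformationFile",     # delete-on-close request
            "SetRenameInformationFile"}          # rename away from *.tmp

def tmp_report(csv_lines, suffix=".tmp"):
    """Per *.tmp path: who created it, whether it was removed, what was blocked."""
    files = defaultdict(lambda: {"created_by": None, "removed": False, "blocked": []})
    for row in csv.DictReader(csv_lines):
        path = row["Path"]
        if not path.lower().endswith(suffix):
            continue
        entry = files[path]
        op, result, proc = row["Operation"], row["Result"], row["Process Name"]
        # A CreateFile row is also logged for plain opens; only count real creations.
        if op == "CreateFile" and result == "SUCCESS" and "OpenResult: Created" in row["Detail"]:
            entry["created_by"] = proc
        elif op in REMOVERS and result == "SUCCESS":
            entry["removed"] = True
        if result in WATCH:
            entry["blocked"].append((proc, op, result))
    return dict(files)

def leftovers(report):
    """Paths created during the capture and never deleted or renamed in it."""
    return sorted(p for p, e in report.items() if e["created_by"] and not e["removed"])

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig", newline="")
    report = tmp_report(io.StringIO(SAMPLE))
    for path in leftovers(report):
        print(path, report[path]["created_by"], report[path]["blocked"])
```

Running it against one capture taken with on-access scanning enabled and one with it disabled shows whether the leftover files coincide with blocked delete or rename operations.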
