"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
The following error is reported to the Enterprise Console:
The on-access driver failed to perform a user action on file \Device\Harddisk ...[full path to file] [0xe03d0037]
The error is also reported to the System event log and the SAV.txt on the endpoint computer and may appear as e03d0037.
This error indicates that Sophos Anti-Virus has detected malware but is unable to access the file in order to perform the usual actions of cleanup, remove or delete.
One of the reasons for this might be that the file has already been deleted. One common example is where the file was detected by the on-access scanner as it was being extracted from a zip file or application, to a temporary location and the write to disk action was blocked, and hence the file mentioned in the detection, and reported to the console, doesn't exist.
First seen in Sophos Endpoint Security and Control
Check the path reported for the file and see if the path points to a temporary location (e.g., '...\Device\HarddiskVolume1\Users\[username]\AppData\Local\Temp\...') or maybe to an email attachment stored locally while the email application is accessing it (e.g., '....\Users\[username]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\...').
If so, then it is likely the file was blocked by the on-access scanner when attempting to be written to disk and hence there is no file to cleanup. In this situation running a further scan of the computer will not result in any further ability to clean up the file. You can therefore acknowledge or clear the alert. If further alerts appear for that computer: check the username mentioned in the path to the temporary folder and confirm with them if they are attempting to access a compressed file, or email attachment, etc.
The on-access scanner will protect the computer against further attempts to open the malicious file. If you are in any doubt run a full system scan of the computer and see if any malware is detected. Be aware that mailboxes are not scanned - because of the complexity and structure of the file - and so a subsequence scan may not report the original file if an attachment.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.