You can use the command line tools ExportConfig.exe and ConfigCID.exe to suppress Sophos Anti-Virus driver errors from being listed in the Windows Event Log on your client computers.
For example, a driver error is logged in the Event Log with the Source 'SAVOnAccess'.
Note: The errors will still appear in the SAV.txt log file.
Identify the Event ID for the error code
Check the client computer's Event Log for the Sophos Anti-Virus Event ID error you wish to suppress.
Export the configuration file
Use ExportConfig.exe to export your current Sophos Anti-Virus configuration to the file savconf.xml.
Edit the configuration file
Find your savconf.xml file in your Central Installation Directory (CID).
Open the file savconf.xml in Notepad++ or an XML editor.
In the Format menu, disable 'Word Wrap'.
Scroll down to the bottom of the file. Just above the tag '</config>', copy and paste the following text, changing the Event ID code as required. Do not insert line breaks. In this example, we use Event ID 63.
<inst:install xmlns:inst="http://www.sophos.com/SAVXP/SavInstallConfiguration" xmlns="http://www.sophos.com/SAVXP/SavInstallConfiguration"> <onAccess> <suppressErrors> <item>63</item> </suppressErrors> </onAccess> </inst:install>
Save the savconf.xml file.
Implement the changes
Use ConfigCID.exe to implement the changes you have made.
To reverse the changes, update the copy of the file savconf.xml in your CID by deleting the error code entries that you added, but leave the outer tags:
Then re-run ConfigCID.exe. The customization will be removed the next time Sophos Anti-Virus updates.
Further information
If you want to exclude multiple Event IDs, use the following XML format:
<suppressErrors> <item>1</item> <item>2</item> </suppressErrors>
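The edit, multiple-ID and reversal steps above can be scripted so the change to savconf.xml is repeatable and checked for well-formed XML before ConfigCID.exe is run. The following Python sketch is an added example, not Sophos code; the function names and the sample configuration are constructed for illustration, and it assumes that "leave the outer tags" means keeping the wrapper with an empty suppressErrors element.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://www.sophos.com/SAVXP/SavInstallConfiguration"
# Matches the block in the single-line shape shown in the article.
BLOCK_RE = re.compile(
    r"<inst:install\b[^>]*>\s*<onAccess>\s*<suppressErrors>(.*?)"
    r"</suppressErrors>\s*</onAccess>\s*</inst:install>", re.S)
ITEM_RE = re.compile(r"<item>\s*(\d+)\s*</item>")


def suppressed_ids(config_text):
    """Return the Event IDs currently listed under <suppressErrors>."""
    match = BLOCK_RE.search(config_text)
    return sorted(int(i) for i in ITEM_RE.findall(match.group(1))) if match else []


def build_block(event_ids):
    """Render the block on one line; an empty list keeps only the outer tags."""
    ids = sorted({int(i) for i in event_ids})
    if any(i < 0 for i in ids):
        raise ValueError("Event IDs must be non-negative integers")
    items = "".join(f"<item>{i}</item> " for i in ids)
    return (f'<inst:install xmlns:inst="{NS}" xmlns="{NS}"> <onAccess> '
            f"<suppressErrors> {items}</suppressErrors> </onAccess> </inst:install>")


def set_suppressed_ids(config_text, event_ids):
    """Return config_text with the block set to exactly event_ids (idempotent)."""
    block = build_block(event_ids)
    if BLOCK_RE.search(config_text):
        # Replace the existing block instead of appending a second one.
        updated = BLOCK_RE.sub(lambda _m: block, config_text, count=1)
    else:
        pos = config_text.rfind("</config>")
        if pos == -1:
            raise ValueError("no closing </config> tag found")
        updated = config_text[:pos] + block + "\n" + config_text[pos:]
    ET.fromstring(updated)  # raises ParseError if the edit broke the XML
    return updated


# Constructed stand-in for savconf.xml; a real export has many more elements.
SAMPLE = "<config>\n<placeholder/>\n</config>\n"

if __name__ == "__main__":
    once = set_suppressed_ids(SAMPLE, [63])
    print(once)
    print(suppressed_ids(set_suppressed_ids(once, [2, 1])))  # replaces, not appends
```

Read savconf.xml into a string, pass it through set_suppressed_ids, and write the result back to a copy first; suppressed_ids gives a quick audit of which Event IDs a given CID is hiding from the Event Log.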