
scan error on non existent folder C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data

The below was returned from our scheduled scan (config via the Enterprise Console):

User: NT AUTHORITY\SYSTEM
Scan: New scheduled scan
Machine: <hostname>

Scanning "C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Rules\LOCK" returned SAV Interface error 0xa0040202: Scan failed.

Scanning "C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension State\LOCK" returned SAV Interface error 0xa0040202: Scan failed.

Scanning "C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Session Storage\LOCK" returned SAV Interface error 0xa0040202: Scan failed.

The above folder clearly does not exist! "C:\Documents and Settings\User\" so why is Sophos trying to scan it?? How do I tell it to not bother scanning it!!!

I have requested assistance from Sophos technical support via email. However, they are less than useful (to be polite), are giving me the runaround and don't even appear to be reading the info I sent to them.

I'm hoping someone on here can help me with this.

Thank You.



  • Hi QC,

    OS is Windows 7. I would have expected it to scan at "C:\Users\<actual username goes here>\AppData"

    I tried to look up the exact file / folder which it claims it is unable to scan. NO such folder / file exists on any of the client hosts.

    This is happening on all clients with Google Chrome installed. I would prefer not to have to manually exclude folders due to side effects (not scanning other folders it should be).
  • Hello WoodsIT,

    "NO such folder / file exists"
    no and yes - these non-existent folders are junction points which enable programs to access the Vista+ structure using the legacy paths. Actually if you paste an "old" path in Explorer (e.g. C:\Documents and Settings\All Users\Application Data\Sophos) it should open the (corresponding) location.
    Normally you don't see that an on-demand scan also follows the junction points, and as said this should not cause the scanning errors.

    "on all clients with Google Chrome installed"
    indeed whether Chrome is running or not? Are there any details in the Windows Event Log? On second thoughts, an existing lock on the file might not be the cause either - I've checked a number of logs, no error of this kind at all even though on some endpoints Chrome was likely running at the time of the scan.

    [Edit] Sorry for being dense - it just occurred to me that you get these scanning errors as email alerts, I don't use them. Not sure whether you can centrally suppress this error code and whether it is generally safe to suppress it. [/Edit]

    Christian
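
One way to check the junction-point explanation above on an affected endpoint, as an added example that is not part of the original thread: it walks a legacy path one component at a time and follows each junction it meets. It assumes Windows PowerShell 5.0 or later (for the LinkType and Target properties); the function name Resolve-LegacyPath is hypothetical.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.0+.
# Resolve-LegacyPath is a hypothetical helper name.
function Resolve-LegacyPath {
    param([Parameter(Mandatory)][string]$Path)

    $parts   = @($Path -split '\\' | Where-Object { $_ })
    $current = $parts[0] + '\'            # drive root, e.g. C:\
    $hops    = @()

    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = Join-Path $current $parts[$i]
        # -Force is required: the compatibility junctions are hidden system items.
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        # The built-in compatibility links use absolute targets, so the target
        # can simply replace the path walked so far.
        if ($item -and $item.LinkType -in 'Junction', 'SymbolicLink') {
            $target  = @($item.Target)[0] -replace '^\\\?\?\\', ''
            $hops   += "$candidate -> $target"
            $current = $target
        } else {
            $current = $candidate       # plain folder/file, or not present
        }
    }

    [pscustomobject]@{
        Requested = $Path
        Resolved  = $current
        Exists    = Test-Path -LiteralPath $current
        Junctions = $hops
    }
}

# Sample input: one of the paths from the scan alert, with the placeholder
# profile name "User" exactly as it appears in the post.
$legacy = 'C:\Documents and Settings\User\Local Settings\Application Data' +
          '\Google\Chrome\User Data\Default\Extension Rules\LOCK'
Resolve-LegacyPath $legacy | Format-List
```

On Windows 7 the Junctions list should show C:\Documents and Settings pointing at C:\Users and Local Settings pointing at AppData\Local, so Resolved is the path under C:\Users that the scanner actually reached.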

  • Hi QC,

    Thank you again for your reply.

    "C:\Documents and Settings\All Users\Application Data\Sophos" is a real folder and exists, that I know. But why is it trying to scan some junction point that does not exist (if it does I can't find or access it!).

    The idea is that the email alert goes to our ticketing system so that it can be dealt with asap. I don't know of a way to suppress the error.

    These scans happen in the middle of the night whilst the machine sits idle. Chrome would probably be open as our users never log out of their workstations.

    I will take a look at the event log.

    Interestingly Sophos support hasn't bothered getting back to me regarding this issue. Why are we paying for Sophos / support again? The last response from Sophos support instructed us to submit (this non existent) file to the virus checker website. This forum has been more helpful!
  • Hello WoodsIT,

    "support hasn't bothered getting back to me"
    sometimes you have to be insistent, I'm heading a small support group and I know that first level is caught between a rock (requester) and a hard place (second level and management). Don't expect that first level has an in-depth knowledge of all aspects of every product - that's not their job. OTOH must not pass an issue on to second level just because it's obscure.

    "[we should] submit (this non existent) file"
    I'm pretty sure this file does exist (complex paths work on the local machine only anyway) but submitting it is moot as it's zero-size. Strange that the scanner throws an error - if the Event log does not have details a scanner trace might or might not reveal the cause - you'd need assistance from Support for this (and anyway even if the cause is found this doesn't guarantee that the error can be corrected or avoided). Speaking of errors - there are other common ones, password protected files for example. Seems that's not a problem for you, or is it?
    As for suppressing email notification for certain errors - perhaps possible but not without help from Support (and then, it's not actually a defect and perhaps not covered by basic support).

    Christian
     

  • When we first purchased our Sophos license the pitch was that we always get to speak to someone who knows the product well and could give us an answer right there most of the time (and I did experience this myself). It appears as time goes by this is no longer the case...
  • Hello WoodsIT,

    as time goes by your questions get smarter :-)

    The "perhaps not covered by basic support" is just an assumption. "[K]now[ing] the product well" does not necessarily mean being familiar with all finicky details, ... but I digress. I'd insist on an explanation for or investigation of this "scan failed" (personally I'd test the "when LOCK is locked" hypothesis). Excluding files named LOCK from scheduled scans shouldn't be much of an additional risk. In addition you can (probably - see Remark) make the exclusions more specific: Extension Rules\LOCK (note no leading \) is a valid file exclusion (be warned that it will also match More Extension Rules\LOCK).
    Remark: I have checked that you can use this format in the on-access and on-demand exclusions both with SEC and the local GUI; I've tested the outcome with On-Access only though.

    Hope this is of use
    Christian

  • Thanks again for your reply.

    I'm actually trying to add those specific folders as Folder exclusions (I'm adding them to the On Access Scanning as it is the only spot I can add an exclusion). I will try adding them as File exclusions as well.

    Surprisingly still no response from Sophos support on this issue! I'm not expecting a done and dusted answer, however at least "we are looking into it" would be nicer than silence. On the other hand I've sent other queries to Sophos support on non-AV products and had very good replies / level of support. Maybe I hit the jackpot with this particular issue. I would expect the support staff to seek help or escalate to higher up if he / she could not assist with the issue further.
  • Hello WoodsIT,

    "Folder exclusion [...] to the On Access Scanning"
    I advise against such Folder exclusions for On-Access (you should avoid On-Access exclusions for workstations anyway).

    "the only spot"
    SEC's policy editor is not really as intuitive as one might wish, the spot you're looking for is here:

    Note that it really applies to all On-Demand scans. On the endpoint it's on the Configure Anti-Virus and HIPS page:

    "I would expect the support staff to seek help or escalate to higher up"
    I agree - and that's what I expect from my team members as well, in practice it's not that simple. You're required to choose the correct higher-up (bell ringing various groups is often a no-go). A hypothetical example: The cheat-sheet tells you the Endpoint Messaging group demands that you escalate "unusual" scanning errors to the Engine/Scanner group for resolution, E/S though accepts the case only when the customer has submitted a sample. Neither group wants to accept it as their responsibility to devise a further troubleshooting procedure. At this point it's no longer a customer problem only but an internal problem as well. Ideally there's a body which resolves such conflicts. But often the problem is passed back to first level with the request to think of something. ... not to exonerate Support though. 

    BTW: do you know SophServ?

    Christian

  • Hi QC,

    Thank you again for your reply. I've been busy with other things so haven't checked back on this thread until now.

    Only when you pointed it out did I notice "Exclusion & Extension" being there! I will try adding to that instead as the other spot didn't help.

    As you said from a customer perspective all I see is I get no communication / answer of what is happening next.

    I did end up getting a reply eventually that the Sophos help desk is requesting further info from Sophos Lab & Google. That was 2 weeks ago. They also suggested adding to the exclusion list.

    I didn't know about SophServ until you mentioned it.

    For others' info on SophServ: https://www.sophos.com/en-us/support/knowledgebase/119696.aspx