Users receive "The file is being scanned for sensitive material. Please Wait"

Hi,

I had a quick look into this with Process Monitor.  Almon.exe presents this dialog, so with that being filtered I found a query for:

HKLM\SOFTWARE\Sophos\SAVService\DataControl\SplashScreen

But it came up as not found, so I created the above key.

This then revealed the following:

You maybe want to try those in your testing.  I suspect setting WindowDisplayLength DWORD 0 might do it but haven't really performed any serious testing.

I hope this turns out to be useful.  The only downside to trying to turn this off is that if it takes longer than a few seconds to scan the file, the user may think the window has hung without some indication something is happening.  If that is a concern, maybe WindowStart could be used to control how much time passes scanning before it gives the progress.

The values seem to be in 10th of a second. I.e. 20 = 2 seconds

Cheers,

Jak

Hello kesm0724,

funny you mention it because I've seen this splash two days ago. Didn't find anything in the logs.

I don't have Outlook - so it also happens for other applications. Could have been when I started Firefox (I have one rule set for monitoring browser uploads). Similar rules are in place for about 100 clients in our domain and there Outlook is used. Either this screen doesn't pop up or our users just ignore it without asking or complaining :smileywink:.

But perhaps John Stringer could tell us more about it - what causes it to appear, how it can be suppressed and whether it'd be a good idea to do so or not.  

Christian

I appreciate the replies (Jak / Christian) - helpdesk has only notified me about a few users regarding this I'm not too concerned about it.  What I am concerned about it that apparently it is doing some sort of scan on the Outlook .ost / .pst even though Data Control is set to just monitor file transfers to certain applications - Outlook being one of them.  I wasn't sure if there is a some sort of known issue. 

Helpdesk basically stated that while this message is displayed Outlook took approximately 20 minutes to load-up - uhhh yeah 20 minutes - after the tech ran "maintenance" (i'm assuming usual defrag junk, cleared temp files, etc) that the startup of the app was cutdown to a few minutes - I'm not so sure that something else is going on with the machine.  The other user I heard of this message constantly popping up on their desktop said that it was slowing the whole machine down.  I wonder is there a way to up the logging to debug for that particuliar module?

Hi,

The dialog will appear when SAV is scanning a file for data control which takes beyond a few seconds.   Rather than hanging the window, this dialog is used to provide some feedback to the user something is happening.  

As an example say I block Excel files from being uploaded to the web via Firefox, if the file in question is a large Excel spreadsheet, say 50MB and I have a complex data control rule, the engine will have to extract all the strings within the document once and then run them by the rules, this is the only way it can work to ensure nothing is missed.  This text extraction phase would have to be dependant on the size and complexity of the file so it's largely an unknown.  The rule matching phase would be dependant on the number of rules also, so both of these are variable.

So with Firefox being the "destination" in this case (which is detected to be Firefox using the engine (using application control rules)) If the Excel file is not from an excluded location on disk, as it is loaded by Firefox.exe it is scanned and Firefox is essentially halted from reading the file until SAV is done with it.  Different applications will behave differently when potentially being denied a file in this way, so might hang the GUI thread in some cases I would expect, so a top most window indicating to the user something is happening is a compromise to a non responding application window in some cases.

So any time the "The file is being scanned for sensitive material.  Please Wait" message appears, the file being opened by the applications executable, be it firefox.exe, iexplore.exe,outlook.exe, etc.. must have opened it and the rules specified are interested in it. So running Process Monitor filtered on the destination application of choice, e.g. Firefox.exe and objects of the file class, you should see the files Firefox.exe is opening, if these are from a non excluded location (I believe there are a few hard coded exclusions) and are file types of interest based on your rules they will be scanned by the data control component. If it makes sense you can then optionally decide to exclude some of these file paths for the rules if this would help or change the rules, especially custom control control ones to be less broad.

I would also suggest turning the logging in SAV for the DataControl component to Verbose, this will then log more about the rules being fired.

I hope this helps.

Thanks,

Jak 

Hi,

Could anyone experiencing this issue raise a support call. Also could you enable the Data Control verbose logging on any endpoints experiencing the issue and send the log into Sophos?

Thanks,

John Stringer

Product Manager

Under "Select Files to Exclude" within the data control policy I excluded .pst and .ost files.  I had the user who received the message each time when opening Outlook to try opening outlook and she doesn't receive the message anymore.  Hopefully this isn't a fluke and this resolves the issue permanently for her.

John - If the issue persists I will log a ticket with support but since I have standard support and remote desktop support isn't included in "standard" support it is often quicker to just figure the issue out without exchanging a ton of emails.