This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos (Endpoint) and “USB Safely Remove”.

I do experience difficulties removing my external USB HDD drives from my computer. Somehow Sophos gets in the way.

I use the software “USB Safely Remove”. When started, it tells me that the HDDs can’t be removed, because of two services that still access the drive. These services are both from Sophos: “SavService” and “svchost”.

I certainly put my external drives on Sophos’ exclusion list. Yet this had no impact on how Sophos handled the external HDDs. Thus, I am unable to remove them.

I would be very grateful if you could help me with this ... and explain to me what I am doing wrong here.

Markus

Endpoint Security and Control =  10.6

Sophos Anti-Virus 10.6.3.537

SavService.exe 10.6.3.537 , size 285136 bytes 

Microsoft Windows 8.1 Pro

 



This thread was automatically locked due to age.
Parents
  • Hello Markus,

    SavService.exe does not interfere with the Windows' standard Eject or Safely Remove. The screenshot unfortunately shows only processes (what about svchost.exe?) and not which files. Can't say what USB Safely Remove considers geöffnete Dateien - at least one of the svchost.exe processes and savservice.exe normally have a File handle on \Device\HarddiskVolumen but this does not prevent Windows from stopping the device.
    These services are both from Sophos
    no, svchost.exe is definitely not from Sophos, it's part of the OS - what makes you think it's from Sophos?

    There's no evidence (other than the claim from USB Safely Remove) that Somehow Sophos gets in the way and in addition there's svchost.exe. It's likely the software - either misconfigured or incorrectly assessing the situation.

    Christian

  • QC said:

    There's no evidence (other than the claim from USB Safely Remove) that Somehow Sophos gets in the way and in addition there's svchost.exe. It's likely the software - either misconfigured or incorrectly assessing the situation.

    I have to disagree :(. I have the same issue with USB Safely Remove and it is clearly said in the Windows event viewer (EventViewer -> Windows Logs -> System) that Sophos is the one that blocks removal of USB:

    The application \Device\HarddiskVolume2\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe with process id 3164 stopped the removal or ejection for the device USB\VID_1058&PID_10B8\5758453145323445534E3832.

     

    Sophos 10.6

    Windows 10

  • Hello M P,

    Sophos is the one
    indeed no other process indicated? SavService.exe treats these devices like any other volume in the file system, doesn't access them on its own, and normally doesn't hold a resource for an excessive amount of time. Furthermore if this were a general problem
    there'd be more reports, even when it's rare. Thus is suspect that something else is also involved.

    Christian 

  • Hello QC,

    I do have the same issue.. it occured only after installing SAV. However, not sure about that other process (see screenshot) - do you have any idea?

    Thanks and best regards,

    HZ

  • Hello HZ,

    according to the USB Safely Remove FAQs (under Technical questions) this is a known issue (with a unknown cause). Markus B eventually got rid of the problem but as the trigger seems to be a combination of several or many details it's likely not a general solution.
    Anyway it's safe to remove the device in this state.

    Christian

Reply
  • Hello HZ,

    according to the USB Safely Remove FAQs (under Technical questions) this is a known issue (with a unknown cause). Markus B eventually got rid of the problem but as the trigger seems to be a combination of several or many details it's likely not a general solution.
    Anyway it's safe to remove the device in this state.

    Christian

Children
No Data