This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SAVON Access Event Error 70

I am getting multiple alarms from an endpoint with multiple alarms in event viewer, saying it failed to flush the cache when reading from file \ProgramData\xxxxxSoftwarexxxx

I configured policy to exclude that file for both real-time and scheduled.

Any ideas why it would be trying to access the file to flush the cache and how to make it stop?



This thread was automatically locked due to age.
  • Hello Chris Henning,

    first of all, why do you think you have to exclude this file from scanning? Is the file being blocked?
    Guess it's error 0xE03D0046, like other errors of this class it tells you that the scanning engine couldn't perform its work as intended. These errors should be rare and require investigation if they recur. I don't think the scanner is trying to access the file to flush the cache, AFAIK the message is Failed to flush the cache when reading from. I've never encountered it and can't say what it signifies. multiple alarms always the same file (BTW: what kind of file is this, xxxxxSoftwarexxxx doesn't tell much)? Every time the file is accessed?

    Christian

  • Hello Christian,

    I figured you would be the one responding.

    I excluded the folder from real-time scanning because Sophos always throws up a PUA alert on a few files; false positives. These have been reported to Sophos.

    So I exclude the folder, C:\ProgramData\GeoVision\Common

    GeoVision is a company that sells security cameras and associated software.  We use it on Dell computers to create an NVR.

    It isn't when we access the files that we see the alarms, and its 3 files that are .ini files that are listed in the alarms. When this event occurs we will get about 20 or so alarms.

    We have around 20 machine that are setup this way, only one is giving us this alarm. It occurred last on the November 29th at 9:42 AM and before that on the 15th at 3:01 AM.

    I will open a support ticket with Sophos.

  • Hello Chris Henning,

    false positive [PUAs]
    Generic PUA XX or specific? And the exclusions are set because of the (FP) PUA detections? Likely not a big risk but I wouldn't make exclusions to suppress unwanted detection that have otherwise no consequences. reported  - submitted samples indicating FP?

    only one is giving us this alarm
    as said, I've never encountered this error. Dunno why the scanner flushes what cache and why or how this might fail but it seems to be around the time of an IDE update. I'll let Support figure it out [;)]

    Christian