Reg: Scheduled Scan Status not Reflecting in Enterprise Console.

Hello Guys,

 

We are facing a strange issue in our environment wherein we have several Servers (OS - Windows 2008 - 2016) and workstations (Windows 10) with Sophos installed.

The Machines are reporting to their respective consoles and are up to date. All policies are pushed and we do not have any errors on updating. However, there is an issue with the Scheduled Scan Status that we see in the console.

 

Weekly/Monthly Scheduled scans have completed successfully on the machines. This can be seen when we open the GUI on the server from the task bar.

However, the console does not seem to capture this for some reason. It shows an older date and says Scan has failed. Could someone please let me know what needs to be checked for this issue?

 

I am sure there is no issue with the policies, because there are several other machines using the same policies and do not face this issue.

Any help would be much appreciated. Multiple cases with vendor did not yield any positive results. Hoping to find a solution here.

 

Regards,

Ganu

  • Hello Ganu,

    BTW: Weekly is the longest interval for a schedule, there are no monthly schedules, are there?

    "an older date and says Scan has failed"
    Unlike updating, where a successful update clears previous errors, scanning errors have to be acknowledged using Resolve alerts and errors .... That a subsequent scan succeeds doesn't indicate that a previous error can be disregarded. SEC doesn't keep track of the scans and their respective settings and furthermore scan names are only unique per policy, not globally.

    Christian

  • In reply to QC:

    Hey QC,

     

    Thank you for the response. Yes, it is Weekly Scans. Apologies.

    I do not see any Scan related errors or alerts for the machines in the console.

    When I check the Task Scheduler on the machines, I see it ran to success with no errors. However, the console shows an old date.

    Attaching screen-shots from Server and Console for your reference.

     

    1. Task Scheduler on server:

     

    2. Console:

     

    Regards,

    Ganu

  • In reply to Ganu:

    Hello Ganu,

    potential errors are further down in the computer details or under Resolve alerts and errors.

    Scan start and end of a scan are recorded in the local SAV.txt log (%ProgramData%\Sophos\Sophos Anti-Virus\logs\) and the log from the last scheduled scan is also there. These should give a hint why SEC doesn't consider the scan completed.

    Christian

  • In reply to QC:

    Hello QC,

    As per your inputs, I had a look at both the files. Looks like several files have timed out during scanning. Also, there is one Interface error 0xa0040212 stating it's encrypted.

    Are these password protected files? Or should I be looking for adding exclusions? Please advise.

    Logs for your reference ::

    Weekly Schedule Scan Log:

    20200408 030006 Scan 'Weekly scheduled scan' started.
    20200408 031904 Scanning "C:\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.

     

    SAV Log:

    20200401 012201 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414352 items.
    20200401 030006 Scan 'Weekly scheduled scan' started.
    20200401 031743 Rootkit scan incomplete due to timeout.
    20200401 032148 Scanning "C:\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
    20200401 084842
    The on-access scan of file "\Device\HarddiskVolumeShadowCopy264\Windows\winsxs\Backup\amd ..." of process ?, start check timestamp [ 1d60800ff38111d] did not complete in time: file was not scanned.

    20200401 084842
    Scan failure (start check timestamp [ 1d60800ff38111d]) filename continues: "...64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.3.9600.17630_en"

    20200401 084842
    Scan failure (start check timestamp [ 1d60800ff38111d]) filename continues: "...-us_b224f90444b8562b_gpapi.dll.mui_ef0a9748"

    20200401 085445
    File [...ddiskVolume2\Program Files (x86)\HitmanPro.Alert\hmpalert.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331177193]).

    20200401 085445
    File [...d364e35_6.3.9600.19567_none_9aa9d8ad2e6abf14_lpk.dll_ebdc1de9]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d608025b536adf]).

    20200401 085446
    File [...h\grouph.jde.MediaInsertion\GroupH.JDE.MediaInsertion.App.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331979047]).

    20200401 085446
    File [...x86)\grouph\grouph.jde.Honoraria\grouph.jde.honoraria.app.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d60803319c4f04]).

    20200401 085446
    File [....JDE.EmployeeImport\GroupH.JDE.EmployeeImport.Staging.App.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331a10dce]).

    20200401 085446
    File [...\Device\HarddiskVolume2\Windows\system32\adtschema.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d60803311e8f67]).

    20200401 085446
    File [...rouph\grouph.filedistribution\grouph.filedistribution.app.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331c4a4b9]).

    20200401 085446
    File [...Volume2\Windows\system32\Microsoft\Protect\S-1-5-18\Preferred]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331ce226d]).

    20200401 085446
    File [...eca4384200d5dc80fae77e0a_60328f25-a519-4eb4-bf33-649ec691d826]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331d081b8]).

    20200401 085446
    File [...\Device\HarddiskVolume2\Windows\SysWOW64\fltlib.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process ?, (start check timestamp [ 1d6080331849546]).

    20200401 090158 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414394 items.
    20200401 090159 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20200401 090203 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414394 items.
    20200401 142431 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414468 items.
    20200401 211946 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414523 items.
    20200402 023249 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414566 items.
    20200402 082705 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414606 items.
    20200402 151911 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414643 items.
    20200402 211738 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414719 items.
    20200403 032041 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414775 items.
    20200403 073035 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414803 items.
    20200403 142200 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414814 items.
    20200403 202123 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414844 items.
    20200404 025302 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414880 items.
    20200404 025302 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20200404 025306 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414880 items.
    20200404 082628 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414893 items.
    20200404 124640 Scanning "C:\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
    20200404 142358 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414898 items.
    20200404 202226 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414908 items.
    20200405 022222 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414911 items.
    20200405 082647 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414912 items.
    20200405 142208 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414915 items.
    20200405 222052 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414925 items.
    20200406 051159 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414925 items.
    20200406 051208 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20200406 152218 Scanning "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy248\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
    20200406 185139 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49415016 items.
    20200407 004936 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49415082 items.
    20200407 055815 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49415118 items.
    20200407 115005 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49415156 items.
    20200407 133558 Scanning "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy250\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
    20200407 175153 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49415222 items.
    20200407 234920 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49415263 items.
    20200408 030006 Scan 'Weekly scheduled scan' started.
    20200408 031904 Scanning "C:\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.

     

    Regards,

    Ganu

  • In reply to Ganu:

    Hello Ganu,

    looks like at least the last two Weekly scans have not completed. File is encrypted is normally no issue, it just states the fact.
    The timeouts aren't normal though. There is IMO no simple solution and this requires deeper inspection. You should open a case with Support.

    Christian
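
Added example, not part of the original posts and not Sophos code: a Python check that pairs each `Scan '...' started.` line in SAV.txt with a completion line and collects nearby timeout or interface errors, which is the reading of the log described in the reply above. The `completed.` wording, the two-hour attribution window and the 20200325 sample lines are assumptions; the other sample lines are copied from the log posted in this thread.

```python
import re
from datetime import datetime, timedelta

# Lines dated 20200401 and 20200408 are copied from the log posted in this thread.
# The 20200325 pair is constructed; its "completed." wording is an assumption.
SAMPLE = r"""
20200325 030006 Scan 'Weekly scheduled scan' started.
20200325 041210 Scan 'Weekly scheduled scan' completed.
20200401 030006 Scan 'Weekly scheduled scan' started.
20200401 031743 Rootkit scan incomplete due to timeout.
20200401 032148 Scanning "C:\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
20200401 090158 Using detection data version 5.74 (detection engine 3.77.1). This version can detect 49414394 items.
20200408 030006 Scan 'Weekly scheduled scan' started.
20200408 031904 Scanning "C:\$Recycle.Bin\S-1-5-21-1875786491-1587546045-623647154-72418\$R0P3YUO.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
"""

LINE = re.compile(r"^(\d{8}) (\d{6})\s+(.*)$")
STARTED = re.compile(r"^Scan '(.+)' started\.$")
COMPLETED = re.compile(r"^Scan '(.+)' completed\.$")  # assumed wording
NOTABLE = re.compile(r"timeout|SAV Interface error 0x[0-9a-fA-F]+")

def audit_scans(text, window=timedelta(hours=2)):
    """Return one record per scan start: name, start, completion, nearby errors."""
    runs, open_runs = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and wrapped continuation text
        ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
        msg = m.group(3)
        if (s := STARTED.match(msg)):
            run = {"name": s.group(1), "started": ts, "completed": None, "notes": []}
            runs.append(run)
            open_runs[run["name"]] = run  # a new start supersedes an unfinished one
        elif (c := COMPLETED.match(msg)):
            run = open_runs.pop(c.group(1), None)
            if run:
                run["completed"] = ts
        elif NOTABLE.search(msg):
            # Attribute errors to scans still open and started within `window`.
            for run in open_runs.values():
                if ts - run["started"] <= window:
                    run["notes"].append(msg)
    return runs

def incomplete_scans(text):
    return [r for r in audit_scans(text) if r["completed"] is None]

if __name__ == "__main__":
    for r in incomplete_scans(SAMPLE):
        print(r["started"], r["name"], "no completion line;", len(r["notes"]), "error(s)")
```

To use it on an endpoint, read the SAV.txt file from the log folder named above and pass its text to `incomplete_scans`.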

  • In reply to QC:

    Hello QC,

     

    Thank you for the inputs. I will log a case again. Will keep you posted.

    Regards,

    Ganu.