We have a few users that download map template folders for their ESRI programs from a SharePoint site that they share.
Recently, the download has stopped working when they select the two folders they need to download.
They can go down into the folders and select individual files and download them, but not the folders (which worked before).
When they select the two folders and click on the Download icon, nothing happens. There are no warnings and no error messages.
After working with one individual for a while, I narrowed it down to Sophos Endpoint client blocking the download when Real Time Scanning of the Internet is turned on.
If I override the Sophos Central Policy and disable it, the download is immediately successful. When it's turned back on, the download stops working again.
Nothing is showing up blocked in Sophos Central reports for the system or user I was testing with.
How do I trace down what is happening?
The logging and reporting in Sophos Central does not show detailed web activity for devices, which is disappointing.
Thanks for reaching out to the Sophos Community Forum.
As an initial step, I recommend ensuring the folders referenced in the following Microsoft documentation have been white-listed: "Certain folders may have to be excluded from antivirus scanning when you use a file-level antivirus program in SharePoint".
More detailed logging information for web-related events can be found in "C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs". You can also enable Verbose Logging in a few clicks using the Product Logging section of the Sophos Endpoint Self Help tool if you require more information.
I suggest toggling the following 3 options to see if one specifically contributes to the issues you're experiencing.
Do you know if this issue is browser-specific?
It is not browser specific. When real time scanning is on, one of the browsers will initiate the download.
I will look at the articles you linked to and will see if that helps identify the issue.
We do not have a SharePoint server running on-prem so the folder exclusions won't help. The issue is purely on the endpoint side and not the server side.
I do not see the three real-time scanning options you listed on the endpoint software...
These settings are present in Sophos Central when browsing the Threat Protection Policy.
When you say "Verbose" logging through the Sophos Endpoint Self Help tool do you mean "Debug" logging? There isn't a "Verbose" option in the Sophos Endpoint Self Help tool logging settings. I see Debug, Info, Warning, Error, Always and Off as options.
The Sophos link for using the self help tool does not really state what the different logging options mean, or what will show in the logs when each is turned on.
The logs I've downloaded so far from the endpoint I'm testing with do not show anything being blocked so far during my testing, even though the download is failing with real-time internet scanning turned on on the endpoint.
Are there any guides on how to read the logs once they are downloaded?
I've searched the log files for anything that states "Blocked", "Denied" or other similar phrases and so far nothing is showing.
I really don't want to disable settings in Sophos Central itself as that could open us up agency wide to malicious web traffic and files.
I appreciate the help and information so far.
Of the verbosity options, "Debug" will have the most information. If the term "blocked" isn’t returning any matches this means that the web traffic is not explicitly being blocked as malicious, but this could indicate that there’s a conflict elsewhere.
Thanks for the feedback on the logging. We do not have guides for this yet.
To troubleshoot further, I recommend creating a new Threat Protection Policy in Sophos Central to apply to one device so that we can narrow down the scanning components involved. Beyond this you may want to open a support case with our team to take things further, as it does sound like there’s a conflict between SharePoint and Sophos.
I also recommend checking the drivers that are loaded on your device while the issue is present, to ensure nothing else is trying to interact with the files while Sophos attempts to scan them. This can be done using the following command: fltmc
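One way to read the fltmc listing suggested above, as an added example that is not part of the original thread: it parses the output and reports every minifilter whose altitude falls in the 32xxxx range that Microsoft allocates to the FSFilter Anti-Virus load order group, since more than one scanner in that range is a common source of conflicts. The sample listing and its filter names are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example. The listing below is constructed; the filter names are placeholders.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleTopFlt                           1       409800         0
ExampleMonitorFlt                       4       385201.5       0
ExampleAvFltA                           5       328010         0
ExampleAvFltB                           5       321410         0
ExampleCryptFlt                         0       141100         0
'@ -split '\r?\n'

function ConvertFrom-FltmcOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows: name, instance count, altitude (may be fractional), frame.
        # Header, separator and any differently shaped rows are skipped.
        if ($line -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = [int]$Matches[4]
            }
        }
    }
}

function Get-AntiVirusRangeFilter {
    param([object[]]$Filters)
    # Assumption: 320000 up to (not including) 330000 is treated as the anti-virus range.
    $Filters |
        Where-Object { $_.Altitude -ge 320000 -and $_.Altitude -lt 330000 } |
        Sort-Object Altitude -Descending
}

# On the affected endpoint, from an elevated prompt, replace $sample with: $lines = fltmc
$filters = @(ConvertFrom-FltmcOutput -Lines $sample)
$av      = @(Get-AntiVirusRangeFilter -Filters $filters)

# Higher altitude means the filter sees I/O requests earlier on the way down the stack.
$filters | Sort-Object Altitude -Descending | Format-Table -AutoSize

if ($av.Count -gt 1) {
    Write-Warning ("{0} filters in the anti-virus altitude range: {1}" -f $av.Count, ($av.Name -join ', '))
}
```

Capture the listing once with real-time scanning on (download failing) and once with it off, then compare the two tables to see which filters are attached only in the failing state.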