Sophos Central Endpoint is blocking SharePoint folder downloads.

We have a few users that download map template folders for their ESRI programs from a SharePoint site that they share.

Recently, the download has stopped working when they select the two folders they need to download.

They can go down into the folders and select individual files and download them, but not the folders (which worked before).

When they select the two folders and click on the Download icon, nothing happens.  There are no warnings and no error messages.

After working with one individual for a while, I narrowed it down to Sophos Endpoint client blocking the download when Real Time Scanning of the Internet is turned on.

If I override the Sophos Central Policy and disable it, the download is immediately successful.  When it's turned back on, the download stops working again.

Nothing is showing up blocked in Sophos Central reports for the system or user I was testing with.

How do I trace down what is happening? 

The logging and reporting in Sophos Central does not show detailed web activity for devices, which is disappointing.



Added TAGs
[edited by: Qoosh at 7:21 AM (GMT -7) on 17 Jun 2022]
  • These settings are present in Sophos Central when browsing the Threat Protection Policy.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • When you say "Verbose" logging through the Sophos Endpoint Self Help tool do you mean "Debug" logging?  There isn't a "Verbose" option in the Sophos Endpoint Self Help tool logging settings.  I see Debug, Info, Warning, Error, Always and Off as options.

    The Sophos link for using the self help tool does not really state what the different logging options mean, or what will show in the logs when each is turned on.

    The logs I've downloaded so far from the endpoint I'm testing with do not show anything being blocked so far during my testing, even though the download is failing with real-time internet scanning turned on on the endpoint.

    Are there any guides on how to read the logs once they are downloaded? 

    I've searched the log files for anything that states "Blocked", "Denied" or other similar phrases and so far nothing is showing.

    I really don't want to disable settings in Sophos Central itself as that could open us up agency wide to malicious web traffic and files.

    I appreciate the help and information so far.

  • Of the verbosity options, "Debug" will have the most information. If the term "blocked" isn’t returning any matches this means that the web traffic is not explicitly being blocked as malicious, but this could indicate that there’s a conflict elsewhere.

    Thanks for the feedback on the logging. We do not have guides for this yet.

    To troubleshoot further, I recommend creating a new Threat Protection Policy in Sophos Central to apply to one device so that we can narrow down the scanning components involved. Beyond this you may want to open a support case with our team to take things further, as it does sound like there’s a conflict between SharePoint and Sophos.

    I also recommend checking the drivers that are loaded on your device while the issue is present, to ensure nothing else is trying to interact with the files while Sophos attempts to scan them. This can be done using the following command. 
    - fltmc

    Kushal Lakhan
    Team Lead, Global Community Support
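
Added example, not part of the thread and not Sophos tooling: a PowerShell sketch that turns the `fltmc` listing suggested in the last reply into objects and names any Microsoft load-order group in which more than one minifilter is loaded, so the listing taken while the download fails can be compared with one taken while it works. The filter names and altitudes in `$sample` are constructed, the group table covers only four of Microsoft's published altitude ranges, and `Get-MinifilterTable` is a hypothetical helper name.

```powershell
# Constructed sample in the column layout fltmc prints; names and altitudes are made up.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleTopFlt                           1       409800         0
ExampleMonitor                          4       385250.5       0
ExampleAvOne                            5       328010         0
ExampleAvTwo                            5       321500         0
ExampleCrypt                            2       141100         0
'@ -split "`r?`n"

# Altitude ranges Microsoft allocates to some minifilter load-order groups.
$groups = @(
    @{ Name = 'FSFilter Activity Monitor'; Low = 360000; High = 389999 }
    @{ Name = 'FSFilter Anti-Virus';       Low = 320000; High = 329998 }
    @{ Name = 'FSFilter Content Screener'; Low = 260000; High = 269998 }
    @{ Name = 'FSFilter Encryption';       Low = 140000; High = 149999 }
)

function Get-MinifilterTable {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Header, separator and rows without a numeric altitude do not match and are skipped.
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$') {
            $name  = $Matches[1]
            $count = [int]$Matches[2]
            $alt   = [double]::Parse($Matches[3], [cultureinfo]::InvariantCulture)
            $grp   = $groups | Where-Object { $alt -ge $_.Low -and $alt -le $_.High } |
                     Select-Object -First 1
            [pscustomobject]@{
                Filter    = $name
                Instances = $count
                Altitude  = $alt
                Group     = if ($grp) { $grp.Name } else { 'Other' }
            }
        }
    }
}

# On the affected device, replace $sample with (fltmc) in an elevated prompt.
$rows = Get-MinifilterTable -Lines $sample
$rows | Sort-Object Altitude -Descending | Format-Table -AutoSize

# Groups with more than one loaded filter are the ones to compare between the two states.
$rows | Where-Object Group -ne 'Other' | Group-Object Group | Where-Object Count -gt 1 |
    ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.Filter -join ', ') }
```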