Hello, we have created global exclusions based on our vendor's instructions for real time scanning of our infrastructure applications that we feel are safe. Now we want to create exclusions for applications/processes/files that we feel are safe on specific endpoint devices to reduce load on the devices. Are there real time scanning logs on each system that show what files are being scanned the most? If you don't keep that level of detail, what is the best way to get this information remotely from the devices? Thanks.
You can enable logging of the Sophos File Scanner with a reg value. The logs are verbose and you'd have to process them, i.e. the scan request/responses.
HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application
DWORD LogLevel 4
Disable Tamper to se.
Restart Sophos File Scanner service.
C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log
Might provide some information you are looking for.
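The answer above says the log is verbose and has to be processed. The following is an added example, not code from the original posts or from Sophos, that tallies scanned paths from a collected copy of `SophosFileScanner.log`. The log line layout, the sample lines, the user-writable markers and the helper names are all assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# ASSUMPTION: the real line layout of SophosFileScanner.log is not shown on the
# page. This matches any quoted drive-letter path, or an unquoted one without
# spaces, so it does not depend on the other fields in the line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"\r\n]+)"|([A-Za-z]:\\\S+)')

# Heuristic markers for locations ordinary users can usually write to. A busy
# directory here is a poor exclusion candidate even if it dominates the log.
USER_WRITABLE = ("\\users\\", "\\temp\\")

# Constructed sample lines (not real Sophos output).
SAMPLE = [
    r'10:00:01 request "C:\Build\obj\main.obj"',
    r'10:00:01 response "C:\Build\obj\main.obj" clean',
    r'10:00:02 request "C:\Build\obj\util.obj"',
    r'10:00:03 request "C:\Users\dev\AppData\Local\Temp\x.tmp"',
    r'10:00:04 request "C:\Program Files\Vendor App\svc.exe"',
    r'10:00:05 request C:\Build\obj\main.obj',
]

def scanned_paths(lines):
    """Yield every Windows path found in the log lines, lower-cased."""
    for line in lines:
        for quoted, bare in PATH_RE.findall(line):
            yield (quoted or bare).rstrip(".,;").lower()

def summarize(lines, top=5):
    """Return (most-scanned files, most-scanned directories with a review tag)."""
    files, dirs = Counter(), Counter()
    for path in scanned_paths(lines):
        files[path] += 1
        dirs[str(PureWindowsPath(path).parent)] += 1
    report = []
    for directory, count in dirs.most_common(top):
        risky = any(marker in directory + "\\" for marker in USER_WRITABLE)
        report.append((directory, count, "user-writable" if risky else "review"))
    return files.most_common(top), report

if __name__ == "__main__":
    top_files, top_dirs = summarize(SAMPLE)
    for directory, count, tag in top_dirs:
        print(f"{count:6d}  {tag:14s} {directory}")
```

A high count shows where scan load concentrates; it does not by itself show that a path is safe to exclude.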