
Sophos Woes with archiver software

Hi All,

I have an issue where Sophos is causing recalls on an archived file system. Files are backed up and replaced with stubs (reparse points). Usually we do the following to stop this behaviour:

1. Change on-access scanning to On Write only

2. Disable Sophos from having recall privs (disable sav*.exe processes etc.)

To add more complexity into the mix, we have a program called ExtremeZ-IP which allows Macs to recall files on a Windows file system. When a Mac accesses the file share, it does so via ExtremeZ-IP. File access is essentially proxied via the ExtremeZ-IP software.

The problem is, Sophos is entirely interfering with this process. When a Mac browses to a file, all files in that folder are recalled via ExtremeZ-IP. Looking at Process Monitor, we can see Sophos is involved in the stack, causing ExtremeZ-IP to recall. When Sophos is disabled at the service level - this does not occur, and everything works as per normal.

So we have a couple of problems.

1. Sophos is masquerading as ExtremeZ-IP, therefore we cannot stop it from recalling files by blocking the Sophos executables.

2. Even when disabling on-access scanning, web scanning and behaviour monitoring and rebooting, Sophos is still 'active' and causes ExtremeZ-IP to recall files. When looking via Process Monitor, we can see that SAVONACCESS.sys is in the stack. If on-access scanning is disabled, it still actually scans files?

Two potential fixes.

1. Can we stop Sophos from scanning the ExtremeZ-IP process? We do not want Sophos to interact with this process or the files it touches in any way.

2. Can we stop Sophos from traversing reparse points? This will also stop the recall.

Any suggestions appreciated.
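
One way to measure the recall behaviour described above while testing each scanner setting, as an added example that is not part of the original post: it snapshots which files in a folder are still stubs, waits while a client browses the folder, and reports which stubs were recalled. The share path and function names are hypothetical, and it assumes the archiver's stubs carry the ReparsePoint attribute, as the post describes.

```powershell
# Added example, not from the original post.
# Assumption: stubs are files with the ReparsePoint attribute (per the post);
# many archivers also set Offline, which is reported but not relied on.

function Get-StubSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Only names and attributes from the directory listing are used;
    # this script never opens file contents.
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            IsStub  = [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
            Offline = [bool]($_.Attributes -band [IO.FileAttributes]::Offline)
        }
    }
}

function Compare-StubSnapshot {
    param($Before, $After)
    # Index the second snapshot by file name for direct lookup.
    $afterByName = @{}
    foreach ($f in $After) { $afterByName[$f.Name] = $f }
    # A file that was a stub before and is not a stub now has been recalled.
    foreach ($b in $Before) {
        $a = $afterByName[$b.Name]
        if ($b.IsStub -and $a -and -not $a.IsStub) { $b.Name }
    }
}

$share = 'D:\Shares\Example'   # hypothetical path to the archived folder

$before = @(Get-StubSnapshot -Path $share)
Read-Host 'Browse the folder from the Mac client, then press Enter' | Out-Null
$after = @(Get-StubSnapshot -Path $share)

$stubCount = @($before | Where-Object { $_.IsStub }).Count
$recalled  = @(Compare-StubSnapshot -Before $before -After $after)

'{0} of {1} stubs were recalled' -f $recalled.Count, $stubCount
$recalled
```

Running it once per configuration (scanner fully enabled, on-access scanning disabled, service stopped) gives a per-setting recall count to set beside the Process Monitor stack traces.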



This thread was automatically locked due to age.