
Sophos scanning network locations

Hello all,

A bit of info before I go on: we just installed Enterprise Console 5.2 on a clean 2012 R2 server and deployed it to a few test machines, as this is replacing an old Symantec solution.

The problem is that we use Quest for keeping an eye on folder activity (opening, deleting etc.), but since 2 of our laptops had Sophos installed, Quest reports that the user accounts tied to the laptops are continually scanning the network location where our home drives are located. Quest doesn't report the same activity for my machine. The only differences are that the other 2 users have offline folders enabled for their home drives and I'm on Win7 to their Win8.1. We have added the CSC folder to the exclusions in the hope this was the cause.

Any advice appreciated.



  • Upon further investigation it looks to be most likely offline folders.

    After further testing: our home drives are located in \\<servername>\users\<username>, but it seems Sophos scans the parent directory (\\<server name>\Users), which is where Quest flags up the access denied errors. Sophos suggests excluding remote files from on-access scanning, but that suggests to me that when a user opens a file on the file server it won't get scanned. This is a new issue for us, as Symantec never did this.

    Any ideas greatly appreciated

  • Have you tried setting your antivirus policy to disable remote scanning?

  • Thank you for the reply.

    That is what Sophos suggested, but I'm concerned that disabling that will mean that if a user opens a document from the file server it won't be scanned locally. Granted, the file server is protected, but I prefer the extra layer of protection, unless I'm understanding it wrong.

  • Hello BUKtrj,

    I'm still trying to figure out what exactly constitutes the issue. On-Access, as its name implies, scans (only) those files that are accessed. If I understand correctly you see accesses on the fileserver when Sophos is installed on the endpoint which you otherwise don't see.

    You've already tried excluding the cache (CSC) folder, which didn't make a difference. As you are in a testing phase I'd suggest that you turn off on-access scanning - if there is a significant change then it's indeed on-access. Do you have any details from Quest what this extra activity actually is? Sysinternals' Process Monitor can show the file system activity and might help to determine what savservice is doing for the offline files.
</gml_replace>
<gr_replace lines="41" cat="remove_boilerplate" orig=":45933">

    Christian 

    :45933
  • Hello Christian and thank you for your response,

    I'll try to explain it as best I can, so bear with me ;).

    Laptop A has had Sophos deployed to it, which replaced Symantec, which worked a dream.

    Laptop A has the following set as an offline folder, \\server\users folder\UserA.

    Since Sophos was installed, our Quest logs are filling with access denied reports as it tries to scan ALL folders in \\server\users folder\

    So the report looks a little like this:

    UserA access denied to folder UserB

    UserA access denied to folder UserC

    UserA access denied to folder UserD

    UserA access denied to folder UserE

    etc.

    Turning off Sophos on Laptop A causes this to stop. At first I thought it was part of the daily scan we set, but it starts the moment the machine connects to the domain.

    My concern about excluding remote files from the on-access scan is that LaptopA tries to open file1 from the server and, because it is a remote file, it won't be scanned unless it scans the content when the local temp file is created?

    Hope this helps.

    Cheers

  • Hello BUKtrj,

    as it tries to scan ALL folders

    as said, it only scans files that are accessed and shouldn't attempt to scan objects on its own (and even less try to access parent and/or sibling folders).

    concern about excluding remote files

    while scan-on-write will scan a copy to local (assuming it is created), it won't block the remote file (dunno how offline folders work under the bonnet, I wouldn't bet the sequence is always copy/cache -> open locally). This should be a last-resort temporary measure at best until the issue is solved.

    UserA access denied to folder UserB

    When on-access intercepts an open the path it sees might not be the one used by the application accessing the file. Process Monitor should give some insight here (include the savservice.exe process and the File System event class) - BTW, can you reproduce it on Windows 7?

    Christian
