Live Protection is a technology that performs live look-ups (via SXL) to obtain the latest threat information from SophosLabs (cloud-based look-ups) without waiting for the product to be updated. It also provides a platform for uploading samples that SophosLabs deem interesting and worth investigating further. Both features can be enabled or disabled depending on the environment and local policies, although sending file samples is available only if live look-ups are enabled.
This article explains how to check if endpoints are submitting files to Sophos following a cloud detection (Web Protection look-up).
Applies to the following Sophos product(s) and version(s)
Sophos Endpoint Security and Control
What To Do
If a file is submitted, what will you see in SAV.TXT?
An entry is added to the SAV log whenever an attempt is made to upload a file to Sophos. The entry includes the name of the file and the result of the operation, for instance:
20100720 183814 File "C:\Documents and Settings\Administrator\Desktop\sxl_test_50.com" belongs to virus/spyware 'LiveProtectTest'.
20100720 183818 File sample was successfully sent for Sophos Live Protection:
File: 'C:\Documents and Settings\Administrator\Desktop\sxl_test_50.com'
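To check submissions across a whole SAV.TXT rather than by eye, the following added example (not Sophos code) parses the three entry shapes quoted above, pairs each "successfully sent" entry with the "File:" line that follows it, and reports, per detected file, whether a sample was submitted and how long after the detection. The log text is a constructed sample built from the article's own lines plus one detection without a matching submission.

```python
import re
from datetime import datetime

# Constructed sample of SAV.TXT lines in the format quoted in the article
# (the paths and the 'LiveProtectTest' name come from the article's example).
SAMPLE_LOG = r"""
20100720 183814 File "C:\Documents and Settings\Administrator\Desktop\sxl_test_50.com" belongs to virus/spyware 'LiveProtectTest'.
20100720 183818 File sample was successfully sent for Sophos Live Protection:
File: 'C:\Documents and Settings\Administrator\Desktop\sxl_test_50.com'
20100720 184001 File "C:\Documents and Settings\Administrator\Desktop\other_sample.exe" belongs to virus/spyware 'LiveProtectTest'.
""".strip()

TS = r"(?P<ts>\d{8} \d{6}) "   # YYYYMMDD HHMMSS prefix on timestamped entries
DETECT_RE = re.compile(TS + r"File \"(?P<path>[^\"]+)\" belongs to virus/spyware '(?P<name>[^']+)'\.")
SENT_RE = re.compile(TS + r"File sample was successfully sent for Sophos Live Protection:")
PATH_RE = re.compile(r"File: '(?P<path>[^']+)'")   # continuation line, no timestamp

def parse_ts(s):
    return datetime.strptime(s, "%Y%m%d %H%M%S")

def parse_sav_log(text):
    """Return {path: {"detected": datetime|None, "name": str|None, "sent": datetime|None}}."""
    events = {}
    pending_sent = None   # timestamp of a submission entry awaiting its "File:" line
    for line in text.splitlines():
        line = line.strip()
        m = DETECT_RE.match(line)
        if m:
            events[m["path"]] = {"detected": parse_ts(m["ts"]), "name": m["name"], "sent": None}
            continue
        m = SENT_RE.match(line)
        if m:
            pending_sent = parse_ts(m["ts"])
            continue
        m = PATH_RE.match(line)
        if m and pending_sent is not None:
            entry = events.setdefault(m["path"], {"detected": None, "name": None, "sent": None})
            entry["sent"] = pending_sent
            pending_sent = None
    return events

def submission_report(text):
    """List of (path, detection name, seconds from detection to submission, or None if not sent)."""
    rows = []
    for path, e in parse_sav_log(text).items():
        delay = None
        if e["detected"] and e["sent"]:
            delay = int((e["sent"] - e["detected"]).total_seconds())
        rows.append((path, e["name"], delay))
    return rows

if __name__ == "__main__":
    for path, name, delay in submission_report(SAMPLE_LOG):
        status = f"sample sent {delay}s after detection" if delay is not None else "no sample sent"
        print(f"{name}: {path} -> {status}")
```

A detection with no matching submission is the case to look into: either sample submission is disabled by policy, or the upload failed, and the latter produces its own result entry in the log.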
Is it possible to check what SXL queries are being generated?
Advanced SAVI logging records all SXL queries and responses verbosely. The output is low level and is normally only required in edge cases being worked with GES/Engineering.
- Create the following values:
  HKLM\Software\Sophos\SAVILOGGING\FILE - String value: Set to
  String value: Set to 3 for logging SXL queries
- Restart SAVservice
Logs will be written to c:\windows\temp\savi_<pid>_<id>.log and rotate after 20,000 lines.