Some encryption software hinders Sophos Anti-Virus detections

  • Article ID: 12790
  • Updated: 06 Mar 2014

Installing some types of encryption software can prevent the Sophos Anti-Virus on-access scanner from detecting viruses. This happens because data is passed to the Sophos on-access scanner before it is decrypted, and encrypted data cannot be accurately scanned.

The types of encryption software which could cause this problem are those which load as a filter driver. However, this type of software is not normally installed as standard on a Windows computer.

Before you carry out this procedure, run the Sophos test program savtst32.exe to check whether virus detection is working properly. If EICAR is detected during this test, you do not need to follow the steps described in this KBA.

Applies to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control
Sophos Anti-Virus for Windows 2000+

Operating System
Windows XP only

What To Do

Change the order in which the Sophos Anti-Virus on-access scanner and the encryption software load during the computer's startup sequence (the startup priority), so that data is decrypted before it is scanned for viruses.

  1. Read the warning about editing the registry.
  2. Edit the following registry keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SavOnaccessControl\Start

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SavOnaccessFilter\Start

    In both of these locations, set the DWORD values to 2 (the default is 1).
  3. Also, edit the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVService\DependsOnService

    and replace

    RPCSS

    with

    RPCSS
    SAVOnAccess Control
    SAVOnAccess Filter


    Separate each entry with a carriage return.

This change means that, when the computer's startup sequence runs, the Sophos on-access scanner loads after the encryption software.
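
The same registry values can be checked, and optionally set, from PowerShell; the script below is an added example, not Sophos code. It uses the key and entry names exactly as this article gives them, while the `-Apply` switch, the function names and the backup files under %TEMP% are assumptions of the example, and it appends the two entries to DependsOnService rather than overwriting the list so that any existing dependencies are kept.

```powershell
# Added example (not Sophos code): report the values this article names; change them only with -Apply.
param([switch]$Apply)

$root    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drivers = 'SavOnaccessControl', 'SavOnaccessFilter'              # key names from the article
$deps    = 'RPCSS', 'SAVOnAccess Control', 'SAVOnAccess Filter'   # entries as the article lists them

function Get-Value($key, $name) {
    # Returns nothing when the key or the value does not exist
    $p = Get-ItemProperty -Path "$root\$key" -Name $name -ErrorAction SilentlyContinue
    if ($p) { $p.$name }
}

function Show-State {
    foreach ($d in $drivers) {
        "{0,-20} Start = {1} (article sets 2, default is 1)" -f $d, (Get-Value $d 'Start')
    }
    $current = @(Get-Value 'SAVService' 'DependsOnService')
    $missing = @($deps | Where-Object { $current -notcontains $_ })
    "SAVService DependsOnService = {0}" -f ($current -join ' | ')
    if ($missing.Count) { "  not yet listed: {0}" -f ($missing -join ' | ') }
}

Show-State
if ($Apply) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($k in ($drivers + 'SAVService')) {
        if (-not (Test-Path "$root\$k")) { throw "Service key '$k' not found; nothing changed." }
        # Export each key first so the edit can be reverted by importing the .reg file
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$k" "$env:TEMP\$k-$stamp.reg" | Out-Null
    }
    foreach ($d in $drivers) {
        Set-ItemProperty -Path "$root\$d" -Name Start -Value 2 -Type DWord
    }
    # REG_MULTI_SZ is an array of strings here; regedit shows one entry per line
    $current = @(Get-Value 'SAVService' 'DependsOnService')
    $new = $current + @($deps | Where-Object { $current -notcontains $_ })
    Set-ItemProperty -Path "$root\SAVService" -Name DependsOnService -Value ([string[]]$new) -Type MultiString
    Show-State
}
```

Run it from an administrator session; without `-Apply` it only reads the registry.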

 
If you need more information or guidance, then please contact technical support.
