Sophos for Microsoft SharePoint: On-access scanning seems to scan files that are not being accessed

Issue
On-access scanning seems to scan files that are not being accessed (uploaded/downloaded) by users.

Similar issues may be seen where On-access scan is quarantining the same file many times

Technical information
SharePoint periodically crawls the files in its store to build search indexes. This triggers on-access scanning, but the result of the scan (such as the replacement text) is not stored by SharePoint in this situation, which means that the next time the search crawl is performed the items are scanned again.

If the action for the on-access rule is to 'quarantine and replace' the item is quarantined multiple times, each time the SharePoint search crawl accesses it.

When the action for the on-access rule is set to 'replace' or 'quarantine and replace' the item is not replaced with a text message by SharePoint.

In all situations, log entries are generated each time the item is accessed by the SharePoint crawl.

Sophos product
Sophos for Microsoft SharePoint

What to do

You should use the information from the logs to review the on-access rules. For example,  if you have chosen to block a common phrase you might decide to edit the content rule so that the phrase is no longer blocked.

If you are willing to remove the items from the SharePoint store then you have to define a on-demand (or scheduled) scan similar to the on-access scan except that it has 'replace' or 'quarantine and replace' as action for the rules fired during the search crawl.

When the on-demand (or scheduled) scan is run the items will be removed from the store. Use this with care as the removed items cannot be restored.