Account permissions required by Sophos for Microsoft SharePoint

  • Article ID: 58866
  • Rating:
  • 1 customers rated this article 3.0 out of 6
  • Updated: 13 Jan 2016

This article outlines the required permissions of the services account and the user performing the installation.

Applies to the following Sophos product(s) and version(s)
Sophos for Microsoft SharePoint

Installing user

When installing Sophos for Microsoft SharePoint, you need to be logged on with local administrator rights. If you are in a domain, you must also be a domain user.

Note: By default the installer will create or attempt to use a local SOPHOS SQL instance for the Sophos for Microsoft SharePoint databases, if you want to use a different SQL instance then you need to be a member of the SQL Sysadmin role on this database server.

Services account

During the install you need to specify a services account for the Sophos for Microsoft SharePoint services. It is advised that the Farm account is not used because according to Microsoft guidance accounts used by application pools should not be in the Local Administrators group. The services account has the below requirements based on its scanning/cleaning functionality:

On-access (VSAPI) scanning for upload and download

  1. The services account needs to be a member of the below groups:

    Local Administrators
    Farm Administrators

  2. For SharePoint 2007 and above, this account also needs to added to the SharePoint_Shell_Access role by running the below command in the SharePoint Management Shell:

    PS C:\Add-SPShellAdmin DOMAIN\Account

  3. If SharePoint connects to your SharePoint databases using Windows authentication, the Sophos for Microsoft SharePoint services account must also be a member of the SQL sysadmin role on the database server

Note: The above permissions are required by the Microsoft SharePoint Virus Scanning API (VSAPI) interface, which is used by Sophos for Microsoft SharePoint for on-access anti-virus scanning

On-demand and scheduled scanning

The services account needs permissions to scan and clean items, as required by the permissions model in use.

Note: For a default SharePoint installation, Site Collection Administrator rights over the required sites are usually required, including the SharePoint Central Administration web site if you need to scan this site.

Related information / See also

Sophos for Microsoft SharePoint startup guide Version 2
Sophos for Microsoft SharePoint startup guide Version 3

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent