Sophos Endpoint: How to enable and disable on-access driver logging

When troubleshooting issues involving the on-access scanner, it may be necessary to log the actions that the Sophos Anti-Virus (SAV) on-access scanner performs on files.

Note: This level of logging should only be used for debugging purposes and should not be left enabled for long periods as it greatly increases the size of the SAV.txt log file.


Applies to the following Sophos products and versions

Sophos Central Managed Endpoint

Sophos Endpoint Security and Control

This procedure involves modifying your registry. Before attempting this procedure, read and understand the warning and instructions in Editing the Windows registry. Tamper protection must also be disabled before performing the steps below.

When enabled, the SAV.txt log can quickly accumulate a large number of entries and grow in size. For this reason, enable logging only for the time needed, gather the necessary troubleshooting logs, and then disable it.

Enabling on-access logging

  1. At the Start menu, either click Start > Run or from the Search box, type Regedit and press Enter.
  2. If prompted by User Account Control, click Yes. This will open the Registry Editor.
  3. Browse to the registry location for your operating system:

     Windows XP / 2003:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl
     Windows Vista / 7 / 8 / 10 / 2008 / 2012 / 2016:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess

  4. Create a new DWORD value and name it LogFlags.
  5. Enter the following (hexadecimal) data value for LogFlags: 000000FF.

  6. From the Search box or the Run command, type services.msc and press Enter to open the Services Management Console.
  7. Scroll to the Sophos Anti-Virus service, right-click it and choose Restart.
  8. On-access logging will now be recorded in the SAV.txt file in the folder for your operating system:

     Windows XP / 2003:
       C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs
     Windows Vista / 7 / 8 / 10 / 2008 / 2012 / 2016:
       C:\ProgramData\Sophos\Sophos Anti-Virus\logs

Disabling on-access logging

  1. At the Start menu, either click Start > Run or from the Search box, type Regedit and press Enter.
  2. If prompted by User Account Control, click Yes. This will open the Registry Editor.
  3. Browse to the registry location for your operating system:

     Windows XP / 2003:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl
     Windows Vista / 7 / 8 / 10 / 2008 / 2012 / 2016:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SAVOnAccess

  4. Delete the LogFlags DWORD value.
  5. From the Start menu, click Start > Run, type services.msc and press Enter. This will open the Services Management Console.
  6. Scroll to the Sophos Anti-Virus service, right-click it and choose Restart. On-access logging is now disabled.
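The same enable, collect and disable sequence can be scripted so that verbose logging is never left switched on by accident. The following PowerShell is an added example, not part of the Sophos article: it assumes an elevated prompt with tamper protection already disabled, locates the service by its display name Sophos Anti-Virus, and copies the log from the Vista-and-later folder named above.

```powershell
# Added example (not Sophos code): toggle SAV on-access driver logging from
# PowerShell instead of Regedit and services.msc. Must run elevated, with
# tamper protection disabled, exactly as the manual procedure requires.

# Both key paths given in the article; whichever exists on this host is used.
$KeyCandidates = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SAVOnAccess',        # Vista/7/8/10/2008/2012/2016
    'HKLM:\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl'  # XP/2003
)

function Get-SavOnAccessKey {
    $key = $KeyCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { throw 'SAVOnAccess driver key not found; is Sophos Anti-Virus installed?' }
    return $key
}

function Set-SavOnAccessLogging {
    param([Parameter(Mandatory)][bool]$Enabled)

    $key = Get-SavOnAccessKey
    if ($Enabled) {
        # DWORD LogFlags = 0x000000FF, the value the article specifies.
        New-ItemProperty -Path $key -Name 'LogFlags' -PropertyType DWord -Value 0xFF -Force | Out-Null
    } else {
        # Removing the value returns the driver to its default (no verbose logging).
        Remove-ItemProperty -Path $key -Name 'LogFlags' -ErrorAction SilentlyContinue
    }

    # The driver only picks up the new LogFlags value when the service restarts.
    # Assumption: the service is identified by display name 'Sophos Anti-Virus'.
    $svc = Get-Service -DisplayName 'Sophos Anti-Virus' -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    Write-Host "On-access logging $(if ($Enabled) { 'enabled' } else { 'disabled' }) via $key"
}

# Typical debugging session: enable, reproduce the problem, collect, disable.
Set-SavOnAccessLogging -Enabled $true
Read-Host 'Reproduce the on-access issue now, then press Enter to collect the log and disable logging'
$log = Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\logs\SAV.txt'   # Vista and later path
Copy-Item -Path $log -Destination (Join-Path $env:TEMP 'SAV-onaccess-debug.txt')
Set-SavOnAccessLogging -Enabled $false
```

Because the disable step runs as soon as the log has been copied, the SAV.txt growth the note above warns about is limited to the reproduction window.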
