Troubleshooting CYRISMA Scans Failing Due to Sophos Endpoint Protection
A recent issue was identified where CYRISMA's unauthenticated vulnerability scans were failing within environments using Sophos Endpoint Protection. After thorough investigation, it was determined that Sophos was interfering with CYRISMA’s port scanning process, leading to premature scan failures. This article provides insights into the root cause of the issue and offers a step-by-step resolution to ensure smooth scanning operations within environments protected by Sophos.
Root Cause Analysis
What Happens During a CYRISMA Scan?
CYRISMA’s scan agent starts by launching a port scan to identify open ports on the targets.
The port scanner is a separate Python-based executable (cytcp.exe, under the agent’s install directory); when it starts, it unpacks its runtime files, including Python DLLs, into the Windows temp directory.
Once port scanning completes, the full vulnerability scan proceeds against the ports that were found.
Symptoms of the Issue
Scans fail within seconds instead of running for several minutes.
Agent logs show the port scanner process exiting prematurely, before any port results are returned.
Running the port scanner manually, outside the CYRISMA agent, works correctly.
Temporarily disabling Sophos allows the scan to complete, which isolates Sophos as the cause.
Sophos Central raises no alert or detection event for the block, but the agent logs indicate that the Python DLLs the scanner extracts to the Windows temp directory are being blocked.
Why is This Happening?
Sophos treats the Python runtime files the scanner extracts as a potential threat and blocks or removes them, so the scanner cannot load its runtime and exits.
Sophos appears to block processes that write and execute files dynamically in the temp directory, even when CYRISMA’s core agent is already excluded.
Because the extracted files are created fresh in the temp directory on every run, a traditional file/folder exclusion on the agent’s install directory does not cover them and is not sufficient to prevent the interference; the exclusion has to apply to the scanner process itself.
Resolution: Configuring Sophos to Allow CYRISMA Scanning
To prevent Sophos from blocking CYRISMA’s port scanner, follow these steps:
Step 1: Add Process Exclusions in Sophos
Log in to Sophos Central.
Navigate to Global Settings > Exclusions (the exact menu label varies by Sophos Central console version; look for the global exclusions page).
Click Add Exclusion and choose Process Exclusion.
Enter the following process path:
C:\Program Files\CYRISMA\Agent\cytcp.exe
A process exclusion exempts the scanner process, including the runtime files it extracts at launch, from Sophos’ real-time scanning. Scope it to this exact path only: Sophos trusts whatever runs from an excluded path, so do not exclude the whole agent folder or use wildcards.
Save the exclusion and allow time for Sophos to push the updated policy to the endpoints.
Step 2: Verify the Fix
Restart the CYRISMA agent service on the affected server.
Initiate a small unauthenticated scan with a known responsive target (e.g., two IPs).
If the scan completes successfully, try a full subnet scan.
Confirm that no scans fail prematurely.
Step 3: Deploy the Fix to All Affected Environments
If managing multiple customers, replicate this exclusion in all affected environments using Sophos Central’s policy management tools.
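Step 2 tells you to check whether a scan “completes successfully”. The PowerShell script below, an added example that is not CYRISMA’s or Sophos’ own tooling, turns that into a measurement: it records the hash and signature state of the binary being excluded (worth keeping, since a process exclusion trusts whatever runs from that path), then watches for the scanner process and reports how long it lived and whether the extracted Python DLLs ever appeared in the temp directory. It assumes the process name is cytcp (taken from the excluded path above), that the scanner unpacks into C:\Windows\Temp when the agent service runs as LocalSystem or into the service account’s own TEMP otherwise, and that a healthy scan of a responsive target keeps the process alive for more than 30 seconds; the page does not state any of these, so adjust the parameters to match your environment.

```powershell
<#
  Added example, not part of the CYRISMA or Sophos documentation. Run in an
  elevated PowerShell on the scanning server, then start a small unauthenticated
  scan (e.g. two IPs) from the CYRISMA console while it is watching.

  Assumptions not stated on the page: the port scanner's process name is "cytcp"
  (taken from the excluded path); it unpacks into C:\Windows\Temp when the agent
  service runs as LocalSystem, or into the service account's own TEMP otherwise;
  and a healthy scan of a responsive target keeps the process alive for more than
  $MinExpectedSeconds.
#>
param(
    [string]$ScannerPath = 'C:\Program Files\CYRISMA\Agent\cytcp.exe',
    [string[]]$TempDirs = @("$env:SystemRoot\Temp", [System.IO.Path]::GetTempPath()),
    [int]$MinExpectedSeconds = 30,
    [int]$WatchSeconds = 300
)

# 1. Baseline the binary you are about to exclude. A process exclusion trusts
#    whatever runs from this path, so record its hash and signature state now
#    and compare them on later audits.
if (-not (Test-Path -LiteralPath $ScannerPath)) {
    throw "Port scanner not found at $ScannerPath; confirm the agent install path before adding an exclusion."
}
$hash = (Get-FileHash -LiteralPath $ScannerPath -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $ScannerPath
Write-Host "$ScannerPath"
Write-Host "  SHA256:       $hash"
Write-Host "  Authenticode: $($sig.Status) ($($sig.SignerCertificate.Subject))"

# 2. Watch for the scanner process and time how long it stays alive. Polling
#    every 250 ms is coarse, but it is enough to separate a scan that dies
#    within seconds from one that runs for minutes.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($ScannerPath)
$deadline = (Get-Date).AddSeconds($WatchSeconds)
$started  = $null
$lastSeen = $null
$dllSeen  = $false

Write-Host "Waiting up to $WatchSeconds s for '$procName' to start; launch the test scan now."
while ((Get-Date) -lt $deadline) {
    $running = Get-Process -Name $procName -ErrorAction SilentlyContinue
    if ($running) {
        if (-not $started) {
            $started = Get-Date
            Write-Host "Scanner started at $($started.ToString('HH:mm:ss')) (PID $($running.Id -join ','))"
        }
        $lastSeen = Get-Date
        # The agent logs point at Python DLLs extracted to TEMP; note whether
        # they are ever visible while the scanner is alive.
        if (-not $dllSeen) {
            foreach ($dir in $TempDirs) {
                if (Get-ChildItem -Path $dir -Recurse -Depth 2 -Filter 'python*.dll' -ErrorAction SilentlyContinue | Select-Object -First 1) {
                    $dllSeen = $true
                    break
                }
            }
        }
    } elseif ($started) {
        break   # the process was seen and has now exited
    }
    Start-Sleep -Milliseconds 250
}

# 3. Report.
if (-not $started) {
    Write-Warning "'$procName' was never seen in $WatchSeconds s. Check that the agent service is running and the scan job was created, then re-run."
    return
}
$duration = [int](($lastSeen - $started).TotalSeconds)
Write-Host "Scanner ran for about $duration s; Python DLLs observed in TEMP: $dllSeen"
if ($duration -lt $MinExpectedSeconds) {
    Write-Warning "Scanner exited after $duration s, consistent with the port scanner being terminated. Confirm the process exclusion for $ScannerPath has reached this endpoint and that the agent service was restarted afterwards."
} else {
    Write-Host "Scanner ran for the expected duration; proceed to a full subnet scan."
}
```

A run that reports the process exiting after a few seconds with no DLLs observed matches the failure described above and means the exclusion has not taken effect yet on that endpoint. A run that never sees the process at all usually means the scan job did not start (agent service, scheduling) rather than that Sophos killed it, so check the agent before changing anything in Sophos Central. Keep the printed hash with your change record; if it changes on a later audit without a CYRISMA agent update, investigate before trusting the excluded path.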
Key Takeaways
Sophos’ default security mechanisms may interfere with CYRISMA’s scans.
File/folder exclusions alone are insufficient; a process exclusion for the port scanner executable is required.
Updating the Sophos exclusion settings resolves the issue without needing to disable endpoint protection.
This issue affects CYRISMA’s network discovery scans as well since they use the same port scanner.
Additional Notes
If issues persist, ensure that:
The latest version of the CYRISMA agent is installed (Agent 4.34 or later includes relevant fixes).
No other endpoint protection software is interfering.
Network policies allow outbound scanning activities.
For further assistance, contact CYRISMA support or refer to the Knowledge Base for additional troubleshooting steps.