
Troubleshooting CYRISMA Scans Failing Due to Sophos Endpoint Protection

A recent issue was identified where CYRISMA's unauthenticated vulnerability scans were failing within environments using Sophos Endpoint Protection. After thorough investigation, it was determined that Sophos was interfering with CYRISMA’s port scanning process, leading to premature scan failures. This article provides insights into the root cause of the issue and offers a step-by-step resolution to ensure smooth scanning operations within environments protected by Sophos.

Written by Liam Downward

Updated on January 30th, 2025


Root Cause Analysis

What Happens During a CYRISMA Scan?

CYRISMA’s scan agent initiates a port scanning process to identify open ports.

The scanner attempts to execute a Python-based port scanner, which unpacks necessary files into the Windows temp directory.

Once port scanning completes, the full vulnerability scan proceeds.

Symptoms of the Issue

Scans fail within seconds instead of running for several minutes.

Logs show the port scanner process terminating prematurely.

Running the port scanner manually from outside the CYRISMA agent works correctly.

Disabling Sophos allows the scan to complete successfully.

No direct Sophos alerts indicate blocking, but logs suggest Python DLLs extracted to Windows temp were being blocked.

Why is This Happening?

Sophos detects the extracted Python files as a potential threat and blocks or removes them.

Sophos appears to be blocking processes that attempt to execute scripts or create temp files dynamically, even if CYRISMA’s core agent is whitelisted.

Traditional file/folder exclusions in Sophos are not sufficient to prevent this interference.


Resolution: Configuring Sophos to Allow CYRISMA Scanning

To prevent Sophos from blocking CYRISMA’s port scanner, follow these steps:

Step 1: Add Process Exclusions in Sophos

Log in to Sophos Central.

Navigate to Global Settings > Exclusions.

Click Add Exclusion and choose Process Exclusion.

Enter the following process path:

C:\Program Files\CYRISMA\Agent\cytcp.exe

This ensures that the CYRISMA port scanner is fully excluded from Sophos protection mechanisms.

Save the exclusion and allow Sophos to update policies on endpoints.

Step 2: Verify the Fix

Restart the CYRISMA agent service on the affected server.

Initiate a small unauthenticated scan with a known responsive target (e.g., two IPs).

If the scan completes successfully, try a full subnet scan.

Confirm that no scans fail prematurely.

Step 3: Deploy the Fix to All Affected Environments

If managing multiple customers, replicate this exclusion in all affected environments using Sophos Central’s policy management tools.
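A process exclusion trusts whatever file sits at the excluded path, so before replicating it, record what that binary is and who can modify it. The PowerShell below is an added example, not CYRISMA or Sophos tooling; it uses the path from Step 1, and the list of trusted writer SIDs (SYSTEM, Administrators, TrustedInstaller) is an assumption to adjust per environment.

```powershell
$ExcludedPath = 'C:\Program Files\CYRISMA\Agent\cytcp.exe'   # path from Step 1 of this article

# Principals allowed to write to the binary (assumption): SYSTEM, Administrators, TrustedInstaller
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that let a principal change or replace the file, plus the raw
# GENERIC_WRITE / GENERIC_ALL bits (0x50000000) that some ACEs carry unmapped.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not ($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
            ([int]$_.FileSystemRights -band $WriteMask) -and
            ($TrustedSids -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { '{0} [{1}] on {2}' -f $_.IdentityReference.Value, $_.FileSystemRights, $Path }
}

if (-not (Test-Path -LiteralPath $ExcludedPath -PathType Leaf)) {
    throw "Excluded binary not found: $ExcludedPath"
}
$sig  = Get-AuthenticodeSignature -LiteralPath $ExcludedPath
$hash = Get-FileHash -LiteralPath $ExcludedPath -Algorithm SHA256
# Check the file and its folder: write access to either allows swapping the binary.
$writers = @(Get-UntrustedWriter $ExcludedPath) + @(Get-UntrustedWriter (Split-Path -Parent $ExcludedPath))

[pscustomobject]@{
    Path             = $ExcludedPath
    SignatureStatus  = $sig.Status
    Signer           = $sig.SignerCertificate.Subject
    SHA256           = $hash.Hash
    UntrustedWriters = $writers
}
```

An empty `UntrustedWriters` list means only the trusted principals can alter the excluded file or its folder; keep the reported hash and signature status with the change record for each environment.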


Key Takeaways

Sophos’ default security mechanisms may interfere with CYRISMA’s scans.

File/folder exclusions alone are insufficient—process exclusions are required.

Updating the Sophos exclusion settings resolves the issue without needing to disable endpoint protection.

This issue affects CYRISMA’s network discovery scans as well since they use the same port scanner.


Additional Notes

If issues persist, ensure that:

The latest version of the CYRISMA agent is installed (Agent 4.34 or later includes relevant fixes).

No other endpoint protection software is interfering.

Network policies allow outbound scanning activities.

For further assistance, contact CYRISMA support or refer to the Knowledge Base for additional troubleshooting steps.
