Using PowerShell to Clean Up Sophos Temp Files

Recently I’ve encountered a strange issue that affected one Windows workstation with Sophos AV (Endpoint) software installed. Sometimes this software creates temporary files with a ‘$$$’ extension and apparently never removes them.

I thought the process of analysing this edge case and implementing a solution was a good fit for an article, and it applies to many similar situations where scripting is required to collect information or to mitigate a problem.

Scenario

Needless to say, to make the problem more interesting, these files were quite large (multiple GB) and the temporary folder lives on the system drive (C:).

In fact, this issue was found when a user reported that the system drive was getting low on disk space. To prevent that from happening again, some analysis and mitigation are required before the root cause is found and fixed.

This was not marked as an important/major issue, but we wanted to identify whether other workstations were affected and have a plan for mitigating potential problems. The Sophos AV Endpoint solution had been tested, deployed, and used for a few years by the client with no complaints reported previously.

I found an article on Sophos’s official website, but one link to their knowledge base is unfortunately broken (there is more information about the KB at the end of this article, directly from Sophos Support).

Quick Analysis / At a Glance

All temporary files have the “$$$” extension and are all created in the same folder.

The creation time is roughly the same each time, but apparently there is no other pattern (not every day, not weekly, and sometimes with a gap of months). The files are owned by the system account rather than a regular user, which indicates they are generated by the system account.

AV settings and exclusions would not be effective with just these details

Without knowing why the AV creates these files, pointing at a specific file or folder to set up exclusions by type or path would not be effective at this stage; that needs a more detailed analysis first.

We can inspect the temp files and run Process Monitor (procmon) to see whether the AV generates these files while scanning the workstation, and hopefully collect more facts.

In the meantime, let’s focus on creating a couple of tools:

  • Scanning tool to identify how many machines are affected
  • Mitigation tool to remove the temporary files

Strategy for scanning your workstation for Sophos Temp Files

The size of the organisation and the number, type, and availability of workstations may suggest a different way of performing a full scan of all your machines, according to your needs and resources.

Let’s start with something simple, like this PowerShell script: from a single (privileged) workstation, using an account with high privileges, you can scan all your workstations for these files.
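The scanning script itself is not reproduced on this page, so the following is an added example written for this article rather than the author’s own script. It assumes PowerShell Remoting (WinRM) is enabled on the workstations and that the account running it is a local administrator on them; the computer names are placeholders, and the two folder paths are the ones quoted from the Sophos KB response at the end of this article. Machines that cannot be reached are reported as warnings rather than silently counted as clean.

```powershell
# Added example (not the post's own script): scan a list of workstations for
# leftover Sophos "$$$" temp files and report count and size per machine.
# Assumptions: WinRM is enabled on the targets and the calling account has
# local admin rights there. Replace the placeholder names with your own list
# (for example from Get-ADComputer).

[CmdletBinding()]
param(
    [string[]]$ComputerName = @('WKS-PLACEHOLDER-01', 'WKS-PLACEHOLDER-02'),
    [string]$ReportPath = "$env:TEMP\SophosTempScan.csv"
)

# Folders quoted from the Sophos KB response later in this article.
$sophosTempPaths = @(
    'C:\ProgramData\Sophos\Sophos Anti-Virus\Temp',
    'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Temp'
)

# Runs on each remote machine and returns one summary object per machine.
$scanBlock = {
    param([string[]]$Paths)
    $found = foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p -PathType Container) {
            Get-ChildItem -LiteralPath $p -Filter '*.$$$' -File -Force -ErrorAction SilentlyContinue
        }
    }
    $sizeBytes = [double](($found | Measure-Object -Property Length -Sum).Sum)
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FileCount    = @($found).Count
        SizeGB       = [math]::Round($sizeBytes / 1GB, 2)
        OldestFile   = ($found | Sort-Object CreationTime | Select-Object -First 1).CreationTime
        NewestFile   = ($found | Sort-Object CreationTime -Descending | Select-Object -First 1).CreationTime
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scanBlock `
    -ArgumentList (,$sophosTempPaths) -ErrorAction SilentlyContinue -ErrorVariable scanErrors

# A failed connection must never be mistaken for "no temp files".
foreach ($e in $scanErrors) {
    Write-Warning ("Could not scan {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}

$affected = @($results | Where-Object { $_.FileCount -gt 0 })
$results | Select-Object ComputerName, FileCount, SizeGB, OldestFile, NewestFile |
    Export-Csv -LiteralPath $ReportPath -NoTypeInformation

Write-Host ("Scanned {0} machine(s); {1} affected. Report: {2}" -f @($results).Count, $affected.Count, $ReportPath)
$affected | Format-Table -AutoSize
```

The CSV is what you would keep as evidence of how widespread the issue is; the oldest and newest creation times per machine are included because the timing pattern was one of the open questions in the analysis above.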

The end result in this case: just one single machine.

In my approach, I’ve just created a ‘scanning’ tool.

If you want to turn it into a monitoring tool, you can run it as an ad-hoc task or schedule it to run once a month and, if there are any positive cases, send an email or integrate with your monitoring solution if you also monitor your endpoints.

Other Ideas

For large deployments, a push-pull centralised method is probably preferable.

You can consider deploying this PowerShell script (in this case it would be better to digitally sign the script to avoid the risk of it being tampered with or misused), with some tweaks, to all your workstations via:

  • SCCM
  • GPO

and, more interestingly, collect the results (which workstations have temp files to remove) via:

  • email – send it to a distribution list (or just to yourself)
  • chat message – use an API to send a message to a channel in MS Teams or Slack
  • Azure storage table – use an API to add a record to an Azure storage table, and use Azure Table Explorer or PowerShell to view the final results. If you have enough time, you can use Power BI or Excel with a plugin to create a report/dashboard.
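As an added example of the chat-message option (not code from the post), the following posts a summary of the scan results to an incoming-webhook URL. Both Slack and MS Teams incoming webhooks accept a JSON POST with a `text` field; the webhook URL is a placeholder you obtain from your own workspace, and `$Affected` is assumed to be the list of per-machine objects (ComputerName, FileCount, SizeGB) that a scanning script produces.

```powershell
# Added example (not the post's own code): report affected workstations to a
# chat channel via an incoming webhook. Assumptions: the webhook URL is
# supplied by the caller (placeholder), and $Affected holds objects with
# ComputerName, FileCount and SizeGB properties from the scan.

[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$WebhookUrl,   # e.g. https://<your-webhook-placeholder>
    [AllowEmptyCollection()] [object[]]$Affected = @()
)

function Send-SophosTempReport {
    param([string]$Url, [object[]]$Affected)

    if (-not $Affected -or $Affected.Count -eq 0) {
        $text = 'Sophos temp-file scan: no workstations affected.'
    } else {
        $lines = $Affected | ForEach-Object {
            ' - {0}: {1} file(s), {2} GB' -f $_.ComputerName, $_.FileCount, $_.SizeGB
        }
        $text = "Sophos temp-file scan: {0} workstation(s) affected`n{1}" -f $Affected.Count, ($lines -join "`n")
    }

    $body = @{ text = $text } | ConvertTo-Json -Compress
    # The webhook URL is effectively a secret: pass it in at run time rather
    # than hard-coding it in a script that ends up in source control.
    Invoke-RestMethod -Uri $Url -Method Post -ContentType 'application/json' -Body $body
}

Send-SophosTempReport -Url $WebhookUrl -Affected $Affected
```

Because the message only contains hostnames and sizes, it is safe to post to a shared operations channel; anything more detailed (full file paths, user names) belongs in the CSV report rather than in chat.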

How to mitigate

For me, the best result with the least effort would be a band-aid (or quick and dirty) approach: it’s better than nothing and, without knowing the root cause exactly, is probably the logical way to go.

In my case, I’ve scheduled a daily script to run with a 10/30 minute delay from the average pattern of file creation. This means that at least the risk of filling the disk is limited.

A simple script that does the job would be this one:

Now, let’s add some checks to make it more “robust”: generate human-readable output and validate the paths and variables.
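Neither the simple nor the “robust” cleanup script survived on this page, so here is an added example covering both, written for this article and not the author’s own code. It follows the three vendor steps quoted at the end of the article (stop the Sophos Anti-Virus service, delete the `$$$` files, restart the service), validates that the temp folders exist, logs every action, and supports `-WhatIf` for a dry run. The service name `SAVService`, the minimum-age threshold and the log path are assumptions made here, not values from the post.

```powershell
# Added example (not the post's own script): band-aid cleanup of leftover
# Sophos "$$$" temp files following the vendor's stop / delete / restart steps.
# Assumptions: runs as a scheduled task under a local-admin account; the
# service name is assumed from the SavService.exe name in the KB text; the
# -MinimumAgeHours default is a choice made here so that a file a scan is
# still writing is not deleted from under it.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$TempPath = @(
        'C:\ProgramData\Sophos\Sophos Anti-Virus\Temp',
        'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Temp'
    ),
    [string]$ServiceName = 'SAVService',      # assumed service name
    [int]$MinimumAgeHours = 2,                # assumed safety threshold
    [string]$LogPath = "$env:ProgramData\SophosTempCleanup.log"
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Write-Host $line
    Add-Content -LiteralPath $LogPath -Value $line
}

# Path validation: only folders that actually exist are considered.
$existing = @($TempPath | Where-Object { Test-Path -LiteralPath $_ -PathType Container })
if ($existing.Count -eq 0) {
    Write-Log 'No Sophos temp folder found in the expected locations; nothing to do.'
    return
}

$cutoff = (Get-Date).AddHours(-$MinimumAgeHours)
$stale = @(foreach ($dir in $existing) {
    Get-ChildItem -LiteralPath $dir -Filter '*.$$$' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff }
})

if ($stale.Count -eq 0) {
    Write-Log ('No stale *.$$$ files older than {0} hour(s).' -f $MinimumAgeHours)
    return
}

$totalGB = [math]::Round((($stale | Measure-Object -Property Length -Sum).Sum / 1GB), 2)
Write-Log ('Found {0} stale file(s), {1} GB total.' -f $stale.Count, $totalGB)

# Vendor step 1: stop the Sophos Anti-Virus service before deleting.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$wasRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
if ($wasRunning -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
    try {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        Write-Log "Stopped service $ServiceName."
    } catch {
        # Tamper protection or insufficient rights can refuse the stop; do not
        # delete files from under a running scan engine in that case.
        Write-Log ("Could not stop {0}: {1}. Aborting cleanup." -f $ServiceName, $_.Exception.Message)
        return
    }
}

try {
    # Vendor step 2: delete the $$$ files one by one so a single locked file
    # does not abort the whole run.
    foreach ($f in $stale) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove file')) {
            try {
                Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                Write-Log ('Removed {0} ({1:N0} bytes)' -f $f.FullName, $f.Length)
            } catch {
                Write-Log ('FAILED to remove {0}: {1}' -f $f.FullName, $_.Exception.Message)
            }
        }
    }
}
finally {
    # Vendor step 3: restart the service, even if a deletion threw.
    if ($wasRunning -and $PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
        Start-Service -Name $ServiceName
        Write-Log "Started service $ServiceName."
    }
}
```

Run it once interactively with `-WhatIf` to confirm it finds the right files before scheduling it; the log file gives you the human-readable record of what was removed and when, which is also useful evidence when you later go looking for the root cause.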

Band-Aid vs Silver Bullet

This approach is focused on preventing Sophos AV from filling up the disk with large temporary files that are never removed.

Band-Aids are way cheaper to implement than silver bullets for sure, but they are not as effective.

So once you know your risk profile (in other words, once you have found how many times this issue happened, the number of affected workstations, and the likelihood that it will happen again), you can decide for yourself whether or not to find the root cause and fix it.

Other Options

  • Change the Sophos Endpoint installation directory to a different folder on a bigger drive (e.g. D: or E:, if available) than the system drive (C:).
  • Contact Sophos Support.

Update from Sophos Support

I received a prompt response from Sophos Support regarding the broken link and the KB:


The contents of the folder mention these details:

You have one or more files with a $$$ file extension that are very large in one of the following locations:
  • C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Temp
  • C:\ProgramData\Sophos\Sophos Anti-Virus\Temp
These are temporary files that have been extracted by the scanning engine while scanning an archive file larger than 1MB and are normally removed when the scan has successfully completed.

If a scan has been forcibly terminated (not cancelled) through ending a Sophos process then the file(s) will remain and must be removed manually.

What to do
1. Stop the Sophos Anti-Virus service (SavService.exe).
2. Delete the $$$ files.
3. Restart the Sophos Anti-Virus service.


This response from the software vendor was attached to the case and provided to the client.

As usual, these scripts are available on my GitHub repository.
