OK, so you are saying that as a client, it wouldn't be exposing port 990 - it is only using port 990 for external connections, therefore I have something else on the server unrelated to WinSCP that I need to find. Thanks for the clarification.

To find what was using the port, in a command prompt, ran "netstat -o -n -a | find "0.0:990". This returned a PID which I could look up in Task Manager Details tab. Found it was FileZilla server. Needed to edit the settings XML C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml and change the value from 0 (TLS 1.0) to 1 (TLS 1.1) <Item name="Minimum TLS version" type="numeric">1</Item> (value 2 = TLS 1.2)

WinSCP is not a server. It's a client.

We received a PCI failure on port 990 - that TLSv1 cipher suites were exposed and available. I have set the minimum TLS for the single WinSCP site to be 1.1, but the scan still fails. I am not aware of anything else on the server using port 990. Is there anywhere else I can disable TLS 1.0 in WinSCP? Does something have to be restarted for it to take effect? I don't see any WinSCP service in running services.