Frequent Advisor
tedz
Posts: 126
Registered: ‎Fri 03-Jun-2011
0

SavService.exe 100% CPU usage

Hi,

 

We encountered a problem on our Sophos server: when I look at Task Manager, SavService.exe is at 100% CPU usage, and it caused the server to hang. Please help with our problem.

 

tedz

VIP
wickedkittenz
Posts: 88
Registered: ‎Thu 08-Apr-2010

Re: SavService.exe 100% CPU usage

Hello Tedz

 

This may be configuration related. You can configure Sophos to be extreme with scanning. 

 

Starting off on the basics;

 

Does this happen at certain times of the day? (Consider scheduled scans, what is configured and if it is at a lower priority.)

Does this happen when accessing ZIP files, or large files such as architecture pictures? (Perhaps consider excluding these file types.)

Does this happen when using certain programs which may use databases or Java? (This could be emulation - consult Sophos.)

 

Is this on startup, when an update happens, or when a backup is taking place?

 

What version of Sophos is installed?

Programs like process monitor could give us some more insight.

 

Looking forward to the response :)

Frequent Advisor
tedz
Posts: 126
Registered: ‎Fri 03-Jun-2011
0

Re: SavService.exe 100% CPU usage

Hi wickedkittenz,

 

Sometimes when the PC starts up, or when the PC is already on, they are totally unusable by the user due to the 100% CPU usage, and it takes time to wait.

SEC: 5.0 Endpoint: 10.0

 

thanks,

 

Teddy

 

 

VIP
wickedkittenz
Posts: 88
Registered: ‎Thu 08-Apr-2010

Re: SavService.exe 100% CPU usage

Hi Teddy

 

 

Is there a common factor across these machines, maybe an internal program being used?

Are they XP, Vista, Windows 7?

Are scheduled scans configured and when are they configured to run?

 

It might be worth looking into then about the updating (if it is on startup), what configurations are in place in the updating policy applying to those machines? 

 

:)

Occasional Visitor
uni101
Posts: 1
Registered: ‎Sun 10-Jun-2012
0

Re: SavService.exe 100% CPU usage

Hi, I am also experiencing the same problem. I am running Windows 7 and it is not searching for new updates because they have all been installed. When I am using my computer the CPU will shoot up to 100%. I looked under resources in Task Manager CPU and it is always due to savservice.exe. Any information on how to prevent this?

 

Many thanks

Executive VIP
jak
Posts: 1,813
Registered: ‎Sat 19-Dec-2009
0

Re: SavService.exe 100% CPU usage

[ Edited ]

Hi,

 

Can you rule out a scheduled scan taking place during these times?  The SAV main interface (SAVMain.exe) will show any on-demand scans taking place in the bottom left (as long as you have rights to see them).

 

Also I assume the scanning options (on-access) haven't been changed from the defaults or at least the defaults have been restored to see if it helps.  Scanning inside archive files on-access or scan all files for example.

 

It is possible to turn on logging in the SAV driver to log what it's looking at.  To do so, add a DWORD value called LogFlags under the driver key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVOnAccess\

For Vista, Win 7, 2008 and 2008R2.

For XP/2003 it is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVOnAccessControl\

 

Setting it to 15 (decimal) will do.  For full logging you can set it to hex FFFFFFFF but that is more than we need and will just slow things down further.

 

Once created, restart the SAVService; the standard logfile SAV.txt will then have the details.  The log will grow quite quickly so remember to remove the DWORD value and restart the service.  The sav.txt log file is in the following locations depending on OS:

C:\ProgramData\Sophos\Sophos Anti-Virus\logs\  (Vista+)

C:\documents and settings\all users\application data\Sophos\Sophos Anti-Virus\logs\ (XP/2003)

 

I've just knocked together a quick script (it is for Windows Vista, Win7, 2008 only based on the paths and registry keys, although you could change the paths: registry and logs directory to those mentioned above) to automate this and collate a results file with all files accessed more than once ordered by the number of entries in the log.  Maybe that would be worth a try.  VBScript is at the bottom of the post.  Save as something.vbs and run it.   Maybe you could upload the results file/contents here.

 

The problem is, adding the key requires the restart of the service.  This will of course reset the cache of what has already been scanned so the service will be doing more again than normal at startup.  Having said that it may still be useful.  The other approach would be to use ProcessMonitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to see what SAVService.exe is doing.  Maybe some exclusions could be added or problem files identified.

 

Regards,

Jak

 

'Constants
const HKEY_LOCAL_MACHINE = &H80000002
Const ForReading = 1
Const ForWriting = 2

'Variables
strPathToLogs               = "C:\ProgramData\Sophos\Sophos Anti-Virus\logs\"
strSAVFileName              = "SAV.txt"
strSAVFileDebug             = "SAVDebug.txt" 
strSAVOrig                  = "SAVOrig.txt"
strResultFile               = "SAVResults.txt"
strServiceName              = "SAVService"
intTimeToStopServiceInSecs  = 10 
intTimeToStartServiceInSecs = 10
strKeyPath                  = "SYSTEM\CurrentControlSet\Services\SAVOnaccess"
strValueName                = "LogFlags"
IntDebugValue               = 15
intSAVServiceSettleTimeMins = 1
intTestTimeMins             = 3
strFilter                   = "on-access driver log information: check local file "
blnCScriptEcho              = false
intLimitResultToFilesAcc    = 1

Wscript.echo "Once complete, this script will create a file called: " & strResultFile & " in the same directory.  Please wait for a completed message."

'Create Objects
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

'Stop Service
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='" & strServiceName & "'")
For Each objService in colListOfServices
	if blnCScriptEcho then
    	Wscript.echo "Stopping SAVService..."
	end if
    objService.StopService()
Next

'Wait for the service to stop
wscript.sleep intTimeToStopServiceInSecs * 1000

'Delete any pre-existing debug sav.txt from previous runs
if objFSO.FileExists (strPathToLogs & "\" & strSAVFileDebug) then
	if blnCScriptEcho then
		wscript.echo "Deleting any pre-existing " & strSAVFileDebug & "."
    end if
	objFSO.deleteFile strPathToLogs & "\" & strSAVFileDebug, True
end if

'Delete any pre-existing results files from previous runs
if objFSO.FileExists (strResultFile) then
	if blnCScriptEcho then
		wscript.echo "Deleting any pre-existing " & strResultFile & "."
    end if
	objFSO.deleteFile strResultFile, True
end if

'Delete any pre-existing orig files from previous runs
if objFSO.FileExists (strPathToLogs & "\" & strSAVOrig) then
	if blnCScriptEcho then
		wscript.echo "Deleting any pre-existing " & strSAVOrig & "."
	end if
    objFSO.deleteFile strPathToLogs & "\" & strSAVOrig, True
end if

'Backup Existing SAV.txt so we can restore it later
'(check for the file in the logs directory, not in the script's working directory)
if objFSO.FileExists (strPathToLogs & "\" & strSAVFileName) then
	if blnCScriptEcho then
		wscript.echo "Backing up existing " & strSAVFileName & " to restore later."
	end if
	objFSO.MoveFile strPathToLogs & "\" & strSAVFileName, strPathToLogs & "\" &strSAVOrig
end if

'Create LogFlags Key
dim objReg : Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
if blnCScriptEcho then
	wscript.echo "Creating registry key: " & strKeyPath & "\" & strValueName & " Value:" & IntDebugValue & "."
end if
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, IntDebugValue

'Start Service
For Each objService in colListOfServices
	if blnCScriptEcho then
		Wscript.echo "Starting SAVService..."
	end if
    objService.StartService()
Next

'Wait for the service to start (Sleep takes milliseconds)
Wscript.sleep intTimeToStartServiceInSecs * 1000
if blnCScriptEcho then
	Wscript.echo "Waiting " & intSAVServiceSettleTimeMins & " minutes to settle."
end if
Wscript.sleep intSAVServiceSettleTimeMins * 60000

Wscript.echo "Please use the computer as you would for the next " & intTestTimeMins & " minutes in order to reproduce the high CPU usage."
Wscript.sleep intTestTimeMins * 60000

if blnCScriptEcho then
	Wscript.echo "Time is up."
end if

For Each objService in colListOfServices
	if blnCScriptEcho then
		Wscript.echo "Stopping SAVService..."
	end if
    objService.StopService()
Next

if blnCScriptEcho then
	Wscript.echo "Analyzing results..."
end if

'Wait for the service to stop
wscript.sleep intTimeToStopServiceInSecs * 1000

'Create a Dictionary to hold the lines (key) and their frequencies
Set objDictionaryLines = CreateObject("Scripting.Dictionary")

'Open the file for reading
Set objFile = objFSO.OpenTextFile(strPathToLogs & "\" & strSAVFileName, ForReading, false, -1)

'Loop until end of stream
Do Until objFile.AtEndOfStream

    'Read each line
    strLineIn = lcase(objFile.ReadLine)
    intL = instr(strLineIn, strFilter)

    'Only count lines that contain the filter text; other log lines are skipped
    'so they do not inflate the count of the previously matched file
    if intL > 0 then
        strFilteredLine = mid(strLineIn, (intL+len(strFilter)))

        'If line is not already in dictionary, add Item and set key value to 1. If line is already in dictionary, increment key value
        If Not objDictionaryLines.Exists(strFilteredLine) Then
            objDictionaryLines.Add strFilteredLine , 1
        Else
            objDictionaryLines( strFilteredLine ) = objDictionaryLines( strFilteredLine ) + 1
        End If
    end if
Loop
objFile.Close

Set objDictSorted = SortDictionary(objDictionaryLines)

Set objFileOut = objFSO.OpenTextFile(strResultFile, ForWriting, True, -1)
For Each i In objDictSorted
    if len(i)> 0 then 
		if objDictSorted.Item(i) > intLimitResultToFilesAcc then
			objFileOut.writeline "[" & objDictSorted.Item(i) & "] " & i
		end if
    end if
Next
objFileOut.close 
 
'delete logflags key
objReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName
 
'move new sav.txt to savdebug.txt
if objFSO.FileExists (strPathToLogs & "\" & strSAVFileName) then
    objFSO.MoveFile strPathToLogs & "\" & strSAVFileName , strPathToLogs & "\" & strSAVFileDebug
end if

'move original back to SAV.txt
if objFSO.FileExists (strPathToLogs & "\" & strSAVOrig) then
    objFSO.MoveFile strPathToLogs & "\" & strSAVOrig, strPathToLogs & "\" & strSAVFileName
end if 
 
'Start Service
For Each objService in colListOfServices
    objService.StartService()
Next

Wscript.echo "Completed analysis.  The file " & strResultFile & " is in the same directory as the script."

  
'Functions ----------------------------------------------
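Function SortDictionary(ByVal objDict)
 'Returns a new dictionary holding the same key/count pairs in ascending order of count.
 'The keys are sorted, not just the Item values, so each count stays with its own file name.
 Dim arrKeys, i, j, temp, objSorted

 Set objSorted = CreateObject("Scripting.Dictionary")
 arrKeys = objDict.Keys

 For i = 0 To UBound(arrKeys) - 1
  For j = i + 1 To UBound(arrKeys)
   If objDict.Item(arrKeys(j)) < objDict.Item(arrKeys(i)) Then
    temp = arrKeys(i)
    arrKeys(i) = arrKeys(j)
    arrKeys(j) = temp
   End If
  Next
 Next

 'A Dictionary enumerates its keys in insertion order
 For i = 0 To UBound(arrKeys)
  objSorted.Add arrKeys(i), objDict.Item(arrKeys(i))
 Next

 Set SortDictionary = objSorted

End Function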
'---------------------------------------------------------

 

Frequent Visitor
mmcmillan
Posts: 5
Registered: ‎Mon 16-Sep-2013
0

Re: SavService.exe 100% CPU usage

That VBS script gives me an error:


Line: 28

Char: 1

Error: 0x80041021

Code: 80041021

Source: (null)