Windows Server 2012 R2 / Symantec Backup Exec 14.0
Recently migrated from Enterprise Console to Sophos Central Intercept X agent. Previous backup time was around 7 / 7.5 hours before the new agent was installed.
I have transferred the exclusions that were configured in Enterprise Console to a new Threat Protection policy and applied to the backup server but the throughput has halved and the backup is now taking 15 hours to complete.
Removing Intercept X Endpoint and reverting back to the previous Sophos Endpoint Protection returns the backup to previous performance so the problem is undoubtedly with Intercept X.
Has anyone suffered similar issues and been able to resolve?
Thank you for reaching out to the Sophos Community.
There is a commonly used scanning feature that may be contributing to the performance issues you are experiencing; the feature is known as "Remote file scanning". Is it possible for you to try turning this feature off to see if it improves the results you are getting? It is also possible to choose to apply certain policies at set times, so that this only goes into effect when your backups are scheduled to occur.
I recommend applying this change on the backup server specifically so that when data is being received it will not need to be scanned in transit.
Another option would be to exclude the Veritas Backup software from Intercept X's scanning. This can be done by using the guidance in the following KBA: https://support.sophos.com/support/s/article/KB-000039185?language=en_US
Let me know if this helps.
Thank you for the reply.
Remote scanning is already disabled. I have added the Backup as a global exclusion for Exploit Mitigation.
Currently, I have every element of Intercept X Agent disabled (using the Admin Sign In) and performance is still terrible. It appears to be a fundamental issue with Sophos that it cannot successfully ignore safe applications.
Even if the BE version you are using is very old, this should work with Intercept-X. Cannot report huge impacts if the exclusions are set correctly.
There are a lot of dependencies based on your backup settings.
Agent based? VM-based?
Deduplication enabled? B2D?
You will need to follow the recommendations of Veritas about AV exclusions.
Most Exclusions will be Process Exclusions in "Policy type: Threat Protection : Device", not Exploit Mitigation or whatever.
Note that you will need exclusions on the BE Agent machines AND exclusions on the BE Server machine(s).
Also you will need folder exclusions for the backup target folders if backup to disk is the type of your backup on your BE Server.
Just one part of possible exceptions for the BE Agents:
"It is recommended that the antivirus software be configured to exclude the Deduplication Storage Folder or at least by ensuring that it won't automatically delete or quarantine files in the Deduplication Storage Folder."
Installation is Agent based not VM, physical server and backup is direct from disk as affected machine is fileserver to directly connected tape drive.
All Veritas recommended exclusions have been added; these were all in use when using Enterprise Console and worked as you would expect.
Deduplication is not installed.
Would be useful to see any Sophos activity while the backup is running but I do not believe that is possible.
You would notice CPU load on the Sophos processes if they are active during beremote being in action.
Yes I would, I've checked and the CPU load by Sophos is very low while the backup is running.
Rapidly running out of ideas on what I can try.
So you have a BE server and a server being fileserver with BE agent installed. On the fileserver there is the tape drive attached?
And you have set the exclusions on the BE server and the fileserver?
I wonder if this could be slowed down by some new Sophos filter drivers.
This is probably going to be something for a support case.
Sorry no, setup is more straightforward, all on a single server incorporating backup exec host, fileserver duties and has tape drive attached.
I have already raised a high priority case with Sophos but sadly high priority means 24+ hours between replies, which is frankly awful for a company providing a business critical service.
OK, understand. In the meantime you could check with perfmon if any Sophos processes touch / read files accessed by backup exec services during backup. But if this is caused by a driver, you will probably not find it there.
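The perfmon check suggested above, together with a listing of the loaded file-system filter drivers, as an added PowerShell example that is not part of the original thread. The process-name pattern is an assumption (only beremote is named in the thread); run it from an elevated prompt while the backup job is active.

```powershell
# Added example, not from the thread: sample CPU and I/O counters for Sophos
# and Backup Exec processes during a backup, then list loaded minifilter drivers.

# Assumption: adjust this pattern to the process names Get-Process shows on the server.
$pattern  = 'sophos|hmpalert|beremote|bengine'
$counters = '\Process(*)\% Processor Time',
            '\Process(*)\IO Read Bytes/sec',
            '\Process(*)\IO Other Operations/sec'
$cores    = [Environment]::ProcessorCount

# Average one counter over all samples collected for a single process instance.
function Get-Avg($group, $counterName) {
    ($group | Where-Object { $_.Path -like "*\$counterName" } |
        Measure-Object -Property CookedValue -Average).Average
}

# 12 samples, 5 seconds apart: one minute of the backup window.
# Processes that exit mid-sample raise non-fatal errors, which are suppressed here.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12 `
                       -ErrorAction SilentlyContinue

$samples.CounterSamples |
    Where-Object { $_.InstanceName -match $pattern } |
    Group-Object InstanceName |
    ForEach-Object {
        [pscustomobject]@{
            Process     = $_.Name
            # Per-process "% Processor Time" can exceed 100 on multi-core hosts.
            CpuPct      = [math]::Round((Get-Avg $_.Group '% Processor Time') / $cores, 1)
            ReadMBps    = [math]::Round((Get-Avg $_.Group 'IO Read Bytes/sec') / 1MB, 2)
            OtherOpsSec = [math]::Round((Get-Avg $_.Group 'IO Other Operations/sec'), 0)
        }
    } |
    Sort-Object ReadMBps -Descending |
    Format-Table -AutoSize

# Kernel filter drivers do not appear as process activity. List the minifilters
# attached to the file I/O path and compare the output with and without
# Intercept X installed to see which drivers the new agent adds.
fltmc filters
```

Low figures for the Sophos processes alongside reduced read throughput for the backup process are consistent with the low CPU load reported in the thread; in that case the difference in the `fltmc filters` output is the more useful data to attach to the support case.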
Is it possible for you to provide me with the Case ID?
An initial troubleshooting step you can use is as follows. This will help narrow down what component of Sophos AV is contributing most to the performance impacts you are seeing. Beyond this, there are some driver isolation steps that we can also use if no improvements are seen after proceeding through this.
I can add some feedback in the support case as well.
No problem, thank you for the assistance. The case ID is 04425737.