Hello Sophos community,
is anybody able to tell me, why Sophos Endpoint needs a pretty noticable amount of write io directly on disk?
I can see the following in the servers ressource monitor every minute, as soon as realtime filescanner service is online:
Sophos is writing into a temporary folder with some .$$$ files. At first it looked fishy to me, but then I figured, that Sophos produces such temporary files for "complex scanning operations".
But why the heck do they need to be on disk? I would rather see them in RAM?
AND: Is there any way to figure out, what Sophos is scanning at the moment such high io is produced?
I came across this issue, because I am trying to find the bottleneck for our CAD software performance and it seems to lead me to io write performance. Sadly it wasn't as simple as just excluding the CAD share from real time scanning, just so you know.
Do others also see this behaviour? Is there a logical reasoning for this and is there a good approach to reduce the amount of io write requests from Sophos Endpoint on our servers?
I appreciate your feedback!
I wonder if it's from real-time scanning or from an on-demand scan?
Is SophosScanCoordinator.exe running? That would suggest an on-demand scan is taking place. That would be more likely to have scan inside archives enabled.
As for what is being scanned:
After installing Sophos, the Tasy Java Management System is slow
might help you.
Thank you very much for your reply. There is no on-demand scan active and also no deep scan. I was able to remove those $$$ file writes immediately, when I disabled realtime filescanning for testing purpose.
In that case, finding out the files being scanned is the way to go.Just running Process Monitor when the behaviour is occurring will probably make it reasonably obvious but the debug logging of SFS will be the most definitive.
There is this reg key: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\EventLog | VerboseLogging = 1 you can set and restart SSPService. The files scanned are logged to the ApplicationEvent log but that will probably be too noisy and trample all over your event log. It may also not be apparent as to which files scanned are causing the temp files.
For that reason, enabling the logging of SophosFileScanner (debug) is probably best. You can also do it from Endpoint Self Help now I believe under the "Tools" tab -> Product Logging -> SFS section.
when I have the time, I will invest in trying to find out, which files are scanned, while massive io load is produced.
However, the main issue that is on my mind is: Why is this temporary file writing not happening in RAM but using up a lot of IO ressources? What is the reason? Am I the only one questioning this?
If you have, say a 500MB archive, it could potentially contain GB of data. The idea of trying to manage that all in RAM and the effects that would have on the computer would be worse than a bit of disk IO which typically only happens when scanning inside archives.