Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 13 subscribers
  • Views 1995 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint realtime filescan on server causes high io write with $$$ files

DuS

Hello Sophos community,

is anybody able to tell me, why Sophos Endpoint needs a pretty noticable amount of write io directly on disk?

I can see the following in the servers ressource monitor every minute, as soon as realtime filescanner service is online:

Sophos is writing into a temporary folder with some .$$$ files. At first it looked fishy to me, but then I figured, that Sophos produces such temporary files for "complex scanning operations".

But why the heck do they need to be on disk? I would rather see them in RAM?

AND: Is there any way to figure out, what Sophos is scanning at the moment such high io is produced?

I came across this issue, because I am trying to find the bottleneck for our CAD software performance and it seems to lead me to io write performance. Sadly it wasn't as simple as just excluding the CAD share from real time scanning, just so you know.

Do others also see this behaviour? Is there a logical reasoning for this and is there a good approach to reduce the amount of io write requests from Sophos Endpoint on our servers?

I appreciate your feedback!

Kind regards,

David



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Sophos User930

    Thank you very much for your reply. There is no on-demand scan active and also no deep scan. I was able to remove those $$$ file writes immediately, when I disabled realtime filescanning for testing purpose.

  • 0 in reply to DuS

    In that case, finding out the files being scanned is the way to go.

    Just running Process Monitor when the behaviour is occurring will probably make it reasonably obvious but the debug logging of SFS will be the most definitive.

    There is this reg key: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\EventLog | VerboseLogging = 1 you can set  and restart SSPService. The files scanned are logged to the ApplicationEvent log but that will probably be too noisy and trample all over your event log. It may also not be apparent as to which files scanned are causing the temp files.

    For that reason, enabling the logging of SophosFileScanner (debug) is probably best.  You can also do it from Endpoint Self Help now I believe under the "Tools" tab -> Product Logging -> SFS section.

Unfiltered HTML