This discussion has been locked.

Sophos Endpoint realtime filescan on server causes high io write with $$$ files

Hello Sophos community,

Is anybody able to tell me why Sophos Endpoint needs a pretty noticeable amount of write I/O directly on disk?

I can see the following in the server's Resource Monitor every minute, as soon as the realtime filescanner service is online:

Sophos is writing into a temporary folder with some .$$$ files. At first it looked fishy to me, but then I figured that Sophos produces such temporary files for "complex scanning operations".

But why the heck do they need to be on disk? I would rather see them in RAM?

AND: Is there any way to figure out what Sophos is scanning at the moment such high I/O is produced?

I came across this issue because I am trying to find the bottleneck for our CAD software performance and it seems to lead me to I/O write performance. Sadly it wasn't as simple as just excluding the CAD share from real time scanning, just so you know.

Do others also see this behaviour? Is there a logical reasoning for this and is there a good approach to reduce the amount of I/O write requests from Sophos Endpoint on our servers?

I appreciate your feedback!

Kind regards,

David



  • Hello everyone,

    When I have the time, I will invest in trying to find out which files are scanned while massive I/O load is produced.

    However, the main issue that is on my mind is: Why is this temporary file writing not happening in RAM but using up a lot of I/O resources? What is the reason? Am I the only one questioning this?

    Kind regards,

    David

  • If you have, say, a 500MB archive, it could potentially contain GB of data. The idea of trying to manage that all in RAM and the effects that would have on the computer would be worse than a bit of disk IO which typically only happens when scanning inside archives.
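
As an added illustration of the reply above (not part of the original thread and not Sophos code): a Python sketch that reads only ZIP central-directory metadata to list archives under a folder whose declared contents are much larger than their size on disk, which are the files where unpacking for a scan would write the most temporary data. The function names, the `min_ratio` threshold and the in-memory sample archive are assumptions made for this example; the script cannot tell whether the scanner actually unpacks a given file.

```python
import io
import os
import zipfile

def archive_expansion(path_or_file):
    """Return (compressed_bytes, uncompressed_bytes) summed from a ZIP's central directory.

    Metadata only: no member is decompressed, and the sizes are the values
    the archive itself declares.
    """
    with zipfile.ZipFile(path_or_file) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        return (sum(i.compress_size for i in infos),
                sum(i.file_size for i in infos))

def inventory(root, min_ratio=4.0):
    """Walk root and list ZIP archives whose declared contents are at least
    min_ratio times larger than their compressed size, largest first."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not zipfile.is_zipfile(path):
                    continue
                packed, unpacked = archive_expansion(path)
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or damaged archive: skip, keep walking
            if packed and unpacked / packed >= min_ratio:
                rows.append((unpacked, packed, path))
    return sorted(rows, reverse=True)

def make_sample_zip(payload_size=1_000_000):
    """Constructed sample: one highly compressible member, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("drawing.dat", b"\0" * payload_size)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    packed, unpacked = archive_expansion(make_sample_zip())
    print(f"sample: {packed} bytes packed -> {unpacked} bytes unpacked")
    for unpacked, packed, path in inventory("."):
        print(f"{unpacked:>14} {packed:>12} {unpacked / packed:6.1f}x  {path}")
```

Many document formats are ZIP containers as well, so they show up in the listing alongside `.zip` files.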