[Latest KB's] Sophos Central: How to investigate scheduled scan times

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Special thanks to  for creating this Content!

Overview

This article describes the steps to investigate a scheduled scan taking a long time.

Applies to the following Sophos products and versions
Central Windows Endpoint

What to do

Scheduled scans can have a wide variation in their times, due to many factors. These can include: 

  • Total disk content size
    • The more data to scan, the longer it will take. e.g., a 1TB drive with 900GB of data will take longer than a 1TB drive with 10GB of data
  • Archive Scanning
    • Scanning inside archives means they have to be expanded before they are scanned, which can increase scan time significantly. e.g., a 100MB zip file with a 60% compression ratio is 210MB of actual file content that has to be extracted and scanned.
  • Scanning all files is enabled
    • This increases the number of files and the amount of data that the scanner has to check. It is very dependent on the types of files on the disks being scanned
  • Type of disk (data throughput)
    • Solid state drives can access data much faster than spinning disks.
  • CPU usage of system
    • Scan tasks run as low priority, so if the system is busy with other functions, the scan will take longer to complete
  • Types of files on disk
    • By default, we scan executable and exploitable files. The more of these that are present, the more we have to scan. e.g., a directory of JAR files (Java executable compressed files) will get scanned and, because they are compressed files, take a while longer than a directory of TXT files (no need to scan)

Scheduled scans are interrupted by restarting the Sophos Anti-virus service, which is done by Major updates (including VDL updates). IDE (threat) updates do not interrupt scheduled scans.

When investigating issues with scan performance, verify the items above. When possible, turn off features to eliminate possibilities.

To validate potential problem spots, SAV32cli can be used.

  1. Open an administrative command prompt, and go to C:\Program Files (x86)\Sophos\Sophos Anti-Virus
  2. Get a baseline test on the suspected problem areas: sav32cli -p=c:\scanlog.log <drive or folder path>
  3. Check the log file (c:\scanlog.log) for how long the scan took.
  4. If the problem only appears when additional options are enabled, run another scan with those options: -archive for archive scanning, -all to scan all files. Use a different filename for the log for comparison. e.g., sav32cli -archive -p=c:\scanlogTest.log <drive or folder path>
  5. Compare the log files to see the difference in the time each scan takes to run.

The drive or folder path can be set to the areas most suspected of causing the scan to have difficulties.
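
The comparison in steps 2 to 5 can be scripted so that every option set is timed the same way. The following PowerShell is an added example, not a Sophos-supplied script; it uses only the sav32cli options named above (-p, -archive, -all), and the values of $Target and $LogDir are assumptions to replace with your own paths.

```powershell
# Added example: time sav32cli against one target with each option set
# named in the article. Run from an elevated PowerShell prompt.
$SavDir = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus'  # path from the article
$Target = 'D:\Projects'     # assumption: the suspected drive or folder
$LogDir = 'C:\ScanTiming'   # assumption: where the comparison logs are written

$Sav = Join-Path $SavDir 'sav32cli.exe'
if (-not (Test-Path $Sav))    { throw "sav32cli.exe not found in $SavDir" }
if (-not (Test-Path $Target)) { throw "Scan target $Target does not exist" }
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# One entry per run; only the options differ, the target stays the same.
$Runs = [ordered]@{
    'baseline'    = @()
    'archive'     = @('-archive')
    'all'         = @('-all')
    'archive_all' = @('-archive', '-all')
}

$Results = foreach ($Name in $Runs.Keys) {
    # Separate log per run, as step 4 recommends.
    $Log      = Join-Path $LogDir "scanlog_$Name.log"
    $ScanArgs = @($Runs[$Name]) + "-p=$Log" + $Target
    # Wall-clock time of the whole run; the scanner's own log holds its figures.
    $Elapsed  = Measure-Command { & $Sav @ScanArgs | Out-Null }
    [pscustomobject]@{
        Run      = $Name
        Options  = ($Runs[$Name] -join ' ')
        Seconds  = [math]::Round($Elapsed.TotalSeconds, 1)
        ExitCode = $LASTEXITCODE   # reported as returned, not interpreted here
        Log      = $Log
    }
}

# Show each run relative to the baseline so the costly option stands out.
$Base = ($Results | Where-Object Run -eq 'baseline').Seconds
$Results | Select-Object Run, Options, Seconds,
    @{ n = 'VsBaseline'; e = {
        if ($Base -gt 0) { '{0:N2}x' -f ($_.Seconds / $Base) } else { 'n/a' }
    } }, ExitCode, Log | Format-Table -AutoSize
```

The first run reads the files from a cold cache, so run the set twice and compare the second pass when the differences between runs are small.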

Reference: https://community.sophos.com/kb/en-us/135603 


Edit Disclaimer
[edited by: GlennSen at 9:51 AM (GMT -7) on 5 Apr 2023]