Slow Remote copy of newly compiled files

Just want to say this is still a major problem.  Before we started using Sophos (were on Avast) publishing the main application I use from my machine to the web server where it installs from took 20 - 30 seconds.  Now with Sophos it takes 2 - 3 minutes.  Now that by itself isn't that bad.  The problem is when I publish while VPN'd in it can take 30 - 45 minutes which is completely unacceptable.  Not sure what can be done about this but it fairly annoying as I work from home a couple times a month and I dread having to push application changes when that happens.

Side note- I am VPN'd in using a RED device connected to a Sophos XG firewall so its Sophos everywhere.

Have you narrowed it down to a component of the endpoint software?

Do you have HMPA, SED and SAV installed on these computers?  One simple way to see is to run in a admin cmd prompt: fltmc.exe.  If you see:

Sophos Endpoint Defense
hmpalert
SAVOnAccess

Then:
"Sophos Endpoint Defense" is sophosed.sys and part of Sophos Endpoint Defense.
"hmpalert" is hmpalert.sys is part of HMPA
"SAVOnAccess" is SAVOnAccess.sys is part of SAV
All these file system filter drivers are in \windows\system32\drivers\.

I would first test ruling out HMPA, this driver injects the hmaplert.dll into process at startup and it also performs the cryptoguard.

So disable Tamper Protection on the computer, rename \windows\system32\drivers\hmaplert.sys to \windows\system32\drivers\hmpalert.sys.off and reboot.

This will rule out HMPA completely, do you still have the issue.  If no. Add it back and reboot, see the issue again, then disable Cryptoguard in policy as it could be this feature.

Having ruled out HMPA, the next test is to rule out SAV.  To do so, you can't unload the SAVonacess driver without stopping the SAVService.  Therefore:
sc stop savservice
fltmc unload savonaccess

This will stop the main SAVService and the second command will unload the savonaccess driver.

Do you see the issue then?
If no, then I would consider re-enabling it again, and maybe then disable on-acess|relatime scanning in policy.  Does the issue occur then?  Does disablingremote file scanning help?

If after disabling SAV and HMPA, you still have the issue then it could be sophosed.sys.  This can also be disabled but I can detail that more if you get this far.

Regards,
Jak

Have you narrowed it down to a component of the endpoint software?

Do you have HMPA, SED and SAV installed on these computers?  One simple way to see is to run in a admin cmd prompt: fltmc.exe.  If you see:

Sophos Endpoint Defense
hmpalert
SAVOnAccess

Then:
"Sophos Endpoint Defense" is sophosed.sys and part of Sophos Endpoint Defense.
"hmpalert" is hmpalert.sys is part of HMPA
"SAVOnAccess" is SAVOnAccess.sys is part of SAV
All these file system filter drivers are in \windows\system32\drivers\.

I would first test ruling out HMPA, this driver injects the hmaplert.dll into process at startup and it also performs the cryptoguard.

So disable Tamper Protection on the computer, rename \windows\system32\drivers\hmaplert.sys to \windows\system32\drivers\hmpalert.sys.off and reboot.

This will rule out HMPA completely, do you still have the issue.  If no. Add it back and reboot, see the issue again, then disable Cryptoguard in policy as it could be this feature.

Having ruled out HMPA, the next test is to rule out SAV.  To do so, you can't unload the SAVonacess driver without stopping the SAVService.  Therefore:
sc stop savservice
fltmc unload savonaccess

This will stop the main SAVService and the second command will unload the savonaccess driver.

Do you see the issue then?
If no, then I would consider re-enabling it again, and maybe then disable on-acess|relatime scanning in policy.  Does the issue occur then?  Does disablingremote file scanning help?

If after disabling SAV and HMPA, you still have the issue then it could be sophosed.sys.  This can also be disabled but I can detail that more if you get this far.

Regards,
Jak