This discussion has been locked.

AV Client PC slow after initial boot

Greetings!

I have searched the knowledge base and the forum, as well as Google, but I haven't found any answers to my problem. When our users boot their older laptops (Pentium M, older Pentium 4), the Sophos AV client is busy for around 20 minutes before they can actually use their PCs. Is there any way to change what is taking place during this time? Even if we could set the maximum percent of processor utilization, that might help.

Thanks,

Dan



  • Is it fair to say that the delay is mostly observed when the client actually performs an update?  For example, if the machine has been off for a number of hours, the chances are when it starts up it will require a new IDE file or possibly even a new version of the software.  Essentially at the same time the machine is starting up, services starting, processes being launched, Sophos AutoUpdate is checking for updates to a number of packages and potentially installing software.

    It's really a trade-off between detection and performance at this point.  The longer the update is postponed in the start-up cycle, the greater the risk to the machine, so a compromise must be met.


    Traditionally, when detection was largely based around signatures, the sooner the machine was updated the better.  With anti-malware solutions now having far more layers of detection (HIPS, BOPS, etc.), it could be argued that the machine may be “safer” for longer as they are able to heuristically detect a good portion of new malware.  Again it's a trade-off, but these advancements certainly add to the equation.


    As a test I would recommend the following to better understand why and what may be causing the delay.


    1.     If you start the machine up, leave it running for 5 or so minutes and ensure that it is up to date and in sync with the update location it is pointing to.  I would suggest performing an “update now” and check that it is all up to date.  Then reboot the machine.  Does the machine start-up any quicker?  This should rule out an actual update causing the slow down.


    2.    The next thing to rule out would be the “check” to see if an update is available. To do so, I would suggest disabling the “Sophos AutoUpdate Service” using services.msc (set the service to start-up type “disable”) and then rebooting.  Is this any quicker?  This would rule out a check and an update.  Remember to set the service back to auto-start.
    Clearly both of these things will have an impact on machine start-up as the machine is doing less work.  I guess the question then becomes whether boot time is significantly affected.


    If deemed worthwhile and understanding the trade-off mentioned above, to change the behaviour of Sophos AutoUpdate from performing an update as soon as the “Sophos Auto Update Service” starts you can do as follows:


    With Sophos Anti-virus version 7, you can change the following registry key detailed in this article:
    http://www.sophos.com/support/knowledgebase/article/27646.html.  To test it works, if you restart the Sophos AutoUpdate service, you should now see in Task Manager that the process Alupdate.exe does not get spawned by the service process at start-up.


    If you are using Sophos Endpoint Security and Control version 9, then this does not need to be set; the service by default will not spawn an update straight away but can be controlled by the registry key:
    HKLM\SOFTWARE\Sophos\AutoUpdate\StartupDelay
    where StartupDelay should be a DWORD value, which sets the number of seconds before the service starts an update.
    E.g.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate]
    "StartupDelay"=dword:0000000a
    Would be a 10 seconds delay in checking for an update after the Sophos AutoUpdate Service starts.


    Once we have ruled out update checks and installing new updates, we should next focus on access-scanning and the anti-virus component of the endpoint protection.


    Although slightly heavy-handed, the first test should probably be to disable the on-access anti-virus protection.  If you disable on-access scanning and reboot, is the time significantly cut short?  If so, we know it's just the work the service is performing to scan files and then we can take steps to reduce this.


    To do so, I would next check what else is starting on the machine using a tool such as msconfig.exe or Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx).  There may be a number of applications that could be removed from start-up; this will help, as Sophos would have to scan all the components of these at start-up.
    If this doesn't help as you are unable to gain any advantage there, try disabling certain components within Sophos Anti-Virus such as BOPS, HIPS, etc.  Also consider reverting any configuration options to the defaults.  Does this help?  Once we understand what exactly is affecting the timings we can help them.


    Worthwhile tools which can help to diagnose the problem further might be:
    ProcessMonitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), in particular the “log boot” option for this scenario.
    LoadOrder (http://technet.microsoft.com/en-us/sysinternals/bb897416.aspx) might also give you some insight on what might be going on at start-up.

    Hopefully this gives you a number of things to try and narrow down what specifically may be contributing to the start-up speed of the machine.


    Thanks.

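The StartupDelay setting described in the reply above, as an added PowerShell example that is not part of the original post or Sophos documentation. The key path, value name and service display name come from the post; the 300-second default and the use of Windows PowerShell 3.0 or later from an elevated prompt are assumptions.

```powershell
# Added example: inspect, correct and set the AutoUpdate StartupDelay value.
# Key path, value name and service display name are taken from the post;
# the 300-second default is an illustrative choice, not a vendor recommendation.
param(
    [ValidateRange(0, 86400)]
    [int]$DelaySeconds = 300
)

$keyPath   = 'HKLM:\SOFTWARE\Sophos\AutoUpdate'
$valueName = 'StartupDelay'

if (-not (Test-Path -Path $keyPath)) {
    throw "Key $keyPath not found. Is Sophos AutoUpdate installed on this machine?"
}

# Report what is there now. The post specifies a DWORD, so a value that was
# created in regedit as a string (REG_SZ) or other type is removed first.
$key = Get-Item -Path $keyPath
if ($key.GetValueNames() -contains $valueName) {
    $kind = $key.GetValueKind($valueName)
    Write-Output "Existing $valueName = $($key.GetValue($valueName)) (type: $kind)"
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Warning "$valueName is stored as $kind, not DWord; recreating it."
        Remove-ItemProperty -Path $keyPath -Name $valueName
    }
} else {
    Write-Output "$valueName is not set yet."
}

# Create or overwrite the value as a DWORD holding the delay in seconds.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $DelaySeconds -Force | Out-Null

# Read it back and fail loudly if the type or data is not what was requested.
$key = Get-Item -Path $keyPath
if ($key.GetValueKind($valueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord -or
    $key.GetValue($valueName) -ne $DelaySeconds) {
    throw "$valueName was not written as expected."
}
Write-Output ("{0} = {1} seconds (dword:{1:x8})" -f $valueName, $DelaySeconds)

# The post's step 2 disables the service for a test; confirm it is back on Auto.
Get-CimInstance -ClassName Win32_Service `
    -Filter "DisplayName = 'Sophos AutoUpdate Service'" |
    Select-Object Name, StartMode, State
```

The final line of output shows the value in the same `dword:` notation the post uses, so it can be compared directly against a .reg export of the key.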
  • I have done this for Sophos Anti-Virus nine and it is still slow. I might be adding the DWORD wrong. Could you please show me a picture of what you are doing in regedit?

    I have a dual core AMD Athlon x64 6000+ with 2 GB RAM, XP Home, a lot better than an old laptop.

    David
