This discussion has been locked.

Event Log Messages

I keep getting the following Event Log messages from SAVOnAccess:

File \Device\HarddiskVolumeShadowCopy38\pagefile.sys not checked. Files larger than 4GB are not supported by on-access scanning.

Also on lots of other files greater than 4GB.

1 - Should this be checking the pagefile.sys?

2 - How do I suppress these event log messages? I know Sophos does not check files greater than 4GB. I keep getting the messages every time I back up my system. I have <Configure>,<Messaging>,<Event Log> set to record events, but I do NOT have "Scanning Errors (e.g. access denied)" ticked.



This thread was automatically locked due to age.
  • I've sent a support query in November (#1443439). The case has been closed without solution (but with my consent - at that time the files triggering this behaviour didn't grow over a few MB).

    Messaging settings have no effect, that's right - haven't checked whether excluding them from scan does help. Which SAV version - if I can trust my reports it's been 7.6.13 in our case.

    Christian

  • Just yesterday a co-worker came in because a server was all but unresponsive and as he saw the ominous "larger than 4GB" messages he thought he'd ask me (the Sophos "expert").

    "Fortunately" this was still going on and I found the following:

    • On the server is an application collecting all kinds of events and messages and consolidating them
    • The application uses sort of wrap-around cache which grows and shrinks more or less proportional to the message rate
    • Under certain circumstances this cache grows over 4 GB and then the fun starts
    • Sophos issues the 4 GB message which is captured and written to the file which triggers another message and so on.
    • The write seems to be buffered so eventually the storm abates, the file shrinks and all is well again.

    The good news: If you exclude the file from scanning it does help

    Christian

  • This keeps haunting me. Today I noticed once more the server's SAV.txt (8GB) and system event log filling with these messages.

    I have turned off event logging for Scanning errors and Other errors - obviously does not help. Also I have tried to exclude the folder \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\CA\DSM\logs\ but it seems this too doesn't help. Looks like the only way to avoid these errors is to exclude a file pattern (fortunately there's a common prefix). 

    I fear I have to call support (unless some kind soul reading this does it for me) - but not today.

    Christian

  • Here are the results ...

    You can't exclude a path like \Device\HarddiskDmVolumes\... If you can determine the path with the drive letter (e.g. E:\CA\DSM\logs\), excluding it (don't forget the trailing backslash) indeed works (as does, as already said, the file pattern).

    The only remaining question is, why this message is in the Informational category and thus can't be suppressed using the AV policy.

    Christian

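
A triage sketch for the situation described in this thread, added here as an example and not taken from any of the posts or from Sophos: it reads log lines in the message format quoted in the first post, counts the "larger than 4GB" messages per file, lists the `\Device\...` paths that must be translated to a drive-letter path before they can be excluded, and derives the common file-name prefix of the repeat offenders as a candidate file-pattern exclusion. The file names `evcache_01.dat` and `evcache_02.dat`, the sample lines and the `storm_threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter
from os.path import commonprefix

# Message format as quoted in the first post of the thread.
MSG = re.compile(r"File (?P<path>.+?) not checked\. Files larger than 4GB "
                 r"are not supported by on-access scanning\.")

# Constructed sample input (not real log output); file names are assumptions.
DEV = r"\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\CA\DSM\logs"
TAIL = " not checked. Files larger than 4GB are not supported by on-access scanning."
SAMPLE = (
    [r"File \Device\HarddiskVolumeShadowCopy38\pagefile.sys" + TAIL]
    + ["File " + DEV + "\\evcache_01.dat" + TAIL] * 4
    + ["File " + DEV + "\\evcache_02.dat" + TAIL] * 3
    + ["Unrelated line"]
)

def triage(lines, storm_threshold=3):
    """Summarise 4GB messages: device paths, repeat offenders, shared prefix."""
    hits = Counter()
    for line in lines:
        m = MSG.search(line)
        if m:
            hits[m.group("path")] += 1
    report = {"counts": dict(hits), "device_paths": [], "storm": []}
    for path, n in hits.items():
        # Device-style paths cannot be excluded as written (see last post);
        # they need the equivalent drive-letter path or a file pattern.
        if path.startswith("\\Device\\"):
            report["device_paths"].append(path)
        # A file reported repeatedly is a candidate for the feedback loop
        # described in the thread (message logged -> file written -> message).
        if n >= storm_threshold:
            report["storm"].append(path)
    # Shared leading characters of the offending file names: a starting
    # point for a file-pattern exclusion.
    names = [p.rsplit("\\", 1)[-1] for p in report["storm"]]
    report["pattern_prefix"] = commonprefix(names) if names else ""
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```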