
Sophos slow down while printing

Hi,

I have Sophos SBE and our client computers are 64bit WIN7. All of the clients have Sophos Endpoint Security and Control 9.5.

We have a Konica Minolta BizHub C250 with the latest driver, which is also really slow. Yesterday I realized that while I'm waiting for the printing so much.
While Word or Outlook is waiting for the printing process, the whole computer freezes, and SavService.exe eats approx. 30-40% of my processor.

I disabled on-access scanning and the printing was really fast without waiting.
When I try to modify anything in the printer properties, Sophos also slows down!

I would like to make some exclusions, but I have no idea how many directories to add.

Any comments are welcome.

:9385


  • Hello

    I excluded C:\Windows\System32\spool which is the spool folder for printer drivers and for printing.

    Now the printing is fast, but I need to test it on more computers.

    I also think that this workaround is not the best solution; I can't imagine why Sophos is slowing down the printer drivers.

    :9389
  • Hi Sandy,

    I tested this on many other computers and I also tested other Konica drivers, but the problem has not gone away.

    I will open a ticket.

    Thanks,

    :9453
  • Hi,

    If you have a test machine I would suggest as a test removing detours (http://www.sophos.com/support/knowledgebase/article/112099.html).

    To do so, open the keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    if running on a 64-bit test machine and remove the entry to load the Sophos detours DLL.  Please back up the keys before doing so or copy the paths to the Sophos DLLs in both places so they can be added back later.

    You would then need to reboot to ensure all processes are no longer hosting detours.

    Once booted back up, try printing; if it works, it puts us in the right area.  I would suggest turning on-access back on.

    If removing detours doesn't help I would suggest:

    1. Download Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645) and start capturing

    2. Emulate the problem.

    3. Stop capturing.

    4. Open the Tools menu in Process Monitor and look at the file summary.  This might show which files are being constantly opened etc. during the process.  Maybe excluding something in there could be an option.

    Regards,

    Jak

    :9457
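Step 4 of the procedure above, as an added example that is not part of the original thread and not Sophos or Sysinternals code: it assumes the capture was saved from Process Monitor as CSV with the default columns, and counts file operations per path and per directory so that an exclusion can be scoped to the files actually being rescanned rather than to all of C:\Windows\System32\spool. The sample rows and the driver file name are constructed.

```python
import csv
import io
from collections import Counter
from ntpath import dirname  # Windows path rules, works on any OS

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","SavService.exe","1200","CreateFile","C:\Windows\System32\spool\drivers\x64\3\EXAMPLEDRV.DLL","SUCCESS",""
"10:01:02.11","SavService.exe","1200","ReadFile","C:\Windows\System32\spool\drivers\x64\3\EXAMPLEDRV.DLL","SUCCESS",""
"10:01:02.12","SavService.exe","1200","ReadFile","C:\Windows\System32\spool\drivers\x64\3\EXAMPLEDRV.DLL","SUCCESS",""
"10:01:02.20","SavService.exe","1200","ReadFile","C:\Windows\System32\spool\PRINTERS\00012.SPL","SUCCESS",""
"10:01:02.30","WINWORD.EXE","3100","WriteFile","C:\Users\test\doc.docx","SUCCESS",""
"10:01:02.40","SavService.exe","1200","RegOpenKey","HKLM\SOFTWARE\Example","SUCCESS",""
"10:01:02.50","SavService.exe","1200","CloseFile","C:\Windows\System32\spool\drivers\x64\3\EXAMPLEDRV.DLL","SUCCESS",""
'''

# File-system operations worth counting; registry and network events are skipped.
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile", "QueryOpen"}


def summarize(csv_text, process="SavService.exe", top=5):
    """Return (top paths, top directories) touched by `process`, with counts."""
    by_path, by_dir = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in FILE_OPS:
            continue
        path = row["Path"].lower()  # Windows paths are case-insensitive
        by_path[path] += 1
        by_dir[dirname(path)] += 1
    return by_path.most_common(top), by_dir.most_common(top)


if __name__ == "__main__":
    # For a real capture, read the export instead of the sample, e.g.
    # open("Logfile.CSV", encoding="utf-8-sig").read() (the file name is an assumption).
    paths, dirs = summarize(SAMPLE_CSV)
    for label, rows in (("Files", paths), ("Directories", dirs)):
        print(label)
        for name, count in rows:
            print(f"  {count:6d}  {name}")
```
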
  • Hi Jak,

    I tested it on two different computers. The printing processes were faster. It didn't get stuck on savservice.exe.

    Is there a chance of getting another error because of removing the Sophos DLLs?

    Do I need to test another task related to this?

    Regards,

    :9475
  • Hi,

    I think if you've now narrowed it down to detoured specifically you might be best calling Support with this information.

    Disabling detoured will disable the functionality of SAV as mentioned in the article I linked; hopefully they will have a plan for you.

    Regards,

    Jak

    :9735
  • I excluded C:\Windows\System32\spool

    Certain malware uses this folder to drop files in, so don't exclude this folder from on-access scanning.

    :9853
  • Before infecting the spool directory, malware should be read; the read scan should prevent this situation.

    :9877
  • Hello Davide,

    before infecting the spool directory malware should be read

    not necessarily - as malware often doesn't come as a single executable an as yet unknown component might download directly to any location.

    Christian

    :9887
  • The problem of slow print jobs is one that often occurs; what do you suggest to resolve it?

    :9889
  • That's right QC.

    0-day malware is the problem. 30 to 40 new malware variants get added to SAV every day. If you exclude the Spool folder, you risk the system being infected. Like I said, it's a preferred location for a couple of (well spread) malware variants out there. I've seen it multiple times. It's not rare. Malware authors update their creations constantly, which at the same time means (depending on the amount of code changes) it can be 0-day already tomorrow, and depending on your settings (HIPS enabled?) it will not be detected if you exclude Spool.

    :9893