
Sophos SESC9 appears to have a memory leak

Has anyone else seen this?

I've been testing SESC9 for a few months and found the following:

  1. Savservice.exe starts with about 94MB of memory after install.
  2. Our managed nodes are set up to fail over to Sophos for updates if they cannot reach our sites. When this occurs the Sophos site installs 1 of 1 and savservice.exe increases in memory use.
  3. This same thing occurs when our node comes back to update from our site install 1 of 1 and savservice.exe increases in memory use.
  4. I checked nodes in our testing and saw savservice.exe running 200MB, 300MB and 1.2BM of memory.
  5. I tested this on my computer and watched savservice.exe go from 94MB to 140MB before stopping my test.

I look forward to seeing what you have experienced.



  • I did initiate a support ticket and got this response:

    "To start with - please run through this list of things to check in addition:

    Firstly, and it sounds as if you have done this bit already - confirm on-access details are set to default, as per

    http://www.sophos.com/support/knowledgebase/article/14245.html

    Secondly, as HIPS policy settings, and those for Application Control, are not included in KBA 14245's list of recommendations, these may need to be checked when isolating scanning issues:

    1) HIPS runtime behavior analysis (default) settings:

    Detect suspicious behavior
    Detect buffer overflow
    Alert only
    If 'alert only' is selected, HIPS scanning will still take place. Alerts are sent to the Enterprise Console, as well as appearing locally in the Quarantine Manager.


    2) Application Control settings:

    Right-click 'Application Control' policy in Enterprise Console | View/Edit policy ...
    Untick 'Scanning | Enable on-access scanning'

    Note that scanning for Application Control can still occur when regular on-access scanning is disabled, because the option above is not dependent on that setting.


    3) Additionally, please check if Web Content Scanning is enabled. For details on how to do that, please see:

    Article ID:36265
    Title:Sophos Anti-Virus for Windows 2000+: how to locally enable or disable the Sophos web content scanner
    URL: http://www.sophos.com/support/knowledgebase/article/36265.html

    If you wish to completely disable the BHO loader, however, for further testing, please use the method given in this article:

    Article ID:59284
    Title:Sophos Anti-Virus for Windows 2000+: Internet Explorer v.8 fails to open or displays error
    URL: http://www.sophos.com/support/knowledgebase/article/59284.html


    I would suggest you go through the above details one at a time, to see if you can isolate the component which is responsible for the change since this update.
    I am suspecting it is the BHO scanner - Web Content scanning - because some other customers have been reporting similar issues recently, although it ultimately often is coincident with an update to IE8.

    Let me know what you find."

    Again, in my case, disabling On-write from our On-Access Scanning settings seems to have done the trick.
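
One way to put numbers on the one-setting-at-a-time isolation described above, as an added example that is not part of the thread and not Sophos tooling: it samples savservice.exe memory while a single setting is changed and reports the growth rate. The function name, the labels and the CSV path are hypothetical.

```powershell
# Added example: sample a process's memory at intervals and estimate growth.
# Run one pass per configuration change, each with its own -Label.
function Measure-ProcessMemoryGrowth {
    param(
        [string]$ProcessName = 'savservice',          # process named in the thread
        [string]$Label = 'baseline',                  # hypothetical tag for the setting under test
        [int]$Samples = 30,
        [int]$IntervalSeconds = 60,
        [string]$CsvPath = '.\savservice-memory.csv'  # assumed output location
    )
    $start = Get-Date
    $rows = @(for ($i = 0; $i -lt $Samples; $i++) {
        $p = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($p) {
            [pscustomobject]@{
                Label        = $Label
                Hours        = ((Get-Date) - $start).TotalHours
                ProcessId    = $p.Id
                PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
                WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            }
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    })
    if ($rows.Count -lt 2) { throw "Fewer than two samples of $ProcessName were collected." }
    $rows | Export-Csv -Path $CsvPath -Append -NoTypeInformation

    # Least-squares slope of private bytes against elapsed time (MB per hour).
    $n  = $rows.Count
    $sx = ($rows | Measure-Object -Property Hours -Sum).Sum
    $sy = ($rows | Measure-Object -Property PrivateMB -Sum).Sum
    $sxy = 0.0; $sxx = 0.0
    foreach ($r in $rows) { $sxy += $r.Hours * $r.PrivateMB; $sxx += $r.Hours * $r.Hours }
    $den = $n * $sxx - $sx * $sx

    [pscustomobject]@{
        Label          = $Label
        Samples        = $n
        FirstMB        = $rows[0].PrivateMB
        LastMB         = $rows[-1].PrivateMB
        SlopeMBPerHour = if ($den -ne 0) { [math]::Round(($n * $sxy - $sx * $sy) / $den, 2) } else { $null }
        # A PID change means the service restarted, so the slope spans two processes.
        Restarted      = @($rows.ProcessId | Select-Object -Unique).Count -gt 1
    }
}

# Example: one pass after disabling a single setting, with an update triggered during the run.
# Measure-ProcessMemoryGrowth -Label 'on-write-disabled' -Samples 60 -IntervalSeconds 30
```

Comparing `SlopeMBPerHour` between labelled passes shows which change flattens the growth; a pass with `Restarted` set to true should be repeated.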
