SavService.exe 100% CPU usage


We encountered a problem with our Sophos server: when I look at Task Manager, SavService.exe is at 100% CPU usage, which causes the server to hang. Please help with our problem.



  • Hi,

    Can you rule out a scheduled scan taking place during these times?  The SAV main interface (SAVMain.exe) will show any on-demand scans taking place in the bottom left (as long as you have rights to see them).

    Also I assume the scanning options (on-access) haven't been changed from the defaults or at least the defaults have been restored to see if it helps.  Scanning inside archive files on-access or scan all files for example.

    It is possible to turn on logging in the SAV driver to log what it's looking at.  To do so, add a DWORD value called LogFlags under the driver key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVOnAccess\

    For Vista, Win 7, 2008 and 2008R2.

    For XP/2003 it is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVOnAccessControl\

    Setting it to 15 (decimal) will do.  For full logging you can set it to hex FFFFFFFF but that is more than we need and will just slow things down further.

    Once created, restart the SAVService; the standard logfile SAV.txt will then have the details.  The log will grow quite quickly, so remember to remove the DWORD value and restart the service.  The sav.txt log file is in the following locations depending on OS:

    C:\ProgramData\Sophos\Sophos Anti-Virus\logs\  (Vista+)

    C:\documents and settings\all users\application data\Sophos\Sophos Anti-Virus\logs\ (XP/2003)

    I've just knocked together a quick script (it is for Windows Vista, Win7, 2008 only based on the paths and registry keys, although you could change the paths: registry and logs directory to those mentioned above) to automate this and collate a results file with all files accessed more than once ordered by the number of entries in the log.  Maybe that would be worth a try.  VBScript is at the bottom of the post.  Save as something.vbs and run it.   Maybe you could upload the results file/contents here.

    The problem is, adding the key requires the restart of the service.  This will of course reset the cache of what has already been scanned so the service will be doing more again than normal at startup.  Having said that it may still be useful.  The other approach would be to use ProcessMonitor to see what SAVService.exe is doing.  Maybe some exclusions could be added or problem files identified.



    Const HKEY_LOCAL_MACHINE = &H80000002
    Const ForReading = 1
    Const ForWriting = 2
    strPathToLogs               = "C:\ProgramData\Sophos\Sophos Anti-Virus\logs\"
    strSAVFileName              = "SAV.txt"
    strSAVFileDebug             = "SAVDebug.txt"
    strSAVOrig                  = "SAVOrig.txt"
    strResultFile               = "SAVResults.txt"
    strServiceName              = "SAVService"
    intTimeToStopServiceInSecs  = 10
    intTimeToStartServiceInSecs = 10
    strKeyPath                  = "SYSTEM\CurrentControlSet\Services\SAVOnaccess"
    strValueName                = "LogFlags"
    IntDebugValue               = 15
    intSAVServiceSettleTimeMins = 1
    intTestTimeMins             = 3
    strFilter                   = "on-access driver log information: check local file "
    blnCScriptEcho              = false
    intLimitResultToFilesAcc    = 1
    Wscript.echo "Once complete, this script will create a file called: " & strResultFile & " in the same directory.  Please wait for a completed message."
    'Create Objects
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    'Stop Service
    Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='" & strServiceName & "'")
    For Each objService in colListOfServices
        if blnCScriptEcho then
            Wscript.echo "Stopping SAVService..."
        end if
        objService.StopService()
    Next
    'Wait for the service to stop
    wscript.sleep intTimeToStopServiceInSecs * 1000
    'Delete any pre-existing debug sav.txt from previous runs
    if objFSO.FileExists (strPathToLogs & "\" & strSAVFileDebug) then
        if blnCScriptEcho then
            wscript.echo "Deleting any pre-existing " & strSAVFileDebug & "."
        end if
        objFSO.deleteFile strPathToLogs & "\" & strSAVFileDebug, True
    end if
    'Delete any pre-existing results files from previous runs
    if objFSO.FileExists (strResultFile) then
        if blnCScriptEcho then
            wscript.echo "Deleting any pre-existing " & strResultFile & "."
        end if
        objFSO.deleteFile strResultFile, True
    end if
    'Delete any pre-existing orig files from previous runs
    if objFSO.FileExists (strPathToLogs & "\" & strSAVOrig) then
        if blnCScriptEcho then
            wscript.echo "Deleting any pre-existing " & strSAVOrig & "."
        end if
        objFSO.deleteFile strPathToLogs & "\" & strSAVOrig, True
    end if
    'Backup Existing SAV.txt (in the logs directory) so we can restore it later
    if objFSO.FileExists (strPathToLogs & "\" & strSAVFileName) then
        if blnCScriptEcho then
            wscript.echo "Backing up existing " & strSAVFileName & " to restore later."
        end if
        objFSO.MoveFile strPathToLogs & "\" & strSAVFileName, strPathToLogs & "\" & strSAVOrig
    end if
    'Create LogFlags Key
    dim objReg : Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    if blnCScriptEcho then
        wscript.echo "Creating registry key: " & strKeyPath & "\" & strValueName & " Value:" & IntDebugValue & "."
    end if
    objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, IntDebugValue
    'Start Service
    For Each objService in colListOfServices
        if blnCScriptEcho then
            Wscript.echo "Starting SAVService..."
        end if
        objService.StartService()
    Next
    'Wait for the service to start (Sleep takes milliseconds)
    Wscript.sleep intTimeToStartServiceInSecs * 1000
    if blnCScriptEcho then
        Wscript.echo "Waiting " & intSAVServiceSettleTimeMins & " minutes to settle."
    end if
    Wscript.sleep intSAVServiceSettleTimeMins * 60000
    Wscript.echo "Please use the computer as you would for the next " & intTestTimeMins & " minutes in order to reproduce the high CPU usage."
    Wscript.sleep intTestTimeMins * 60000
    if blnCScriptEcho then
        Wscript.echo "Time is up."
    end if
    For Each objService in colListOfServices
        if blnCScriptEcho then
            Wscript.echo "Stopping SAVService..."
        end if
        objService.StopService()
    Next
    if blnCScriptEcho then
        Wscript.echo "Analyzing results..."
    end if
    'Wait for the service to stop
    wscript.sleep intTimeToStopServiceInSecs * 1000
    'Create a Dictionary to hold the lines (key) and their frequencies
    Set objDictionaryLines = CreateObject("Scripting.Dictionary")
    'Open the file for reading
    Set objFile = objFSO.OpenTextFile(strPathToLogs & "\" & strSAVFileName, ForReading, false, -1)
    'Loop until end of stream
    Do Until objFile.AtEndOfStream
        'Read each line
        strLineIn = lcase(objFile.ReadLine)
        intL = instr(strLineIn, strFilter)
        'Only count lines that contain the filter text; other log lines are skipped
        if intL > 0 then
            strFilteredLine = mid(strLineIn, (intL+len(strFilter)))
            'If line is not already in dictionary, add Item and set key value to 1. If line is already in dictionary, increment key value
            If Not objDictionaryLines.Exists(strFilteredLine) Then
                objDictionaryLines.Add strFilteredLine , 1
            Else
                objDictionaryLines( strFilteredLine ) = objDictionaryLines( strFilteredLine ) + 1
            End If
        end if
    Loop
    objFile.Close
    Set objDictSorted = SortDictionary(objDictionaryLines)
    Set objFileOut = objFSO.OpenTextFile(strResultFile, ForWriting, True, -1)
    For Each i In objDictSorted
        if len(i) > 0 then
            if objDictSorted.Item(i) > intLimitResultToFilesAcc then
                objFileOut.writeline "[" & objDictSorted.Item(i) & "] " & i
            end if
        end if
    Next
    objFileOut.Close
    'delete logflags key
    objReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName
    'move new sav.txt to savdebug.txt
    if objFSO.FileExists (strPathToLogs & "\" & strSAVFileName) then
        objFSO.MoveFile strPathToLogs & "\" & strSAVFileName , strPathToLogs & "\" & strSAVFileDebug
    end if
    'move original back to SAV.txt
    if objFSO.FileExists (strPathToLogs & "\" & strSAVOrig) then
        objFSO.MoveFile strPathToLogs & "\" & strSAVOrig, strPathToLogs & "\" & strSAVFileName
    end if
    'Start Service
    For Each objService in colListOfServices
        objService.StartService()
    Next
    Wscript.echo "Completed analysis.  The file " & strResultFile & " is in the same directory as the script."
    'Functions ----------------------------------------------
    'Returns a new Dictionary holding the same file/count pairs, ordered by count (highest first)
    Function SortDictionary(ByVal objDict)
        Dim arrKeys, i, j, temp, objSorted
        Set objSorted = CreateObject("Scripting.Dictionary")
        arrKeys = objDict.Keys
        'Sort the keys by their counts so each count stays attached to its own file
        For i = 0 To UBound(arrKeys) - 1
            For j = i + 1 To UBound(arrKeys)
                If objDict.Item(arrKeys(i)) < objDict.Item(arrKeys(j)) Then
                    temp = arrKeys(i)
                    arrKeys(i) = arrKeys(j)
                    arrKeys(j) = temp
                End If
            Next
        Next
        'A Dictionary enumerates in insertion order, so add the keys in sorted order
        For i = 0 To UBound(arrKeys)
            objSorted.Add arrKeys(i), objDict.Item(arrKeys(i))
        Next
        Set SortDictionary = objSorted
    End Function