
Does ALMon.exe Need to Run for Each RDP Session on a Terminal Server?

An instance of ALMon.exe*32 runs for each RDP session on our Windows 2008 server.

If its sole purpose is to allow, "...Sophos Anti-Virus to display virus alerts to the user desktop." is it really needed for remote desktop users?

The process consumes between 800K and 1400M of RAM for each user session, which adds up pretty quick with 50 sessions going.

Can it safely be prevented from running for these user sessions, and if so, how?



  • Hi,

    You could stop almon.exe running to save some memory but your end users would lose desktop notifications.  It will not affect protection but your users might get an access denied message from Windows when opening a blocked file rather than a more informative and friendly desktop message from SAV.  If you're using web control, then any notifications for HTTPS sites that match categories would also be lost.

    If I recall, in the file imon.cfg (\programdata\sophos\config) there is a value for AllowMonitorToRun, you could try setting that to 0.  You could then try killing almon.exe for your session and then re-launch it to test if the process remains running.  

    There is also the "run" registry key (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run), from which it is launched, that could always be removed but it might get put back the next time AutoUpdate updates AutoUpdate to a newer version.  This doesn't happen that often so you could just remove it again.

    To be honest, I'm equally not sure if the imon.cfg file change will also be persisted on upgrade of SAU but these are the two options I suppose.

    I think that running almon.exe as the user logs in also triggers savproxy.exe to run.  This exe is only used to set the proxy details in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\SophosProxy) for sample submission (again not protection related as such) from the savservice.  I'm not sure if you even have this option enabled so you probably wouldn't lose much there.  Plus it gets called at other times anyway and if it's already set and your proxy doesn't change if you have one, it's also no issue.

    Hope it helps.

    Regards,

    Jak
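
A read-only check for the points raised in the answer above, as an added example that is not part of the original posts and is not Sophos tooling: it totals ALMon.exe memory per session and reports whether a Run entry and the AllowMonitorToRun setting are present, so it can be re-run after an AutoUpdate upgrade to see if either was put back. The imon.cfg location is taken from the post as recalled there, and the file is only text-searched because its format is not assumed.

```powershell
# Added example: audit only, makes no changes to processes, registry or files.
$runKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
# Path as recalled in the post (\programdata\sophos\config); adjust if it differs.
$cfg    = Join-Path $env:ProgramData 'Sophos\config\imon.cfg'

# 1. ALMon.exe instances and working set, one row per RDP/console session.
$procs = @(Get-Process -Name 'ALMon' -ErrorAction SilentlyContinue)
$procs | Sort-Object SessionId |
    Select-Object SessionId, Id,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
    Format-Table -AutoSize

$sum     = ($procs | Measure-Object -Property WorkingSet64 -Sum).Sum
$totalMB = [math]::Round($sum / 1MB, 1)
'ALMon.exe instances: {0}, total working set: {1} MB' -f $procs.Count, $totalMB

# 2. Any value under the Run key whose command line references almon.exe.
#    The value name is not assumed; entries are matched on their data.
$hits = @()
$run  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $hits = @($run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'almon\.exe' } |
        Select-Object Name, Value)
}
if ($hits.Count -gt 0) {
    'Run entries that launch almon.exe:'
    $hits | Format-List
} else {
    'No Run entry references almon.exe.'
}

# 3. Show the AllowMonitorToRun line(s) from imon.cfg, if the file exists.
if (Test-Path -Path $cfg) {
    $lines = @(Select-String -Path $cfg -Pattern 'AllowMonitorToRun')
    if ($lines.Count -gt 0) {
        $lines | ForEach-Object { '{0}: {1}' -f $cfg, $_.Line.Trim() }
    } else {
        "AllowMonitorToRun not found in $cfg"
    }
} else {
    "$cfg not found"
}
```

Run it from an elevated prompt on the terminal server so that processes in other users' sessions are visible.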

  • That was a thorough answer! Excellent, thank you Jak.

    Now that I have a more in-depth understanding of the process, I think I know what I need to do now.
