Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 5533 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

sav32cli.exe consuming 100% CPU resources on the Server.

Kostya Khomko

Hello,

Our server is overloaded because of sav32cli.exe service which is using to much resources. Is there any way to decrease the load to the server because no one can work on it when this service is up and running there?

Current configuration: Windows Server 2012 R2 Standard (AWS 4 cores * 2GHZ and 16 GB of RAM).

SophosAntivirus Product Version: 10.6

 

Even server restart does not help.

 

Issue can be fixed only if to move somewhere this file sav32cli.exe (but it is not a good solution, as for me).

We need command line scanner working but not overloading our server.



This thread was automatically locked due to age.
Parents
  • 0

    Hello Kostya Khomko,

    We need command line scanner
    excuse me - what for do you use sav32cli.exe and how do you call/start it? It's not part of normal operation and must be deliberately be started - so if even server restart does not help you should find the someone who configured the server to start it.

    Christian

  • 0 in reply to QC

    Hello,

    We use it for IIS i guess. It checks something after IIS doing some actions (doing some tests). But it was not tuned by me or someone else to check it for IIS. This happens by itself.

  • 0 in reply to Kostya Khomko

    Hello Kostya Khomko,

    I've heard of a few cases where sav32cli.exe is (was?) used for on-demand scans (e.g. of uploads). It has an enormous initialization overhead and is IMO not suitable for on-request scanning. It's like calling the reception in a large hotel to send someone to bring and immediately take away a waste basket every time you have something to dispose. Whatever has been implemented with IIS apparently got out of hand. But definitely it has been implemented by someone. To repeat - sav32cli.exe is not part of normal operation. Whoever has done this must have thought it's a clever idea to either avoid the overhead of on-access scanning or to work around the error-handling of IIS (or perhaps something I can't think of at the moment).

    Is there only one instance of sav32cli.exe or are there multiple?

    Christian

  • 0 in reply to QC

    As far as i know from our developer he is simulating tests which similar to 500 user sessions is IIS (starts from 300 and raise till 500 and back to 300).  Could we turn this check off (sav32cli.exe)  somehow if you say that is not needed? There are several instances of sav32cli.exe in server task manager and its quantity varies all the time (from 4 to 10). But anyway they consume 100% of CPU. Is there any way to change the priority for this service (from normal to low) if it can not be turned off in  normal way? I tried to do it in task manager but it had no effect. CPU consumption was the same (still 100%) even after finishing these tests sav32cli.exe still worked and used all the server cores resources even after 30 minutes after tests finishing. This is some kind of magic, as for me. I will be appreciated for any tips how it could be solved because i can not see that service running in services.msc on our server in order to stop it there.

  • 0 in reply to Kostya Khomko

    Hello Kostya Khomko,

    naturally I can't tell what your developer is up to. All I can say is that sav32cli.exe is intended for a single-instance scan of whatever part of the file system is of need. I estimate the overhead for scanning a single file in excess of 99% - no wonder it maxes out your server. And it's not a service but independent instances. sav32cli.exe initializes, loads the virus data(bases) for performance and then starts the actual scan - only to free all these resources after microseconds.

    There exists an interface for on-request scans, SAVDI - please have a look.

    Christian

Reply
  • 0 in reply to Kostya Khomko

    Hello Kostya Khomko,

    naturally I can't tell what your developer is up to. All I can say is that sav32cli.exe is intended for a single-instance scan of whatever part of the file system is of need. I estimate the overhead for scanning a single file in excess of 99% - no wonder it maxes out your server. And it's not a service but independent instances. sav32cli.exe initializes, loads the virus data(bases) for performance and then starts the actual scan - only to free all these resources after microseconds.

    There exists an interface for on-request scans, SAVDI - please have a look.

    Christian

Children
No Data
Unfiltered HTML