
Configuring AV protection (Real Time scanning) for performance

I am just configuring the Base Policy and am looking for some advice on configuring Real-time scanning.

 

I have set my Scan to local and ticked the option for on read but not on write for performance reasons.

 

In addition I have applied global exclusions for my Windows Server/Desktop environment.

 

Can anyone comment on this?



  • Hello Chris Yue,

    I'd conjecture the Default anti-virus scanning options for Sophos Central are also the recommended ones at least for desktops thus I'd leave the Base Policy as it is unless I have a very good reason to change it.

    for performance reasons
    did you actually assess the performance impact of scan-on-write or is it just a guess?

    local [only]
    indeed files on shares would be scanned twice - by the server and also by the endpoint (though a file identified as "known" is not rescanned). A file written to a share by an endpoint and then read by another is still scanned on read by the server - but only if it's not excluded, so this setting is a little bit risky.

    global exclusions
    desktop endpoints don't need exclusions

    Just my two cents - but you've asked

    Christian

     

  • Hi Christian,

    Thanks for coming back to me.

    for performance reasons

    I already had some users from the Development Team comment how slow it takes to save any changes within their Visual Studio window (hence the deselection of Scan on Write).

    local [only]

    Yes, typically the likes of our file servers have the Local scan set so disabling the client in my eyes should be safe.

    global exclusions

    Since posting I have applied some recommended exclusions from the Microsoft Website (pagefile.sys, NTUser.pol, Registry.pol, etc.)

  • Hello Chris Yue,

    Development is a special case (or was it developers? [;)]) - seriously, there are cases where you naturally encounter performance impacts.
    Scan-on-write and later it being enabled as default and recommended setting wasn't introduced for an insignificant gain in protection. Thus it shouldn't be globally disabled.
    As to remote files and servers - as long as it's guaranteed that a file is scanned (and that the configuration is in one hand) it's ok. In real life though communication and coordination isn't always optimal, so one side disables something or sets an exclusion relying on the other side - and the other side does the same. It has happened.

    recommend exclusions
    there you have it: First I advise to follow the recommendations and then I speak against them. If it ain't broken don't fix it! ... dialectics ... AV-scanning is not something nice-to-have, it's been around for quite some time and systems and software should be able to live with it. Not once I've seen a vendor's recommendation together with a concrete example and an analysis what exactly happens, why it happens, and why the vendor's software can't "tolerate" the AV. Microsoft is generally more or less vague, ranging from for troubleshooting only to otherwise hell breaks loose, changing over time from one end to the other and back, and quite varied for different products. I leave it to your discretion.

    Christian
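
The coverage gap discussed in this thread (endpoints set to scan local files only while the file server carries its own exclusions) can be checked mechanically. The following is an added example, not part of the original posts and not a Sophos API: the `Policy` class, its field names, the host name `fs01` and all paths are constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Policy:
    """Hypothetical, simplified real-time scanning policy for one side."""
    on_read: bool = True
    on_write: bool = True
    scan_remote: bool = True      # False models the "local only" setting
    exclusions: list = field(default_factory=list)  # glob patterns

    def scans(self, path: str, remote: bool) -> bool:
        """True if this side scans the file at some point (read or write)."""
        if remote and not self.scan_remote:
            return False
        if not (self.on_read or self.on_write):
            return False
        p = path.lower()          # Windows paths compare case-insensitively
        return not any(fnmatchcase(p, pat.lower()) for pat in self.exclusions)

def coverage(files, endpoint: Policy, server: Policy) -> dict:
    """files: (unc_path, server_local_path) pairs naming the same share file."""
    result = {}
    for unc, local in files:
        sides = []
        if endpoint.scans(unc, remote=True):    # the share is remote to the endpoint
            sides.append("endpoint")
        if server.scans(local, remote=False):   # and local to the file server
            sides.append("server")
        result[unc] = sides
    return result

def gaps(files, endpoint: Policy, server: Policy) -> list:
    """Share files that neither side scans."""
    return [p for p, s in coverage(files, endpoint, server).items() if not s]

# Constructed sample: endpoint set as in the question, server with one exclusion.
ENDPOINT = Policy(on_write=False, scan_remote=False, exclusions=[r"C:\pagefile.sys"])
SERVER = Policy(exclusions=[r"D:\Shares\Dev\*"])
FILES = [
    (r"\\fs01\Dev\build\tool.exe", r"D:\Shares\Dev\build\tool.exe"),
    (r"\\fs01\Finance\report.xlsx", r"D:\Shares\Finance\report.xlsx"),
]

if __name__ == "__main__":
    for path, sides in coverage(FILES, ENDPOINT, SERVER).items():
        print(f"{path}: {', '.join(sides) or 'NOT SCANNED'}")
```

Running the check whenever either side's policy changes surfaces share paths where each side is relying on the other.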
