
Sophos Endpoint Security and Visual Studio

Hi, 

We run Sophos Endpoint Security on our desktop machines and a few of those machines have Visual Studio on them. When we were in the process of setting Sophos up, we imported a list of file types (extensions relating to Visual Studio) that we wanted to exclude from being scanned and they have been specified in both the 'on-access scanning' and Windows exclusions areas of the Enterprise Console.

However, my colleagues are reporting that when compiling a program in Visual Studio, it is taking a considerable time for the project to compile and they have noted that the CPU % utilisation is higher than before Sophos was placed onto the machine.

Do you have any specific recommendations to make regarding what changes can be made to stop Sophos causing the issues stated above?



This thread was automatically locked due to age.
  • Hello Aaron,

    in both the Extensions and Windows Exclusions

    I see - forgot the excluded extensions (you get the same result with a Windows wildcard *.ext exclusion but the excluded extension is not as obvious - and note that the exclusions also apply to DLP). I suggest you also look at the On-Access Extensions tab in the client GUI (when no exclusions are set in the SEC policy) - it shows the extensions to be scanned and the ones you specified might not be on the list anyway (thus they only give the filter driver a little bit more to do).

    A few words on scanning - this is not some kind of fixed overhead when a file is accessed. I've mentioned that a file is not rescanned. Dunno the exact order but when a file is intercepted its attributes (and potential exclusions) first determine whether it is scanned at all. A "fingerprint" is taken so that a file already encountered is not scanned more than once. The true filetype is determined (the START command will attempt to start a program regardless of its name or extension - give it a try), a cursory scan is done (e.g. to verify the integrity of a signed file) and if necessary a deeper scan is performed.

    If the results are (almost) the same with or without the exclusions then the cycles are apparently spent dealing with something else.

    yes we have tested disabling 'on-access' scanning but that didn't have an impact on the increase in CPU

    I'm not sure I understand you correctly - there is a significant increase in CPU (compared to Sophos not installed) even with On-Access completely off? Do you have HIPS (behavior monitoring) turned on?

    Christian
