Hi there,
We found out that deactivating on-access scans has a massive impact on the speed of our network printers. Is there a way to disable on-access scans for printing processes?
best regards
Silvio
Hello Silvio,
deactivating on-access scans has a massive impact on the speed of our network printers
put the other way round: On-Access scanning has apparently a massive impact on network printing. Network printing is not some rarely used function and if there were a general issue it'd be known. Network printers means the clients communicate using some network protocol directly with the printers, not to printers on some print server? What is a massive impact - do you have some scenarios or numbers?
Without knowing the actual cause it might or might not be possible to resolve this issue by disabl[ing] on-access scans for printing processes - normally spoolsv.exe is involved in printing. You could try a process exclusion - but as said, such an exclusions shouldn't be necessary and even if it seems to solve the problem you should try to find the actual cause.
Christian
Hello Christian,
thanks for your answer.
I'll try to describe the whole thing:
After 5 years of running, we renewed our server system last week with a Windows Server 2012 R2 Hyper-V Host, which is hosting 6 virtual machines. All of them are secured with sophos endpoint protection including the standard rules for Firewall and everything else.
One of these virtual servers is our printserver (WinServer2012R2) and another one is our RDP-Server (WinServer2008R2).
We installed all of our printers on the printserver and connected the ones each user needs (using "\\printserver_ip\printer" -> double click)
Now the problem is, that everybody in the office said, that printing is even slower with the new server as it was with the old ones.
So we did some research and deactivated the "On-Access Scan" function to see, if the documents get printed out faster.
And it worked.
To give you some numbers: printing out an eMail (no pictures, just a little logo and html text) from outlook 2010 lasts about 15 seconds with "On-Access Scan" activated. Without "O-A S" it lasts about 4 seconds.
I'm not a professional in configuring sophos endpoint protection. Maybe I should change some settings to improve this behavior, but I don't really know, where to start. I tried changing the settings of the firewall rule (unblock file and printer sharing) but that doesn't work.
Maybe you have another idea?
Hello Silvio,
you disabled on-access scan where? I'm not sure I understand your whole thing correctly - as you mention RDP-Server: Users are printing from Terminal sessions or from their workstations?
Trying to find a simple cause or at least a simple troubleshooting procedure. If it worked before then something must have changed. And it's just (network) printing that seems to be affected? I don't see why OA should suddenly have such an impact, with the default settings Web Download scanning is also turned off (but why should this come into play here and if it does it won't explain 10 seconds).
Christian
Hello Silvio,
you disabled on-access scan where? I'm not sure I understand your whole thing correctly - as you mention RDP-Server: Users are printing from Terminal sessions or from their workstations?
Trying to find a simple cause or at least a simple troubleshooting procedure. If it worked before then something must have changed. And it's just (network) printing that seems to be affected? I don't see why OA should suddenly have such an impact, with the default settings Web Download scanning is also turned off (but why should this come into play here and if it does it won't explain 10 seconds).
Christian
I disabled on-access scan in the sophos enterprise console (also installed on the printserver).
Some users do both: printing from terminal server session and from workstations. The workstations are not secured with endpoint protection yet and printing is way faster.
It worked before, but we didn't use Sophos endpoint protection until now.
And yes, it seems like just network printing is affected.
Hello Silvio,
so you're new to Sophos, aren't you? Let me touch on a few things.
disabled [...] in the [...] console
actually you disable (or change the settings) in a Policy (the AV policy in this case), a policy is assigned to zero or more groups (note that policies are individually assigned - a policy inherits its parent's settings when created but a subsequent change of the parent's assignment does not apply to its children), and implicitly to the computers contained in these groups.
workstations are not secured with endpoint protection yet and printing is way faster
this would exonerate the print server. I'd create a (sub-)group and an associated AV policy with on-access off. By moving a computer into or out of this group you can easily disable or enable on-access scanning and assess its effect on the servers involved - from your description it doesn't seem to be the print server.
Christian
Hello Christian,
I tried changing the on-access scan configuration (AV-policy) for servers to "write" (uncheck read and change) and printing is a lot faster than before.
But I don't know if this is a good idea?!?!
I'll give your suggestion of a new group with o-a scan turned off a try tomorrow. I'll keep you updated about the results, if you want me to.
Hello Christian,
I'm sorry for being late with my answer.
We installed a UTM 9 last week so I didn't have time for further investigations. After the installation process of the UTM 9, we faced the problem again.
So I talked to the sophos support team and they told me, to exclude the spool-directory of the print-server within the on-access scans (Windows-Exclusions).
I did that and it works fine. I know it's not the best way, but since the UTM is filtering all incoming data, I think I will keep this configuration for now.
Thanks for your help.
best regards
Silvio
