
Slow Remote copy of newly compiled files

Hello,

I am finding that Sophos is slowing down the copy of newly compiled files to a remote shared directory. This affects the way I deploy internally developed applications - either by using Visual Studio ClickOnce publish or by simply using xcopy to copy the executables and dlls.  The slowdown is something like a 60 times slowdown - so the copy is 10s without Sophos and 10 minutes with Sophos - more frustrating than a major issue.

Has anybody else had similar problems or ideas how to solve this?

Many Thanks,

Adrian



  • Just as a check, if you disable the scanning of remote files does it help?

    Regards,

    Jak

  • Bit of a thread necro I realise but this perfectly describes a problem my client's devs are experiencing with project rebuilds that involve a file copy via PowerShell / Windows Explorer to a remote server.

    Preposterously slow with scanning of remote files enabled, acceptable without it.

    Bit concerned that as with the other Sophos issue my clients have experienced in the few weeks they've had the product the result is disabling another bit of the protection.

    They're not going to have a great deal left at this rate.

  • FWIW it seems like a problem scanning previously unseen files (DLLs in particular I'd imagine) which is obviously something devs tend to create proportionally more of.

    You can mitigate the problem by scanning the files before copying - this works out considerably faster overall but for some reason a user-initiated file scan seems to require elevated privileges.

  • Just want to say this is still a major problem.  Before we started using Sophos (were on Avast) publishing the main application I use from my machine to the web server where it installs from took 20 - 30 seconds.  Now with Sophos it takes 2 - 3 minutes.  Now that by itself isn't that bad.  The problem is when I publish while VPN'd in it can take 30 - 45 minutes which is completely unacceptable.  Not sure what can be done about this but it is fairly annoying as I work from home a couple times a month and I dread having to push application changes when that happens.

    Side note - I am VPN'd in using a RED device connected to a Sophos XG firewall so it's Sophos everywhere.

  • Hi Allan,

    Can you please share whether the endpoint is managed by the Sophos Central dashboard or via Enterprise Console?

    SAJ
    Community Support Engineer | Sophos Technical Support
  • Have you narrowed it down to a component of the endpoint software?

    Do you have HMPA, SED and SAV installed on these computers?  One simple way to see is to run in an admin cmd prompt: fltmc.exe.  If you see:

    Sophos Endpoint Defense
    hmpalert
    SAVOnAccess

    Then:
    "Sophos Endpoint Defense" is sophosed.sys and is part of Sophos Endpoint Defense.
    "hmpalert" is hmpalert.sys and is part of HMPA.
    "SAVOnAccess" is SAVOnAccess.sys and is part of SAV.
    All these file system filter drivers are in \windows\system32\drivers\.

    I would first test ruling out HMPA; this driver injects hmpalert.dll into processes at startup and it also performs CryptoGuard.

    So disable Tamper Protection on the computer, rename \windows\system32\drivers\hmpalert.sys to \windows\system32\drivers\hmpalert.sys.off and reboot.

    This will rule out HMPA completely. Do you still have the issue?  If no, add it back and reboot, see the issue again, then disable CryptoGuard in policy as it could be this feature.

    Having ruled out HMPA, the next test is to rule out SAV.  To do so, you can't unload the SAVOnAccess driver without stopping the SAVService.  Therefore:
    sc stop savservice
    fltmc unload savonaccess

    This will stop the main SAVService and the second command will unload the savonaccess driver.

    Do you see the issue then?
    If no, then I would consider re-enabling it again, and maybe then disable on-access/real-time scanning in policy.  Does the issue occur then?  Does disabling remote file scanning help?

    If after disabling SAV and HMPA, you still have the issue then it could be sophosed.sys.  This can also be disabled but I can detail that more if you get this far.

    Regards,
    Jak
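
Added example (not part of the thread and not Sophos tooling): a PowerShell sketch that reads fltmc output, reports which of the three filter drivers named in the post above are loaded, and times a copy so each test state can be compared. The function names, sample output and paths are assumptions made for illustration.

```powershell
# Added example. Filter name -> driver and component, as listed in the post above.
$SophosFilters = [ordered]@{
    'Sophos Endpoint Defense' = @{ Driver = 'sophosed.sys';    Component = 'Sophos Endpoint Defense' }
    'hmpalert'                = @{ Driver = 'hmpalert.sys';    Component = 'HMPA' }
    'SAVOnAccess'             = @{ Driver = 'SAVOnAccess.sys'; Component = 'SAV' }
}

function Get-SophosFilterState {
    # Pass captured fltmc lines, or omit to run fltmc.exe live (needs an elevated prompt).
    param([string[]]$FltmcOutput = (& fltmc.exe))
    foreach ($name in $SophosFilters.Keys) {
        # Filter names may contain spaces, so anchor on the known name followed by
        # the numeric "Num Instances" column instead of splitting on whitespace.
        $pattern = '^\s*' + [regex]::Escape($name) + '\s+(\d+)\s+(\S+)'
        $hit = $FltmcOutput | Select-String -Pattern $pattern | Select-Object -First 1
        [pscustomobject]@{
            Filter    = $name
            Component = $SophosFilters[$name].Component
            Driver    = $SophosFilters[$name].Driver
            Loaded    = [bool]$hit
            Instances = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { 0 }
        }
    }
}

function Measure-RemoteCopy {
    # Times one copy and records which of the three filters were loaded during it.
    param([string]$Source, [string]$Destination, [string[]]$FltmcOutput = (& fltmc.exe))
    $elapsed = Measure-Command { Copy-Item -Path $Source -Destination $Destination -Recurse -Force }
    [pscustomobject]@{
        Seconds       = [math]::Round($elapsed.TotalSeconds, 1)
        LoadedFilters = (Get-SophosFilterState -FltmcOutput $FltmcOutput |
                         Where-Object { $_.Loaded }).Filter -join ', '
    }
}

# Constructed sample (instance counts and altitudes are made up): state after hmpalert is ruled out.
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame'
    '------------------------------  -------------  ------------  -----'
    'Sophos Endpoint Defense                 5       111111         0'
    'SAVOnAccess                             5       222222         0'
)
Get-SophosFilterState -FltmcOutput $sample | Format-Table

# Hypothetical paths: run once per test state and compare the Seconds column.
# Measure-RemoteCopy -Source .\bin\Release -Destination \\server\share\app
```

Recording the loaded filters next to each timing also leaves a note of which drivers still need to be re-enabled once the slow component has been identified.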