Slow Remote copy of newly compiled files

Hello,

I am finding that Sophos is slowing down the copy of newly compiled files to a remote shared directory. This affects the way I deployed internally developed applications - either by using Visual Studio ClickOnce publish or by simply using xcopy to copy the executables and DLLs. The slowdown is something like 60 times - so the copy is 10s without Sophos and 10 minutes with Sophos - more frustrating than a major issue.

Has anybody else had similar problems or ideas how to solve this?

Many Thanks,

Adrian



  • Just want to say this is still a major problem. Before we started using Sophos (we were on Avast), publishing the main application I use from my machine to the web server where it installs from took 20 - 30 seconds. Now with Sophos it takes 2 - 3 minutes. Now that by itself isn't that bad. The problem is when I publish while VPN'd in, it can take 30 - 45 minutes, which is completely unacceptable. Not sure what can be done about this but it is fairly annoying as I work from home a couple of times a month and I dread having to push application changes when that happens.

    Side note - I am VPN'd in using a RED device connected to a Sophos XG firewall, so it's Sophos everywhere.

  • Have you narrowed it down to a component of the endpoint software?

    Do you have HMPA, SED and SAV installed on these computers? One simple way to see is to run in an admin cmd prompt: fltmc.exe. If you see:

    Sophos Endpoint Defense
    hmpalert
    SAVOnAccess

    Then:
    "Sophos Endpoint Defense" is sophosed.sys and part of Sophos Endpoint Defense.
    "hmpalert" is hmpalert.sys and part of HMPA.
    "SAVOnAccess" is SAVOnAccess.sys and part of SAV.
    All these file system filter drivers are in \windows\system32\drivers\.

    I would first test ruling out HMPA; this driver injects hmpalert.dll into processes at startup and it also performs Cryptoguard.

    So disable Tamper Protection on the computer, rename \windows\system32\drivers\hmpalert.sys to \windows\system32\drivers\hmpalert.sys.off and reboot.

    This will rule out HMPA completely. Do you still have the issue? If no, add it back and reboot, see the issue again, then disable Cryptoguard in policy as it could be this feature.

    Having ruled out HMPA, the next test is to rule out SAV. To do so, you can't unload the SAVOnAccess driver without stopping the SAVService. Therefore:
    sc stop savservice
    fltmc unload savonaccess

    This will stop the main SAVService and the second command will unload the savonaccess driver.

    Do you see the issue then?
    If no, then I would consider re-enabling it again, and maybe then disable on-access|real-time scanning in policy. Does the issue occur then? Does disabling remote file scanning help?

    If after disabling SAV and HMPA, you still have the issue then it could be sophosed.sys.  This can also be disabled but I can detail that more if you get this far.

    Regards,
    Jak
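
Added example (not part of Jak's reply and not Sophos tooling): a read-only PowerShell check that parses `fltmc.exe` output and reports which of the three filter drivers named above are loaded, so the state can be confirmed before and after each test step. The function names, the sample output and its altitude values are constructed for illustration.

```powershell
# Filter name -> driver and component, as listed in the reply above.
$SophosFilters = [ordered]@{
    'Sophos Endpoint Defense' = 'sophosed.sys (Sophos Endpoint Defense)'
    'hmpalert'                = 'hmpalert.sys (HMPA)'
    'SAVOnAccess'             = 'SAVOnAccess.sys (SAV)'
}

function ConvertFrom-FltmcOutput {
    param([string[]]$Lines)
    # The dashed ruler under the header marks where each column starts.
    # Splitting rows on whitespace would break "Sophos Endpoint Defense".
    $ruler = $Lines | Where-Object { $_ -match '^-+(\s+-+)+\s*$' } | Select-Object -First 1
    if (-not $ruler) { throw 'No column ruler found in fltmc output.' }
    $nameWidth = [regex]::Matches($ruler, '-+')[1].Index
    $seenRuler = $false
    foreach ($line in $Lines) {
        if (-not $seenRuler) { $seenRuler = ($line -eq $ruler); continue }
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $cut  = [Math]::Min($nameWidth, $line.Length)
        $rest = @($line.Substring($cut).Trim() -split '\s+')   # instances, altitude, frame
        [pscustomobject]@{ Name = $line.Substring(0, $cut).Trim(); Altitude = $rest[1] }
    }
}

function Get-SophosFilterStatus {
    param([string[]]$Lines)
    $loaded = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($f in (ConvertFrom-FltmcOutput -Lines $Lines)) { $loaded[$f.Name] = $f }
    foreach ($name in $SophosFilters.Keys) {
        $hit = $loaded[$name]   # $null when the filter is not in the list
        [pscustomobject]@{
            Filter = $name; Component = $SophosFilters[$name]
            Loaded = [bool]$hit; Altitude = $hit.Altitude
        }
    }
}

# Constructed sample (altitudes are made-up values), shaped like fltmc output
# after "fltmc unload savonaccess". On a live machine: $sample = fltmc.exe
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
Sophos Endpoint Defense                 4       111111         0
hmpalert                                4       222222         0
FileInfo                                4       333333         0
'@ -split '\r?\n'

Get-SophosFilterStatus -Lines $sample | Format-Table -AutoSize
```

With the constructed sample, the table shows the first two filters as loaded and SAVOnAccess as not loaded; `fltmc.exe` itself needs an elevated prompt.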
