Excluding a path or a drive letter only on some servers for the scheduled scan

Hi,

I need some information about the scheduled scan.

Scans can reduce the performance of the server hosts, so... I have different servers with a second drive ("D", "E" or something else), and I want to exclude a couple of them from scanning a specific drive, because it takes a lot of time and a weekly scan is not necessary.

If I add a path in the global policy (or in the base threat protection policy) with the Windows path, for example "\\servername\D$\", will it work?

My fear is that I have to clone the base threat protection policy for every single different drive letter I want to exclude (D on one server, E on another, and so on...)

  • Hello Andrea Manini,

    AFAIK a scheduled scan considers local drives, thus \\servername\D$\ won't work (haven't tested it though).

    Christian

  • In reply to QC:

    Hello QC,

    so there is no alternative to creating a policy for every kind of exception I have to apply?

    Obviously if I have only one drive letter like D, I create only one more policy, but if on another machine I have to scan also D but not E, I have to create another policy again, and so on...

  • In reply to Andrea Manini:

    Hello Andrea Manini,

    so it is.
    I'm curious though why these exclusions are indeed needed. The load produced by a scheduled scan shouldn't be excessive (AFAIK it runs at lower priority). Then it depends on what's on these disks - and how well organized it is. The worst thing is an enormous number of medium-sized "infectable" files in arbitrary folders. Unfortunately there is no option to scan only the system drive.

    You can set "server-specific" exclusions only for remote shares, not local drives. So you can't pool them together. Whether paths might help (so that at least the major part of the disks is skipped) depends on the structure and naming.

    Christian

  • In reply to QC:

    The fact is that our team dedicated to host/VM administration noticed a not so small increase in the resources used after the implementation of Sophos, and in my company they really care about all these variations. My colleagues come from the era of "on servers that are not going on the internet, AV is not necessary", so it is hard to implement it on all machines and see that the resources reach a point that we haven't seen before.

    The guide also is not so specific about how Sophos performs the scan: for example, on other enterprise AV like Kaspersky, I can set the scan only for new files, instead of scanning the same files every week even if they have not changed. Instead, the Sophos guide explains nothing about this, so we can't know how it works.

    I also noticed the option to disable "remote scan". Also in this case, the Sophos guide explains nothing. If I leave remote scan enabled, does every PC that has the same network drive with the same path (deployed from policy) start to scan that drive at the same time? Or is it smart and knows that it doesn't have to scan it from every Sophos client? Sophos has no answer...

  • In reply to Andrea Manini:

    Hello Andrea Manini,

    admittedly documentation isn't very detailed, especially when it comes to more technical details. OTOH there's quite a number of misconceptions when it comes to what it should do, what it does, and how it does it.

    You are talking about scans, scheduled scans. They aren't the core of AV. Protection is first and foremost provided by on-access (or real-time) scanning, a just-in-time scan. Scheduled scans are a supplement; they have their merit, but the recommendation to scan regularly should be taken with a grain of salt.

    "scan it from every sophos client"
    Endpoints are self-contained. What one of them does has no effect on the others. If you schedule a scan with remote enabled, all endpoints will scan the mapped shares. In a setup where many endpoints map the same share you'd not enable scanning of remote files for scheduled scans.

    "set the scan only for the new files"
    So how would a scan reliably determine which files are new? And do not forget that once detection items (often called signatures) are updated, a previous scan's results are no longer valid. This is not a data backup system where you have to back up a file only once.

    "a not so small increment of the resources used after the implementation of sophos"
    You have mainly asked about scheduled scans. Does this refer to normal operation or when scheduled scans are running?
    For on-access scanning on Windows you can expect around 300MB (depends on enabled features) additional RAM used. CPU consumption shouldn't be significant (although there might be occasional spikes). Of course in a VM environment this adds up. It depends on the VMs deployed; if you have many rather small, lightly loaded single-CPU machines the additional resources are more than noticeable. But there's a special SVM edition for these environments.
    For scheduled scans that run at the same time, CPU usage (on the host) will go very high. The scans (that are anyway on low priority) will grab what's available on the virtual CPU. If the virtual CPU is oversized (and the host therefore badly overcommitted) it will set the host on fire. Again SVM might be better suited for the infrastructure.

    To repeat - if you are asking about just scheduled scans, the questions are likely the wrong ones anyway.

    Christian

  • In reply to QC:

    Hi QC,

    thanks for your answer.

    For the scheduled scan you're right, and in fact I was thinking about disabling it on some machines after the first run. I have to think about it.

    "scan it from every sophos client"

    Thanks for the info, I've set it correctly now.

    "set the scan only for the new files"

    Thinking like this, it seems that every other antivirus company lies, but what I understand is that "scan new files" means that the antivirus checks the signature and, if it is the same, avoids accurately scanning the file; it could be useful with large ones. This is a hypothesis of course, but I based it on every other AV. By the way, it's not the point.

    "resources"

    Yes, I was talking about CPU; it is not so high, but compared to "nothing" (some servers could be used for scheduled activity and are not always working), a 5-10% more activity continuously is noticeable from the history diagram.

    I also have to say that the Sophos commercial and technical staff (directly Sophos, not the reseller), when we bought the license some weeks ago, didn't tell me about this version; I didn't know about its existence. When I told them that I discovered this SVM version here from the community, they told me that this version is useful for a large number of machines (like more than 100, whereas we have 10-15 machines per host), and it is not necessary for a "small" amount like ours. Also, they told me that maybe (I don't know why they say maybe... they work for Sophos...) it requires a more expensive license...

  • In reply to Andrea Manini:

    Hello,

    "scan new files"
    SAV maintains a cache of files scanned and, as you surmise, a file that hasn't changed doesn't need to be scanned again. But please note that a) the scanner can't rely on file system metadata or CRCs/hashes it hasn't calculated itself (as whatever produced it could be compromised) and thus it has to perform some I/O on the file, and b) new AV definitions invalidate the cache. Of course it's a trade-off - especially if real-time scanning is enabled - as it is unlikely that an unknown threat lurks in an "old" file.

    "noticeable"
    Well, yes, something does "real work" ;-). Seriously, it's not a surprise, and of course how noticeable it is depends on the regular workload of the VMs. As said, (frequent) scheduled scans might not be necessary.

    "SVM is useful for a large number of machines"
    can't say, I'm not using it. can give a competent answer.

    Christian
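The cache behaviour Christian describes above (a verdict keyed on a digest the scanner computed itself rather than on file-system metadata, and invalidated whenever definitions change), as an added Python illustration that is not Sophos code: `ScanCache`, `MARKER`, `demo` and the sample file contents are all constructed for this example.

```python
import hashlib
import os
import tempfile

MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"  # constructed stand-in for a signature hit

class ScanCache:
    # Clean verdicts keyed on (digest the scanner computed itself, definitions version).
    def __init__(self, definitions_version: int):
        self.definitions_version = definitions_version  # bump this when definitions update
        self._verdicts = {}   # path -> (sha256 hex, definitions version)
        self.engine_runs = 0  # how often the expensive engine actually ran

    @staticmethod
    def _digest(path: str) -> str:
        with open(path, "rb") as f:  # always read the bytes: size/mtime cannot be trusted
            return hashlib.sha256(f.read()).hexdigest()

    def _engine_scan(self, path: str) -> bool:
        self.engine_runs += 1  # stand-in for the detection engine; True means clean
        with open(path, "rb") as f:
            return MARKER not in f.read()

    def scan(self, path: str) -> bool:
        key = (self._digest(path), self.definitions_version)
        if self._verdicts.get(path) == key:
            return True  # same content under the same definitions: skip the engine
        clean = self._engine_scan(path)
        if clean:
            self._verdicts[path] = key  # only clean verdicts are worth remembering
        return clean

def demo() -> list:
    # Replay the scenario from the post; return engine_runs after each step.
    counts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        with open(path, "wb") as f:
            f.write(b"constructed benign content")
        cache = ScanCache(definitions_version=1)
        cache.scan(path); counts.append(cache.engine_runs)  # first look: engine runs
        cache.scan(path); counts.append(cache.engine_runs)  # unchanged: cache hit
        st = os.stat(path)
        with open(path, "wb") as f:
            f.write(b"constructed benign CONTENT")  # same size as before
        os.utime(path, (st.st_atime, st.st_mtime))  # metadata now claims "unchanged"
        cache.scan(path); counts.append(cache.engine_runs)  # digest differs: rescanned
        cache.definitions_version = 2  # new detection items invalidate every verdict
        cache.scan(path); counts.append(cache.engine_runs)  # rescanned again
    return counts
```

The third step is the reason for the extra I/O the post mentions: size and mtime are identical to the first scan, and only the self-computed digest reveals that the content changed.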

  • In reply to QC:

    Hi all, 

    "when i tell them that i discover this SVM version here from the community, they tell me that this version is useful for a large number of machines (like more than 100, instead we have 10-15 machines per host), and it is not necessary for a "small" amount like ours. also, they tell me that maybe (i don't know why they say maybe...they work for sophos...) it requires a more expensive license..."

    Most of our Sophos for Virtual Environments (SVE) customers have a small number of Guest VMs (GVM) being protected by a Security VM (SVM). From our telemetry these customers have 1-5 SVMs protecting 1-25 GVMs. We do of course have customers with over 30 SVMs protecting hundreds of GVMs.

    To clarify: SVE entitlement is part of the Sophos Central or Sophos Enterprise Console Server licenses (apologies for the confusing information!).

    The server license means you can install either SVE or the "full agent".

    So you could protect the virtual servers that are

    • on older kit
    • for those servers that are not as critical
    • servers that are based off the same image (i.e. almost the same, so SVE caching will help speed up the scanning process).

    For all the other, more critical servers that are on newer infrastructure that will need the extra protection (and the more granular management), you can use the full agent.

    Cheers

    Mark