We have a performance issue with Citrix Intercept installed on VDI Citrix desktops.
When users open files (Office, PDF, etc.), I see Sophos File Scanner using 60 and more CPU every time (I know that Sophos has to scan the file...).
How can I adjust policies to reduce this CPU utilization?
The profiles use redirected folders and Citrix profile management...
Did you exclude the network path where the redirected folders are located?
Every VDI has 2 vCPUs assigned.
Thanks for reaching out to the Sophos Community Forum.
I'd suggest checking if you have added any necessary exclusions from the following article first.
- Citrix - Tech Paper: Endpoint Security, Antivirus, and Antimalware Best Practices
You can also use the steps mentioned in this post to filter out what Sophos File Scanner is doing at the time you observe the increase in CPU usage. This may give you a better idea of what exclusions you'll need to add.
I've added the process and folder exclusions suggested in the Citrix KB.
But I didn't exclude the network folders, even though Citrix recommends doing so...
The KB says:
Scan only local drives - or disable network scanning. The assumption is that all remote locations that might include file servers that host user profiles and redirected folders are being monitored by antivirus and data integrity solutions. If not, it is recommended that network shares accessed by all provisioned machines be excluded. An example includes shares hosting redirected folders or user profiles.
I can disable the scan on these folders... but if a user downloads or executes, for example, malware... will Sophos detect it?
Anyway, I'll enable the log and check what Sophos does.
If the servers which house the user profiles are also protected by Sophos then I would suggest excluding them, as there will only be additional scanning occurring when the files are accessed.
If both systems have the "Remote File" scanning option turned on, this will also add overhead which isn’t needed if both systems are protected with the same antivirus. This option would cause the file metadata when receiving files to be scanned before they are locally accessible/written to disk. If this occurs in both directions, it is likely to cause extra overhead due to scanning.
If you were to disable remote scanning, the file download may begin to take place, but by the time enough data has been written locally for anything to execute, Sophos will have detected the item.
So, in the VDI you suggest enabling real-time scanning only for local, and on the server having both enabled (local and remote).
If I add an exclusion in the VDI for network shares (file server and profile server) for real-time scanning, would that be the same?
I'd suggest starting with an exclusion for the network shares. If you only see minimal improvements, try changing to local scanning only first on the VDI systems then the Servers to see which settings suit you best.