Sophos Intercept X in Citrix VDI

We have a performance issue with Citrix Intercept installed on VDI Citrix desktops.

When users open files (Office, PDF, etc.), I see Sophos File Scanner using 60 and more CPU every time (I know that Sophos has to scan the file...).

How can I adjust policies to reduce this CPU utilization?

The profiles use redirected folders and Citrix Profile Management...

Do you exclude the network path where redirected folders are located?

Every VDI has 2 vCPUs assigned.

Thanks



Added TAGs
[edited by: Gladys at 10:01 AM (GMT -8) on 3 Feb 2023]
  • Hi Sove,

    Thanks for reaching out to the Sophos Community Forum.

    I'd suggest checking if you have added any necessary exclusions from the following article first.
    - Citrix - Tech Paper: Endpoint Security, Antivirus, and Antimalware Best Practices

    You can also use the steps mentioned in this post to filter out what Sophos File Scanner is doing at the time you observe the increase in CPU usage. This may give you a better idea of what exclusions you'll need to add. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi, 

    I've added the process and folder exclusions suggested in the Citrix KB.

    But I didn't exclude the network folders, even though Citrix recommends doing so...

    The KB says:

    Scan only local drives - or disable network scanning. The assumption is that all remote locations that might include file servers that host user profiles and redirected folders are being monitored by antivirus and data integrity solutions. If not, it is recommended that network shares accessed by all provisioned machines be excluded. An example includes shares hosting redirected folders or user profiles.

    I can disable the scan on these folders... but if a user downloads or executes, for example, malware... does Sophos detect it?

    Anyway, I'll enable the log and check what Sophos does.

    Thanks

  • If the servers which house the user profiles are also protected by Sophos then I would suggest excluding them, as there will only be additional scanning occurring when the files are accessed.

    If both systems have the "Remote File" scanning option turned on, this will also add overhead which isn’t needed if both systems are protected with the same antivirus. This option would cause the file metadata when receiving files to be scanned before they are locally accessible/written to disk. If this occurs in both directions, it is likely to cause extra overhead due to scanning.

    If you were to disable remote scanning, the file download may begin to take place, but by the time enough data has been written locally for anything to execute, Sophos will have detected the item. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • So, in the VDI you suggest enabling real-time scanning only for local, and on the server having both enabled (local and remote).

    If I add an exclusion in the VDI for network shares (file server and profile server) for real-time scanning, would that be the same?
