Garbage collection / Ransomware detection


We're having strange issue:

The "ransomware detection" setting is interfering with a local .NET process running on our machines. When the detection is switched on the processes run much slower, this is caused by long pauses in Gen0 and Gen1 garbage collections (of up to several seconds instead of a few microseconds).

Switching off the "ransomware detection" resolves the issue.

Nothing logged on Central when our local .net process is suffering, so I'm unable to find a legit reason for that. 

What are our options here ( except disabling Cryptoguard) ? We ideally want to exclude coreclr.dll from Ransomware detection scope, but there's nowhere to do it. 


Edit tags
[edited by: GlennSen at 8:27 AM (GMT -8) on 25 Feb 2023]
  • Hi Thomasb74,

    Thanks for reaching out to the Sophos Community Forum. 

    I suggest adding an Exploit Mitigation Exclusion for the process that uses the .dll. Excluding the .dll alone this way may not result in many improvements to performance due to the way scanning occurs. 

    If you were looking to investigate things a bit further, I'd suggest turning off some of the settings under "Runtime Protection" in the threat protection policy one at a time to see if there is one specific scanning feature that's contributing to the slowdown.

    If the exclusion does not work, you can try this to see if you are comfortable leaving some settings disabled on a select few devices that require the .net process. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids