Hi,
We're experiencing a replication issue which appears to be due to Sophos Endpoint, with one VM in particular causing concern beyond the others.
As background, our platform is a Server 2016 Hyper-V cluster hosting 2008 R2, 2012 R2 and 2016 VMs. All (30+) business-critical VMs are replicating to Azure Site Recovery (ASR) over a 100Mb/s MPLS, and the system has been in and working reliably for just under a year although we've only recently (last week) completed the transition from McAfee Endpoint Security to Sophos Endpoint.
The issue is that we're now seeing a lot more replication traffic than previously, with a variety of VMs hosting different roles (SQL, IIS, file server, Exchange CAS and DAG) affected. After some investigation I believe I've traced the cause of the problem to the temporary files Sophos appears to constantly update, these files are located in C:\ProgramData\Sophos\Sophos Anti-Virus\Temp, which contains files suffixed with .$$$
If I monitor performance on the affected VMs, these files are being written to at quite a high rate, between 500KB-20MB/s per each instance of "SavService.exe". Most worryingly this activity continues even when all AV components are disabled in Sophos using the "Override Sophos Central Policy".
The majority of VM replicas are just about managing to stay current, however our primary file server is gradually falling further and further behind (it's built up around 100GB backlog since Saturday) and it looks like ultimately it'll require resync and I'll likely have to remove Sophos in order to recover replication. This fileserver previously generated less than 10GB of change per day, it's now generating about 20GB an hour. The file server VM is Server 2012 R2, using Storage Spaces and deduplication (backgroup dedupe is disabled, schedule dedupe job runs at 2am so it isn't running during the day and I've excluded the System Volume Information folders from Sophos scanning).
From reading around it seems these temporary files are supposed to be used when Sophos is scanning inside archives and such, so it's doubly puzzling why the build up continues when Sophos is disabled.
Has anyone come across this or anything similar? Any ideas on how to stop it happening or reduce the impact (other than removing Sophos)? If this were a new VM to be replicated I'd simply setup a separate un-replicated vDisk but that's not an option with ASR without restaging the whole 1.8TB VM.
Thanks in advance for any assistance.
Dean.
*ETA* - Sure enough the file server VM has just gone into "resync" status.
This thread was automatically locked due to age.
