Real-time Scanning - Local Files

Hello all,

I have been using Central Endpoint for some time and I have a problem with the performance of my computer every morning. After switching on for 10-15 minutes, scanning is performed and the disk load is 100%. How to eliminate it? The second issue is why in the Sophos Central Management Console I can not choose which files and when to scan them (I enclose the photo). The management console does not have the options described in Help.



Regards
Jan



  • Hello Jan,

    Apologies for the confusion created here. The documentation needs to be updated here to match what we have on Central as a result of a few changes. 

    If you uncheck 'Remote files' only local files will be scanned on access (be it read, write or rename).

    Performance issues are quite tricky to investigate and I would suggest raising a case with us here if you are a licensed customer - https://secure2.sophos.com/en-us/support/contact-support.aspx 

    I hope this helps. 

    Thanks,

    Vikas

  • Hello Vikas,


    Thank you for your answer. A similar problem was once raised on the forum but it did not get a solution.
    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/94400/sophos-endpoint-client-cause-100-disk-usage-during-startup
    Endpoint scans the same (unknown) files every day, automatically, without the possibility of configuration. You can disable this scan, but then you lose important functionality. I had the impression that Scheduled Scanning is for this purpose. Central Endpoint Threat Protection Policy has few configuration options compared to SEC policy, and you can not control the load dynamically.



    Windows 10 boot routines are superimposed on the scan and we have 100% disk load. It would be useful to solve this problem. For example, by blocking the automatic start of the scan?

    Regards
    Jan

  • Hello Jan,

    performance numbers and interpreting them are a tricky matter - I assume you aren't monitoring the disk just for the fun of it but encounter performance issues?

    "the scan" is likely not a specific scan but On-Access (or real-time in Central's terminology) scanning. Turning it off might make the high usage go away but I'd not call this a solution. Ideally a system's integrity should be verified before it is booted.

    "scans the same (unknown) files every day"
    Naturally a system can't tell what has happened to its disks while it was powered off. Whatever is loaded during system initialization has a good chance to evade detection afterwards. Therefore real-time protection isn't delayed until after the system "is up" but commences as early as possible. While the scanner might decide to omit a proper scan it has at least to verify the identity (and thus to a certain extent integrity) of files. It can't rely on the metadata provided and checks performed by the OS (otherwise we wouldn't need additional AV software) - wouldn't make much sense to verify a signature without calculating the hash it signs, would it?
    Turning off on read scanning indeed improves performance but as rarely any file of interest is written at this stage it effectively disables protection. No insult intended but IMO Central's design is more aimed at protecting users from themselves.

    OSes tend to grow over time and the number of files touched during start-up increases, it doesn't even need a disproportionate increase in the resources required for scanning to cross the "acceptable" border.

    Last but not least 100% is just a ratio, it doesn't tell what's causing it - a software or hardware defect, an imbalanced system, or simply necessary work to be done.

    Christian
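
The point in the reply above about not relying on file metadata, as an added example that is not part of the original thread and is not Sophos code: a file whose size and modification time are unchanged can still have different contents, which only reading and hashing the bytes reveals. The file name and contents are constructed, and the two fingerprint functions are hypothetical stand-ins for what a scanner might cache.

```python
import hashlib
import os
import tempfile


def metadata_fingerprint(path):
    """What a metadata-only cache would remember: size and modification time."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def content_fingerprint(path, chunk_size=65536):
    """SHA-256 over the file's bytes; this is the part that costs disk reads."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def offline_change_demo():
    """Return (metadata_unchanged, content_unchanged) after a simulated offline edit."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "driver.sys")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"A" * 4096)
        meta_before = metadata_fingerprint(path)
        hash_before = content_fingerprint(path)

        # Simulate the disk being changed while the OS was not running:
        # same length, different bytes, timestamps as they were before.
        with open(path, "wb") as fh:
            fh.write(b"B" * 4096)
        os.utime(path, ns=(meta_before[1], meta_before[1]))

        return (metadata_fingerprint(path) == meta_before,
                content_fingerprint(path) == hash_before)


if __name__ == "__main__":
    meta_same, content_same = offline_change_demo()
    print("metadata unchanged:", meta_same)
    print("content unchanged:", content_same)
```

The metadata comparison reports no change while the hash comparison does, which is why the check at start-up has to read each file from disk.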
