
Sophos on Citrix high cpu utilisation

I am finding significant performance problems with Sophos on our Citrix XenApp 5 presentation servers (W2k3).  I have recently been seeing very high CPU utilisation - 50%+ for prolonged periods which is killing performance on the servers.  I have a separate policy for the Citrix servers which includes Windows exclusions for the Citrix program folder, UNC for roaming profiles, and the page file drive.  Can anyone share best practice for a successful deployment on Citrix or experience of similar problems and how they can be overcome?

Thanks.

:14191


  • Hi,

    Can you paste here the exclusion list you have so we can check it?

    Also what AV options do you have? 

    Configure - Anti-Virus  - On-access Scanning
    On-Read:
    On-Write:
    On-Rename:
    Scan inside archive files:
    Scan All files:
    Scan for suspicious:
    Scan for adware puas:

    Configure - Anti-Virus - Suspicious behaviour detection
    Detect suspicious behaviour: 

    Detect buffer overflows:
     

    Regards,

    Jak 

    :14197
  • Configure - Anti-Virus  - On-access Scanning
    On-Read: Ticked
    On-Write: Not Ticked
    On-Rename: Not Ticked
    Scan inside archive files: Not Ticked
    Scan All files: Not Ticked
    Scan for suspicious: Not Ticked
    Scan for adware puas: Not Ticked

    Configure - Anti-Virus - Suspicious behaviour detection
    Detect suspicious behaviour:  Unticked

    Detect buffer overflows: Ticked

    Alert Only: Ticked

    Exclusions -

    %AppData%\ICAClient\Cache
    *.edb
    *.fdb
    *.mdb
    \\server\FileData\TSProfiles\
    M:\INVENTORYCLIENT\TSMeter.exe
    M:\Program Files\Citrix
    M:\Program Files\WatermarkTech\volumeFINANCE
    volumefinance.exe
    n:\

    :14199
  • Thanks, firstly the settings seem ok and shouldn't contribute to any performance problems.  However exclusions can't be variables so: %AppData%  will not work as it will not be expanded.

    Also directory exclusions must have a trailing backslash otherwise they are seen as file exclusions.

    So:

    M:\Program Files\Citrix\

    Also worth excluding is:
    M:\Progra~1\Citrix\

    If that is the short 8:3 form on the machine.

    I guess if the symptom is experienced quite often you could exclude, as a temporary measure, the drives listed in the exclusion list you have, just to prove that exclusions would help if they are narrowed down.

    Regards,

    Jak

    :14209
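The exclusion rules described in the reply above (variables are not expanded, directory exclusions need a trailing backslash, the 8.3 short form may need its own entry, whole-drive exclusions are a temporary diagnostic), applied to the list posted earlier in the thread. This is an added example, not part of the original posts and not a Sophos tool; the finding names and the "no file extension means a directory was intended" heuristic are assumptions.

```python
import re

# Exclusion list copied from the post earlier in this thread.
POSTED = [
    "%AppData%\\ICAClient\\Cache", "*.edb", "*.fdb", "*.mdb",
    "\\\\server\\FileData\\TSProfiles\\",
    "M:\\INVENTORYCLIENT\\TSMeter.exe",
    "M:\\Program Files\\Citrix",
    "M:\\Program Files\\WatermarkTech\\volumeFINANCE",
    "volumefinance.exe", "n:\\",
]

ENV_VAR = re.compile(r"%[^%\\]+%")            # e.g. %AppData%
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\$")     # e.g. n:\
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")
HAS_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}$")


def has_long_name(component):
    """True if a path component would get a separate 8.3 short name."""
    stem = component.rsplit(".", 1)[0] if "." in component else component
    return " " in component or len(stem) > 8


def lint(entry):
    """Return the findings (hypothetical labels) for one exclusion entry."""
    findings = []
    if ENV_VAR.search(entry):
        findings.append("variable-not-expanded")
    if DRIVE_ROOT.match(entry):
        findings.append("whole-drive")        # keep only as a temporary test
    if "\\" in entry and not entry.endswith("\\"):
        last = entry.rsplit("\\", 1)[1]
        # Assumed heuristic: no extension on the last component => directory.
        if not HAS_EXT.search(last):
            findings.append("missing-trailing-backslash")
    if LOCAL_PATH.match(entry):
        if any(has_long_name(p) for p in entry.split("\\")[1:]):
            findings.append("check-8.3-alias")  # e.g. M:\Progra~1\Citrix\
    return findings


def report(entries):
    """Map each problematic entry to its findings; clean entries are omitted."""
    return {e: f for e in entries if (f := lint(e))}


if __name__ == "__main__":
    for entry, findings in report(POSTED).items():
        print(f"{entry:50} {', '.join(findings)}")
```

The 8.3 finding only says that a short-name alias may exist; the actual short name has to be read on the server itself (for example with `dir /x`).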
  • Thanks, I will make the changes and see what happens.

    Anthony

    :14211
  • I've pinned this down, it appears to be the data control component.  With the data control turned on, as soon as I open Microsoft Outlook there is a big overhead on loading profile and SAV service jumps to 50% CPU utilisation (dual processor system).  There is a performance overhead on Internet Explorer as well.  Both of these issues evaporate when the data control is turned off.  I will leave this turned off tomorrow and see if I get a positive response from users.  Trouble is the DLP features are highly desirable, but this performance overhead is unacceptable.

    :14219
  • Good to know you might have found the culprit.  I would maybe link a new DataC policy to the group with maybe just one rule and see how that goes, then slowly add them back until you experience the problem.  Hopefully it's just one rule/CCL that could be tweaked or an exclusion applied.

    Are they all Sophos rules or are some of the rules you have made up of your own CCLs?

    Jak 

    :14223
  • The issue is back, no config changes my end, Sophos eating a full cpu core on my Citrix servers.  I have disabled the service for now to enable users to get on with working.  Can anyone share their SUCCESSFUL experience of implementing Sophos in a Citrix or Terminal Services environment and how this has been achieved?

    Anthony

    :18853
  • No help here, I'm afraid.  Sophos also pegs our Citrix servers regularly.  It appears to be the RouterNT module, which handles communication between the Sophos server and client machines, and which seems to be a problem that goes back many years, judging by various web postings.  We have worked with Sophos support on the problem and they were unable to offer any solutions.  It's disappointing that they haven't been able to fix their code in all this time.  We are looking for an alternative AV solution that has a good reputation on Citrix.  I have seen F-Secure recommended, but have not tested it myself. 

    :19523
  • Anthony

    Do you have device control and Application control's policy turned on?

    We are planning to roll out Data, Device and Application control in Citrix Server. But it's good to know what you are experiencing.

    :19581
  • I have disabled the on access scanning completely, I do intend to turn it on again now we have just upgraded to v10 and will report back on this thread. I have taken the view that since we have AV running on all other servers, and we have cloud AV services for both email and web traffic, we will have to make do with scheduled scans on the Citrix farm as the overhead from on access scanning is a performance killer.  If you find a useable alternative or a config that works please let me know.

    :19583