Long start of .NET applications from network drive

Hello,

We are having problems with Sophos On-Access scanner. When enabled (always and default for every workstation in company) it can take up to 60-120 seconds before a .NET application located on network drive will start. It includes a single executable and around 10MB of DLL libraries which are located in same folder. If I disable On-Access scanning it opens instantly.

If I check the Task Manager I can see that Savservice.exe is peaking at around 20-40% which tells me that DLL files are being scanned. And this is taking way too long.

I tried to exclude the folders like so:

\\SERVER\SHARE\FOLDER\ and

X:\FOLDER\

or any other possible exclusion solution but none helped. When user closes application and starts it again from same network path it will open almost instantly. Until next reboot that is.

What can I do? How to correctly exclude those folders from being scanned or how to set up the Endpoint so the DLL files are not scanned every time?

We are using Windows 7 Pro 64bit OS, Novell Netware file server and latest up-to-date version of Sophos Endpoint Security (9.7).

Thank you for your support.

:25101


This thread was automatically locked due to age.
  • Hello AndrejK,

    When user closes application and starts it again from same network path it will open almost instantly. Until next reboot that is

    as scan results are cached the "speed-up" is the expected behaviour. The cache doesn't survive a reboot though. 

    The format of the exclusions seems correct and they should work (any chance that short names are used on the path?). While not a long term solution - have you tried Exclude remote files? This should confirm that excluding the files from on-access works and helps and that it is probably a question of specifying the path actually used.

    Christian

    :25107
  • Hi,

    If exclude remote files fails, try turning off suspicious behaviour on a test client and see how that behaves.

    Regards,

    Jak

    :25109
  • Exclude remote files is working yes. This speeds up the loading. But we can't just exclude every file check. Or what exactly does this do?

    :25111
  • Suspicious behaviour is not enabled.

    :25113
  • Hi,

    If all the files are in:

    \\SERVER\SHARE\FOLDER\

    Can you try excluding:

    X:\FOLDER\

    \\SERVER\SHARE\FOLDER\

    \\IP\SHARE\FOLDER\

    Note: the trailing backslash is important when excluding directories.

    Also turn off exclude remote files again.

    I tested putting eicar.com in a share on a remote machine: i.e. \\192.168.0.4\Jak\eicar.com

    On the client, in the hosts file I entered:

    192.168.0.4 mac

    With an exclusion in SAV of:

    \\192.168.0.4\jak\

    eicar.com was allowed to be accessed by the client, whereas accessing the file as: \\mac\Jak\eicar.com was detected.

    Might be worth running Process Monitor to see what is exactly being accessed and if the exclusion covers it.  It would be good to narrow it down to a certain file in the directory but getting the exclusion to work would be a start.  If you can narrow it down to a certain dll file for example, you could then submit that to the labs with some info to say scanning it is too slow.

    Regards

    Jak

     

    :25133
  • How to know which file he is currently scanning?

    I've tried many other exclusion options and none worked. Only exclude remote files works but I can't just exclude all files on network. For now I want to exclude only few paths where we have the .NET applications with many DLL files.

    I tried another thing. On fresh reboot of computer I've tried to copy the folder with .NET app onto local hard drive. It took almost 3 minutes to copy 11MB of files. He is stopping on every DLL file for at least 10 seconds. The average speed of transfer was 110bytes. If I delete copied files on my hard drive and copy the same folder again it will only take 1-2 seconds.

    That is why it also takes so long to start application.

    What else can I do?

    Thank you.

    :25147
  • Hello AndrejK,

    to repeat and emphasize what Jak has said:

    1. Please do contact Support concerning the time it takes to scan those DLLs, it seems excessively long
    2. To find out the path used to access these files use Process Monitor - note that you can filter by partial path so you could just trace access to one of the DLLs which would significantly reduce output and thus make it easier to determine the path(s) needed for the exclusions to work

    Christian

    :25149
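
An added example (not written by anyone in this thread, and not Sophos code) of the check Jak and Christian describe: read a Process Monitor trace saved as CSV, keep the rows matching a partial path, and list every directory form that the exclusion list does not cover. The host, share and file names in the sample are constructed placeholders, and the matching rule (case-insensitive literal match on the path as accessed, with a trailing backslash marking a directory) is an assumption drawn from Jak's test, not a documented Sophos algorithm.

```python
import csv
import io
import ntpath

# Constructed sample in Process Monitor's default CSV column layout.
# Host, share and file names are placeholders, not values from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:00:01.1","App.exe","4120","CreateFile","X:\FOLDER\App.exe","SUCCESS",""
"09:00:01.2","App.exe","4120","CreateFile","\\SERVER\SHARE\FOLDER\Lib1.dll","SUCCESS",""
"09:00:01.3","App.exe","4120","CreateFile","\\192.0.2.10\SHARE\FOLDER\Lib2.dll","SUCCESS",""
"09:00:01.4","App.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
'''

# Exclusion list under test, one entry per line (constructed).
EXCLUSIONS = r'''
X:\FOLDER\
\\SERVER\SHARE\FOLDER\
'''.split()


def is_covered(path, exclusions):
    """Assumed semantics: case-insensitive literal match on the path as accessed.
    An entry ending in a backslash covers a directory tree; any other entry
    is treated as naming a single file."""
    p = path.lower()
    for entry in exclusions:
        e = entry.lower()
        if (e.endswith("\\") and p.startswith(e)) or p == e:
            return True
    return False


def uncovered_dirs(csv_text, partial_path, exclusions):
    """Return the directory prefixes seen in the trace that no exclusion covers."""
    missing = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if partial_path.lower() in path.lower() and not is_covered(path, exclusions):
            missing.add(ntpath.dirname(path) + "\\")
    return sorted(missing)


if __name__ == "__main__":
    for d in uncovered_dirs(SAMPLE_CSV, "\\FOLDER\\", EXCLUSIONS):
        print("not excluded:", d)
```
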
  • Hi,

    I would also test using the latest version of SAV also, i.e. 10.0.4.

    Maybe create a new subscription in SEC, call it 10, choose 10 Recommended from the list.

    This will create you a new CID, e.g. \\server\sophosupdate\cids\s001

    Create a new test group in SEC, eg, Test10

    Create a new updating policy, call it Test10 for example and choose from the subscriptions tab, the 10 subscription.

    Link the new updating policy, Test10, to the test group Test10.

    Move a test client to the test group.

    The test client should shortly upgrade to 10.0.4, once it has its new policy and has performed an update.  I would then suggest rebooting it before running the same test.

    It is always worth trying the latest version in my opinion before contacting support.

    Regards,

    Jak

    :25155
  • Done. We updated all our clients to version 10.0.4 VDL 4.77G. Smooth update using Sophos Enterprise Console.

    Before testing I rebooted the computer and redid all the tests. Exactly the same. It takes 3-4 minutes to copy 11.3MB of .NET application from Novell Netware file server to local HDD. Same thing if I run the executable from network. But if I copy it twice in another folder on HDD it finishes in 1-2 seconds.

    Current exclusion list looks like this:

    \\SERVER\SHARE\FOLDER

    \\SERVER\SHARE

    X:\FOLDER

    X:\

    But I did some more testing using Windows XP. Same exclusion rules and 1-2 seconds to open! So the problem must be in Windows 7 SP1 64bit that we are now implementing in our company.

    Can I do some other tests to confirm this?

    :25163
  • Hello AndrejK,

    it's likely the path(s) that Sophos gets to see when the open is intercepted. Please give Process Monitor a try. BTW: You can clear the scanner cache (so you don't have to reboot to make Sophos re-scan) in the local On-Access configuration.

    Christian 

    :25169