
Long start of .NET applications from network drive

Hello,

We are having problems with the Sophos On-Access scanner. When enabled (always and default for every workstation in the company) it can take up to 60-120 seconds before a .NET application located on a network drive will start. It includes a single executable and around 10MB of DLL libraries which are located in the same folder. If I disable On-Access scanning it opens instantly.

If I check the Task Manager I can see that Savservice.exe is peaking at around 20-40%, which tells me that DLL files are being scanned. And this is taking way too long.

I tried to exclude the folders like so:

\\SERVER\SHARE\FOLDER\ and

X:\FOLDER\

or any other possible exclusion solution but none helped. When user closes application and starts it again from same network path it will open almost instantly. Until next reboot that is.

What can I do? How do I correctly exclude those folders from being scanned, or how do I set up the Endpoint so the DLL files are not scanned every time?

We are using Windows 7 Pro 64bit OS, Novell Netware file server and latest up-to-date version of Sophos Endpoint Security (9.7).

Thank you for your support.

:25101


This thread was automatically locked due to age.
  • Hello QC,

    I've done even more tests. Using Purge cache made things quicker. My conclusion, no matter what server share, mapped drive or exact folder I put into Windows Exclusions it will just not work on Windows 7 64bit.

    So far the only solution is to enable All remote files or what I discovered to enable exclusion on file filter *.dll.

    But just how insecure does this make my workstations? Anything else I can try?

    :25173
  • Hello AndrejK,

    "exclusion on file filter *.dll"

    didn't suggest this as it is similar to excluding all remote files. So you could not (yet) determine the actual path used? To be sure it works I just tried a folder exclusion on Win7/64 (using eicar.com) - works as expected (Process Monitor confirmed the open was on the normal path). So I assume it's not an issue with the base OS, the folder being on a NetWare volume might make the difference - file exclusion obviously works. Did you check the path with Process Monitor (excuse my insistence - it was quite useful assessing the looping problem with SAV32CLI)?

    Christian

    :25175
  • Not yet. You are thinking about this tool?

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    What process should I monitor? Can I see what files he is checking with this tool?

    :25177
  • Yup, that's it. Sorry, assumed you are familiar with it.

    I'd suggest you just use the following filter (CTRL+L): Exclude Event Class | Profiling,  include Path | ends with | oneof the.dll .

    Christian

    :25179
  • I did some more tests. And so far I can confirm this is a problem with Sophos and Novell file system.

    I copied two of our .NET applications with DLL files onto our QNAP NAS which every user has mapped twice. Once for the private and once for the public folder on it.

    I copied the application into M:\Temp\APP1 and M:\Temp\APP2 and then excluded M:\Temp\ from Sophos. Also purged cache. Result? 1-2 seconds to copy from it to HDD. But when I input exclusion of Novell file server map Q:\FOLDER\ where two apps are in Q:\FOLDER\APP1 and Q:\FOLDER\APP2 it takes 3-4 minutes to copy/start them.

    So this at least for me confirms that Sophos has a bug and can't exclude properly the Novell file system shares. We are using Novell Netware 6.5 with service pack 8.

    I tried to exclude all options like so:

    Q:\FOLDER\

    \\SERVER\VOLUME\SHARE\FOLDER\

    \\192.1.1.1\VOLUME\SHARE\FOLDER\

    And with all three exclusions it failed. Maybe because of that it also takes that long to scan the DLL files? I also tried on two other computers with different AV software (MSE and AVG). Zero problems with them and Novell file system share exclusion.

    How and where can I report this bug or do you have any other suggestions?

    :25183
  • Well, I'd give Support a call (and refer them to this thread).

    But try Process Monitor first - although you have narrowed down the problem and Support should be able to recreate it I assume this will nevertheless take some time. OTOH if Process Monitor shows a "weird" path this might enable you to configure a working exclusion until a general solution is found.   

    Christian

    :25185
    I gave Process Monitor a try. The path looks OK to me. And no matter what path I put as exclusion he doesn't skip that folder from scanning. What I found strange was the filenames he is scanning. If the file is Office.dll then he opens it but then he is looking for the file eciffO.ini which he doesn't find and hangs for a while until moving to scan the next file. Not sure if this is normal.

    I exported the result as CSV and PML format. You can see the content of CSV file here (I changed the folder names):

    http://paste2.org/p/2034352

    As you can see from the timestamp it took him almost exactly 3 minutes to copy that folder to local HDD.

    Can you make something out of the CSV file? And thank you for the support :).

    :25189
  • You're welcome :)

    What filter did you use? Would be interesting what happens in the seconds (up to more than 10) between close and open/create. I'd say that SAV is not scanning the files in this folder - otherwise you'd see ReadFile. As it is much faster the second time around I assume (but might be wrong) that "something" is indeed scanned but this something is "somewhere" else.

    Christian

    :25195
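The check suggested in the post above (how long passes between one file's close and the next open/create, and whether any process issues ReadFile in the folder) can be run over a Process Monitor CSV export with a short script. This is an added example, not part of the original thread; it assumes Process Monitor's default export columns, and the sample rows, PIDs and paths are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample in Process Monitor's default CSV layout; paths are placeholders.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.1000000 AM","explorer.exe","1234","CreateFile","Q:\FOLDER\APP1\Office.dll","SUCCESS",""
"10:00:00.1500000 AM","explorer.exe","1234","ReadFile","Q:\FOLDER\APP1\Office.dll","SUCCESS",""
"10:00:00.2000000 AM","explorer.exe","1234","CloseFile","Q:\FOLDER\APP1\Office.dll","SUCCESS",""
"10:00:00.3000000 AM","SavService.exe","888","CreateFile","Q:\FOLDER\APP1\Office.dll","SUCCESS",""
"10:00:00.4000000 AM","SavService.exe","888","ReadFile","Q:\FOLDER\APP1\Office.dll","SUCCESS",""
"10:00:12.6000000 AM","SavService.exe","888","CloseFile","Q:\FOLDER\APP1\Office.dll","SUCCESS",""
"10:00:12.7000000 AM","explorer.exe","1234","CreateFile","Q:\FOLDER\APP1\Data.dll","SUCCESS",""
'''

def seconds(text):
    """'10:00:12.7000000 AM' (or 24-hour '22:00:12.7000000') -> seconds since midnight."""
    clock, _, ampm = text.strip().partition(" ")
    hms, _, frac = clock.partition(".")
    fmt = "%I:%M:%S %p" if ampm else "%H:%M:%S"
    t = datetime.strptime(f"{hms} {ampm}".strip(), fmt)
    return t.hour * 3600 + t.minute * 60 + t.second + float("0." + (frac or "0"))

def rows(csv_text):
    # Strip a leading byte-order mark if the export carries one.
    return csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))

def stalls(csv_text, threshold=1.0):
    """Gaps >= threshold seconds between consecutive events of the same process."""
    last, found = {}, []
    for r in rows(csv_text):
        key, now = (r["Process Name"], r["PID"]), seconds(r["Time of Day"])
        if key in last:
            then, op, path = last[key]
            gap = (now - then) % 86400  # tolerate a capture that crosses midnight
            if gap >= threshold:
                found.append((round(gap, 3), key[0], f"{op} {path}",
                              f"{r['Operation']} {r['Path']}"))
        last[key] = (now, r["Operation"], r["Path"])
    return sorted(found, reverse=True)

def readers(csv_text, prefix):
    """Processes that issued ReadFile on paths under prefix (case-insensitive)."""
    return sorted({r["Process Name"] for r in rows(csv_text)
                   if r["Operation"] == "ReadFile"
                   and r["Path"].lower().startswith(prefix.lower())})

if __name__ == "__main__":
    for gap, proc, before, after in stalls(SAMPLE):
        print(f"{gap:8.3f}s  {proc}: {before}  ->  {after}")
    print("ReadFile issued by:", readers(SAMPLE, "Q:\\FOLDER\\"))
```

If the scanner process shows up in `readers()` for an excluded folder, the exclusion is not being honoured for that path; if it does not, the long gaps are being spent somewhere outside the captured filter.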
  • First I was using only the filters you suggested.

    I've redone the test and now also included to filter SavService.exe process. But the result was the same. SavService only scans files that I copy and it takes long time to do so.

    I did the same tests with copying from NAS to PC where the folder on the NAS was excluded from scanning; SavService was not used during the copy.

    So this again confirms that exclude option doesn't work properly on Novell Netware file servers.

    How and where to report this bug? I just call international number?

    :25259
  • Hello AndrejK,

    sorry - had a Holiday yesterday.

    If there isn't a specific contact for your area either ask the partner you obtained the software from, call the international number or use the contact form.

    HTH

    Christian

    :25287