Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 1 subscriber
  • Views 14441 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to configure on-access scanning to avoid unacceptable delays with trusted applications?

mars

OS X 10.6.8,

Sophos Anti-Virus 9.0.11:

Recently, I experience unacceptable delays the first time I load an application after a period of not using it.  This may be the result of the most recent update of SAV; I'm not sure.

This is a Java application that I am writing, using a large number of Java libraries that I've installed.

It appears that what's taking so long is Intercheck, and I am guessing that this is running the On-Access Scanner.

At present, I don't want to disable the On-Access Scanner completely.  Seems like a good thing.  My guess is that I could speed up access to my Java app if I disabled scanning inside compressed files (e.g. jar files), but that seems like a good thing to have, in general, too.  Not for the stuff that I knowingly installed, though.

Questions:

Does what I just wrote make sense?  I'm just guessing, so I'd like confirmation.

How does SAV decide when it needs to scan the application when the application runs?  Every time I reboot?  Is there a time period?  Can it be configured?

How can I disable the on-access scanning for things that I install and trust?  It appears that the excluded items dialogue allows this.  However, the Choose dialogue does not allow me to choose anything under /usr.  Why not?  I install parts of the application under /usr/local.  I've entered /usr/local by hand, but I don't know whether that will work.

Sorry to ask these questions without doing further experimentation.  However, since I don't really understand what SAV is doing here, I'd rather not waste time if I am guessing wrongly about what is happening.

(I tried searching the knowledge base for information about this, but didn't find anything.  My questions are pretty straightforward, and the information may be there, but it's difficult to formulate a search that will find the appropriate information.)

Thanks!

:52032


This thread was automatically locked due to age.
  • 0

    Update: I have verified that I'm using the correct syntax to specify exclusions from on-access scanning.  I have found additional directories used by my Java application, and added them to the exclusion list.  The first-time startup time of the application is still unacceptable.  Intercheck hogs the CPU when this happens, and not when the app starts up quickly, on subsequent startups.   It wasn't formerly like this, even though I was running SAV.  I think this problem is due to the most recent update of SAV.  I still don't know whether my understanding is correct, though.

    :52078
  • 0

    Hello mars,

    dunno about the recent versions (and my knowledge of the Mac version is limited). The engine (guess this is true for all platforms) keeps a list of files scanned to avoid rescanning until reboot (it might prune the list if it gets too large). I assume the exclusions work, the first-time (after reboot?) delay and scan activity suggest that other files are involved (perhaps Java "itself"). Do you have another Java application to compare the behaviour?

    Christian

    :52084
  • 0

    Thanks Christian.  It took a while before I had time to do testing.  Today I spent the better part of a hour rebooting, testing, revising exclusion lists, testing, etc.

    At this point I've got these excluded, temporarily:

    /usr/bin/java, which is a link to a file under the next directory listed:

    /System/Library/Frameworks/JavaVM.Framework/

    /usr/lib/

    /usr/local/

    and all directories containing files used by two different java applications: mine, and NetLogo 5.0.4.  All directories are listed with a final single backslash, so all files under them should be excluded as well, according to the Help file.

    Adding the JavaVM.Framework directory made a big difference.  Now, the first time after reboot that I run either application takes about a minute or two, but then running the same application again, or running the other one for the first time takes only a few seconds.  Before that, each one was individually slow to load the first time, but fast the second time.

    So it appears that there are still files that Java is loading that I don't know about.  It's not easy to figure out what they are.

    I really shouldn't have to work this hard to get things to run in an acceptable way.

    Why doesn't the on-access scan remember that a file has been checked after a reboot?  Most people are not going to access the a non-networked hard drive through some other means than using the current computer with the current OS with Sophos running, so a reasonable allowable configuration should be "don't check previously checked files ever again, unless they've changed".  Couldn't Sophos write a database of previously-checked files, with checksums?  I would think that running a checksum on a file would be pretty fast, compared to a complete scan for virus signatures--expecially for compressed files.

    I also don't think it's a good idea to exclude subdirectories in which I don't explicitly control every file.  Adding /usr/lib and the JavaVM directories defeats the purpose of on-access scanning, unless one takes the view that all system directories are safe.  In that case, none of them should be scanned.  But that seems risky.  Keeping a permanent record of checked files with checksums would solve this problem.

    Thanks!

    :52341
  • 0

    Further info: Excluding /System/Library/Frameworks/Java* (i.e. other Java directories there as well) doesn't help.

    :52379
  • 0

    No further help?? This is an intolerable situation.  I have a choice between turning off the live scan, waiting forever for software to load in some situations, or, possibly, downgrading to a previous version that didn't behave this way.  I get Sophos AV through a site license.  I'm ready to lobby my employer to look for a different product.  I'm not trying to be obnoxious about the situation, but I am very unhappy, as I think you can easily understand.  Sophos AV is not doing its job, in my opinion.  Please help.  Please tell me that you're working on it, at least.

    :52485
  • 0

    Thanks very much for the clarification, Sandy.  These were things that I didn't understand.  It wasn't clear to me from the Sophos site that these forums were not intended as a substitute for tech support, and it wasn't clear that I have to contact my IT department given that I have a site license.

    I will admit that this is a bit disappointing for me personally.  Our IT people very good with certain kinds of problems, and I have a lot of respect for them.  This problem, which I do see as the result of the most recent release of Sophos, feels to me to me like the kind of thing that's not the sort of thing they're good at addressing.  That's just a guess, and it's entirely possible that I'm wrong.  I'll contact them.

    Thanks!

    :52565