Sophos Slows Down Backup

I work for an IT company and we use Sophos at many different client sites. Two sites' tape backup is negatively affected by Sophos, and even after disabling on-access scanning or setting up exceptions it still goes very slow. I have logged a fault with support desk about it but they just asked for diagnostic information to be run, which is kind of pointless in my opinion, because we have the same problem at various sites with different backup software with different environments across many different servers with different software and different hardware.

Two site example:

Site A:

Arcserve Backup 16

Backing up a document management file store. Usually goes at 30-40 MByte a second. If I enable on-access scanning, even with exceptions on the document store, it reduces the backup speed to 4-5 MByte a second.

Site B:

Symantec Backup Exec

Backing up a standard file store with various types of files and data. Usually goes at up to 50 MByte a second; with Sophos enabled it goes at 5 MByte a second, even with exceptions set up on the areas being backed up.

I have tried many different things like disabling everything but on-access scanning and even disabling on-access scanning. At site A I even had on-access scanning disabled but had to stop all the services before the backup would return to its normal speed.

Has anyone else been affected by this before, and is there any way I can fix it? I really don't want to set up exceptions or disable on-access scanning on our file stores as that is what we bought the software for.

  • Hello SysM3m,

    if you search "the Internet" for similar issues with backup software in conjunction with AV software (you've probably done this) you do get a number of hits. Unfortunately there is - as far as I have seen - no definite answer. Rarely there's a final solution to the throughput problem (and if it's more or less disabling or doing away with AV) and the backup vendors mostly suggest and recommend but don't (or can't) offer generally confirmed solutions. Surprisingly - or rather: not surprisingly - the vendors' suggestions are in principle the same Microsoft has for its servers.

    My usual rant: At least Microsoft acknowledges the importance of AV (and third-party security products in general) in the latest revision of the respective KB articles and warns about weakened protection. It's not that on-access scanning is brand new technology and there is no alternative unless an application (backup in this case) takes on the responsibility for the "harmlessness" of the files it processes. MTAs can do it (not least for performance reasons, but using a plug-in architecture makes it possible to use more than one or an alternate scanner). Rant off.

    Like with other products Sophos provides process exclusions (to be exact, this exempts all files opened by the named processes from being scanned) although there's no (G)UI for this (Sophos apparently sees this as a last resort). Putting away "even had on access scanning disabled but had to stop all the services" for the moment - there are several areas where on-access scanning can "interfere":

    • the source files - of course it depends on many factors, but normally a significant overhead (and thus low throughput) should only be noticeable when there are many rather small (and "infectable") files
    • the program files - unlikely that a backup application repeatedly opens its executables and even if, the files are usually not rescanned (well, a Java application might be an exception ;-)) so a delay should only be incurred at start up
    • target store - I can imagine that checkpoint of output files (associated with frequent close/reopen sequences) can busy the scanner, nevertheless the files shouldn't be too "interesting" so scans should complete quickly
    • database, journals and logs - only the latter two should be of concern and only when there are, guess, frequent close/reopens
    • work files - these could cause significant overhead, but then they should be "excludable" by location or extension

    Of course, all these add up, but except in rare cases shouldn't cause a 90% drop in throughput. But as scanning introduces random delays it could confuse sophisticated optimization strategies. Likely a vendor won't disclose details.

    Now - if on-access scanning is off and there's still a significant delay you should really discuss this with Support (at least I can't think of a simple explanation). Naturally they want to assess the environment - the diagnostic information is far from being the cure-all but without it it's all but impossible to even start tackling the problem.

    Just a few cents

    Christian 
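
The reply's first bullet ties a noticeable slowdown to many small source files. The following is an added example, not part of the thread, that measures this on a given server: it reads the same number of bytes once as many small files and once as one large file, timing `open()` separately, so the two figures can be compared with on-access scanning enabled and disabled. The function names, the sizes and the assumption that scan-on-read delay appears in `open()` are illustrative.

```python
import os
import tempfile
import time


def make_tree(root, n_files, file_size):
    """Write n_files files of file_size random bytes (constructed sample data)."""
    os.makedirs(root, exist_ok=True)
    block = os.urandom(file_size)
    for i in range(n_files):
        with open(os.path.join(root, f"f{i:06d}.bin"), "wb") as fh:
            fh.write(block)


def read_tree(root, chunk=1 << 20):
    """Read every file under root sequentially, timing open() separately."""
    files = nbytes = 0
    open_s = 0.0
    start = time.perf_counter()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            t0 = time.perf_counter()
            fh = open(os.path.join(dirpath, name), "rb")
            open_s += time.perf_counter() - t0  # assumption: scan-on-read delay lands here
            with fh:
                while data := fh.read(chunk):
                    nbytes += len(data)
            files += 1
    total_s = max(time.perf_counter() - start, 1e-9)
    return {"files": files, "bytes": nbytes,
            "mb_per_s": nbytes / total_s / 1e6,
            "open_ms_per_file": 1000 * open_s / max(files, 1)}


def compare(total_bytes=64 << 20, small_size=4096, base=None):
    """Same byte count as many small files vs. one large file, under base."""
    results = {}
    with tempfile.TemporaryDirectory(dir=base) as tmp:
        for label, size in (("many_small", small_size), ("one_large", total_bytes)):
            root = os.path.join(tmp, label)
            make_tree(root, total_bytes // size, size)
            results[label] = read_tree(root)
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:10} files={r['files']:6} {r['mb_per_s']:8.1f} MB/s "
              f"open={r['open_ms_per_file']:.3f} ms/file")
```

Pass `base` to place the test files on the volume being backed up; `read_tree()` can also be pointed at a copy of real data, since random `.bin` files are not representative of the file types a scanner inspects most closely.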
