Behavior Monitoring and Panasonic Scanner

Hi there.

I am new to Sophos and have run across an issue that I thought I would run by the community, before engaging support directly. I am running the Endpoint Protection - Business software and have noticed that when scanning is done using our Panasonic KV-S2046C scanner, it is very slow.  This scanner is utilizing the TWAIN driver for communication between itself and the workstation.  This problem only began after I installed the Sophos product and I have finally narrowed it down to the Behavior Monitoring piece.  When I disable Behavior Monitoring,  the scanner will operate and respond quickly, but with it enabled, the speed and responsiveness of the scanning program is very slow again.

First, can I add an exception to the behavior monitoring part of the endpoint solution?

Secondly, has anyone else ever experienced an issue like this and if so, what was excluded?

For now I have disabled behavior monitoring, but that is not a long term solution.

Thanks in advance

:34123


This thread was automatically locked due to age.
  • Hi,

    What version of SAV are you running, 10.0.9 for example?

    Is it the presence of detoured being loaded into the scanning software executable that causes the problem?  Detoured loads into processes by adding itself to the AppInit_DLLs key here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

    if on a 64-bit computer.  

    So when you run an exe, detoured gets loaded into it.

    Under both of the above keys there is also a "LoadAppInit_DLLs" DWORD which enables and disables the loading of any dll into an application.

    So I guess as a test, if you know the process name that is being used/launched to do the scanning, you could find out if it's a 32 or 64 bit process (Task Manager) and then maybe set: LoadAppInit_DLLs to be a 0 under the appropriate node.

    If you then re-launch the process responsible for the scanning does it run ok?  

    Also, knowing the process name to get some logging out of detoured (enabling of course), if you create the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\SAVService\BOPSTRACE

    Then under that new registry key, create a new "string" value and set the "name" of it to the name of the process (minus the .exe).  Then launch the scanning software, it should create a log for the process under:

    C:\ProgramData\Sophos\Sophos Anti-Virus\logs\

    Maybe you could post the contents of that here.

    Regards

    Jak

    :34131
  • jak

    Thank you for the response.  I actually have been unable to identify a process that is launching when the scanner is called.  How this exactly works is we have a program that runs and allows us to scan items to "archive".  This program runs great and very quick, so it is unaffected by the behavior monitoring piece of the endpoint client.  Anyway, when the user hits the scan button within this program, it calls up the Panasonic scanner and opens a scanning interface window that is proprietary to this archiving program.  The delay is happening when the user hits the scan button in the proprietary archive program, as it takes about forty seconds for the scanning interface window to open.  When behavior monitoring is disabled, there is no delay between clicking the scan button and the launching of the scanning interface.  So since it appears to be being called from within an already running program, no additional processes are launched.

    Hopefully that makes some sense.  Also, the version of SAV I am running is, according to product information on the client, 10.0.

    :34137
  • Hi,

    How about running Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) on the computer with a filter set to:

    "Operation" "is" "Load Image"

    "Path" "contains" "detoured"

    If you close and re-open the application, you might see which process is loading the Sophos DLL.

    Regards,

    Jak

    :34139
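
The two checks discussed in the replies above, as an added read-only PowerShell example (not code from any poster or from Sophos): it reports the AppInit_DLLs and LoadAppInit_DLLs values under both registry nodes, then lists running processes that have a module whose path contains "detoured". The function names are hypothetical, and the "detoured" substring is taken from the Process Monitor filter suggested in the thread.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Run elevated from 64-bit PowerShell so both registry views are visible;
# from a 32-bit shell, HKLM:\SOFTWARE is redirected to Wow6432Node.
$AppInitKeys = [ordered]@{
    'native'      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'Wow6432Node' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

function Get-AppInitState {
    foreach ($entry in $AppInitKeys.GetEnumerator()) {
        # Wow6432Node does not exist on 32-bit Windows
        if (-not (Test-Path -Path $entry.Value)) { continue }
        $key = Get-ItemProperty -Path $entry.Value
        [pscustomobject]@{
            View             = $entry.Key
            LoadAppInit_DLLs = $key.LoadAppInit_DLLs   # 0 = loading disabled, 1 = enabled
            AppInit_DLLs     = $key.AppInit_DLLs       # DLL list loaded into new processes
        }
    }
}

function Get-ProcessWithModule {
    param([string]$Pattern = 'detoured')   # substring from the thread's Process Monitor filter
    foreach ($proc in Get-Process) {
        try {
            $hits = @($proc.Modules | Where-Object { $_.FileName -like "*$Pattern*" })
        } catch {
            continue   # access denied, process exited, or bitness mismatch
        }
        foreach ($module in $hits) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Module      = $module.FileName
            }
        }
    }
}

Get-AppInitState | Format-Table -AutoSize -Wrap
Get-ProcessWithModule | Sort-Object ProcessName | Format-Table -AutoSize -Wrap
```

Module enumeration is bitness-sensitive, so run it from a PowerShell of the same bitness as the process being checked (32-bit PowerShell lives under C:\Windows\SysWOW64\WindowsPowerShell\v1.0 on 64-bit Windows).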