Behavior Monitoring and Panasonic Scanner

Hi there.

I am new to Sophos and have run across an issue that I thought I would run by the community, before engaging support directly. I am running the Endpoint Protection - Business software and have noticed that when scanning is done using our Panasonic KV-S2046C scanner, it is very slow.  This scanner is utilizing the TWAIN driver for communication between itself and the workstation.  This problem only began after I installed the Sophos product and I have finally narrowed it down to the Behavior Monitoring piece.  When I disable Behavior Monitoring,  the scanner will operate and respond quickly, but with it enabled, the speed and responsiveness of the scanning program is very slow again.

First, can I add an exception to the behavior monitoring part of the endpoint solution?

Secondly, has anyone else ever experienced an issue like this and if so, what was excluded?

For now I have disabled behavior monitoring, but that is not a long term solution.

Thanks in advance

  • Hi,

    What version of SAV are you running, 10.0.9 for example?

    Is it the presence of detoured being loaded into the scanning software executable that causes the problem?  Detoured loads into processes by adding itself to the AppInit_DLLs key here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

    if on a 64-bit computer.  

    So when you run an exe, detoured gets loaded into it.

    Under both of the above keys there is also a "LoadAppInit_DLLs" DWORD which enables and disables the loading of any dll into an application.

    So I guess as a test, if you know the process name that is being used/launched to do the scanning, you could find out if it's a 32 or 64 bit process (Task Manager) and then maybe set: LoadAppInit_DLLs to be a 0 under the appropriate node.

    If you then re-launch the process responsible for the scanning does it run ok?  

    Also, knowing the process name to get some logging out of detoured (enabling of course), if you create the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\SAVService\BOPSTRACE

    Then under that new registry key, create a new "string" value and set the "name" of it to the name of the process (minus the .exe).  Then launch the scanning software, it should create a log for the process under:

    C:\ProgramData\Sophos\Sophos Anti-Virus\logs\

    Maybe you could post the contents of that here.

    Regards

    Jak
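
A read-only audit of the two registry keys named in the reply above, useful for recording what is configured before LoadAppInit_DLLs is changed for a test. This is an added example, not part of the original posts and not Sophos tooling; it assumes a 64-bit PowerShell session on 64-bit Windows and only checks signatures for entries given as full paths.

```powershell
# Added example (not from the thread): read-only report, makes no registry changes.
# Assumption: run from 64-bit PowerShell; a 32-bit session is redirected to Wow6432Node.
$views = [ordered]@{
    'native'      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'Wow6432Node' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

$report = foreach ($view in $views.GetEnumerator()) {
    if (-not (Test-Path -LiteralPath $view.Value)) { continue }  # no Wow6432Node on 32-bit Windows
    $key = Get-ItemProperty -LiteralPath $view.Value

    # AppInit_DLLs is a single string; entries are separated by spaces or commas.
    $dlls = @("$($key.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
    if ($dlls.Count -eq 0) { $dlls = @('(none)') }

    foreach ($dll in $dlls) {
        $status = 'n/a'
        $signer = ''
        if ([IO.Path]::IsPathRooted($dll) -and (Test-Path -LiteralPath $dll)) {
            # Every DLL listed here is loaded into each process that loads user32.dll,
            # so an unsigned or unexpected entry deserves a closer look.
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } elseif ($dll -ne '(none)') {
            $status = 'path not resolved'
        }

        [pscustomobject]@{
            View             = $view.Key
            LoadAppInit_DLLs = $key.LoadAppInit_DLLs          # 0 = loading disabled
            RequireSigned    = $key.RequireSignedAppInit_DLLs # 1 = only signed DLLs load
            Dll              = $dll
            SignatureStatus  = $status
            Signer           = $signer
        }
    }
}

$report | Format-List
```

Saving the output before and after the test gives a record to restore from, since setting LoadAppInit_DLLs to 0 turns off every DLL listed under that key, not only the one being tested.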
