This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Anti-Virus - On Access Cache Scanning functionality

Performance related and functionality inquiry here... Does Sophos AV use a cache to keep a record of on-access scans so it knows not to re-scan certain content. If so, what is the criteria for when a file will be scanned again?

Trying to troubleshoot some performance issues related to a .NETframework app...sometimes the application startup takes 30+ seconds on a cold-boot. I've confirmed that SavService.exe is hitting the C:\Windows\assembly\NativeImages_v4.0... and C:\Windows\Microsoft.NET...locations hard in these instances.

This thread was automatically locked due to age.

Parents

0 QC over 10 years ago

Hello LoXodonte,
a virus def update might [invalidate the cache]
~~good~~ excellent point!
the scanning of dlls within it. Which I don't fully understand
use dir from an administrative CMD prompt or use an alternate method to view That annoying c:\windows\assembly folder (whereupon he exclaimed: "The thing's ramified - it goes on forever - and - oh my God! - it's full of DLLs!"). :smileyvery-happy:
Would it be a terrible idea to add on-access folder exclusions [...]?
I'm neither a security analyst nor a developer and my gut feeling could be completely wrong. While your run-of-the-mill threat might consider this location too complex to abuse it could be appealing to someone scheming a sophisticated (targeted) attack and it is (or used to be) used for example by ZeroAccess (but arguably a threat could at least partially be detected if only \assembly is excluded).
If there were a general problem with .NET applications and/or the GAC we'd likely have heard. Thus I assume that there's room for improvement in the way the application has been built. Neither does On-Access scan files on its own (i.e. without them being opened by some process) not does .NET or some other component open a file just "because it's there". The scan of mscorlib.ni.dll (even though it's some 14MB) and one or two other DLLs shouldn't result in a 30 seconds delay. That's not to insinuate the application is poorly written - but certain methods might be better than others in a specific context.
Christian
:56711
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 QC over 10 years ago

Hello LoXodonte,
a virus def update might [invalidate the cache]
~~good~~ excellent point!
the scanning of dlls within it. Which I don't fully understand
use dir from an administrative CMD prompt or use an alternate method to view That annoying c:\windows\assembly folder (whereupon he exclaimed: "The thing's ramified - it goes on forever - and - oh my God! - it's full of DLLs!"). :smileyvery-happy:
Would it be a terrible idea to add on-access folder exclusions [...]?
I'm neither a security analyst nor a developer and my gut feeling could be completely wrong. While your run-of-the-mill threat might consider this location too complex to abuse it could be appealing to someone scheming a sophisticated (targeted) attack and it is (or used to be) used for example by ZeroAccess (but arguably a threat could at least partially be detected if only \assembly is excluded).
If there were a general problem with .NET applications and/or the GAC we'd likely have heard. Thus I assume that there's room for improvement in the way the application has been built. Neither does On-Access scan files on its own (i.e. without them being opened by some process) not does .NET or some other component open a file just "because it's there". The scan of mscorlib.ni.dll (even though it's some 14MB) and one or two other DLLs shouldn't result in a 30 seconds delay. That's not to insinuate the application is poorly written - but certain methods might be better than others in a specific context.
Christian
:56711
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data