You computer is responding slower than usual after changes were made relating to Sophos Anti-Virus. This may be the result of changes to the Anti-virus and HIPS policy, newly configured scans or a new deployment. Upon investigation, it maybe discovered that a Sophos process/service is consuming a higher than expected percentage of CPU resource or generating increased amounts of disk based activity.
In summary this guide will move you through the following areas:
- Check the hardware specification in-line with our requirements for Sophos Anti-Virus against your computers.
- Check the common protection settings that can cause performance issues and website loading delays.
- Run lower priority scans on computers with Windows Vista and above.
- Review exclusions recommended for use on third party applications.
Microsoft Windows 2000 and above
Known to apply to the following Sophos product(s) and version(s)
Sophos Enterprise Manager 4.7.0
Sophos Control Center 4.1
Sophos Control Center 4.0.0
Enterprise Console 5.2.0
Enterprise Console 5.1.0
Enterprise Console 5.0.0
Enterprise Console 4.7.1
What To Do
Review your endpoint hardware specification
This article here, reviews the hardware impact on the performance of Sophos Anti-Virus.
Review policy settings that can impact performance on endpoints
How to open your active anti-virus and HIPS policy in Sophos Enterprise Console and Sophos Enterprise Manager
This assumes that there is one possibly two active policies in use on your network.
From the server with a Sophos Console installed.
- open the Sophos Console.
- From the Groups list, select the group containing endpoints reporting an issue, right-click and select 'View/Edit Group Policy Details...', note policy name in use for Anti-virus and HIPS.
- Close View/Edit Group Policy Details, expand Anti-virus and HIPS under Policies.
- Select the policy name noted in point 2, double click.
Note: Sophos Control Center will only have one Anti-virus and HIPS policy.
- The active policy for the group containing the affected endpoints will now be open.
On-access scanning | Configure | Scanning tab | Check files on
Sophos Control Center: Configure scanning | on-access scanning | Scanning tab | on-access scanning behavior
From a performance standpoint, Read has the most impact followed by Write and then Rename. The scanning defaults in Sophos Anti-Virus 10 are to have all three enabled for best protection. In all cases, a well defined exclusion is recommended over disabling a category of on-access scanning. See this article for detailed information about scanning recommendations and there protection value.
On-access scanning | Configure | Scanning tab | Other scanning options
Sophos Control Center: Configure scanning | on-access scanning | Scanning tab | Scanning options
- Scan all files (not recommended) is unchecked.
Described in detail here. Sophos Control Center users will find this option under the Extensions tab, select Scan only executable and other vulnerable files.
- Scan inside archive files (not recommended) is unchecked.
Web protection | Download scanning
Sophos Control Center: Configure scanning | Web scanning is
- Set Download scanning set to off.
Download scanning can cause minor delays whilst a portion of the data from the site is scanned before delivery to the end user's internet browser, some websites may be adversely affected by this.
How to disable all Web Protection features in Sophos Enterprise Console and Sophos Enterprise Manager
- Set Web Protection | Download Scanning to off.
- Set Web Protection | Block access to malicious websites to off.
Note: If Web Control is enabled, this will need to be disabled in the Sophos console policy that applies to this computer, all three options must be disabled.
- Restart the computer.
Once the computer has been restarted, the Sophos Web Intelligence LSP will be uninstalled, to confirm it has been uninstalled run the following command in a command prompt window to confirm:
netsh winsock show catalog | find "Sophos"
The proceeding line should be empty (Returning no results).
Scheduled Scanning | Add/Edit | Configure
Note: This setting is unavailable in Sophos Control Center, but will be available in the local configuration.
- Run scan at lower priority
This option will launch a scheduled scan with the Low priority flag set, Windows will treat this as a low priority amongst other windows processes, this should reduce the noticeable impact of a scheduled scan during the working day.
Check third party application information about running anti-virus
Performance in some applications can be adversely affected by file and process scanning, see this article for links to articles containing common third party exclusions recommendations.
Endpoints are still having performance issues
In order to raise a case for technical support, we will require the following information and logging to characterize and investigate the problem for you:
- Describe the user experience and the steps leading up to the performance drop.
- When does the performance decrease occur?
- How often does it happen?
- How long does it occur for?