Questions[sophos](server)

For compliancy reasons we need to demonstrate that users downloading and then running certain file types (namely .exe) are first presented with a warning (for Cyber Essentials). The setup are Windows 10 workstations (build 2004) running Novell Zenworks (now Microfocus) and Sophos Antivirus.

Zenworks applies local policy to the workstation and both smartscreen and medium risk extensions are set. Looking in the registry after login as an unprivileged user the registry keys appear to be present in Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations

When the test exe is downloaded from the internet the stream inside the file stating that it came from the internet zone is correctly set. When the file is run no warning appears and the stream disappears from the file.

Same settings tested in an Active Directory environment and works perfectly. Does anyone know of any GPO or registry settings that conflict with attachment manager? Could this be a feature within Sophos? It feels more like Zenworks but I have no proof!

Any guidance would be great

Thanks

We are running WSS 3.0 SP2 on Windows Server 2003 R2 x64. We had recently upgraded our Sophos Endpoint Protection from version 9.7 to 10.0. Immediately, our alerts stopped working (although it wasn't noticed immediately). When you tried to create a new alert on a library the page would just hang once you pressed Ok. No workflows that used email would complete. (See http://community.sophos.com/t5/Sophos-Endpoint-Security-and/sophos-10-and-sharepoint-2007/td-p/20119) None of the fixes mentioned in that post worked for us, so we uninstalled Sophos 10 and reinstalled 9.7 which immediately allowed new alerts to flow.

My question is... are all of the alerts that were blocked by Sophos gone forever, or are they queued somewhere that we just need to kick some process to send? I've tried restarting the server, restarting the timer service, clearing the config cache... I'm not sure where else to look. Any tips appreciated!

EDIT: Workflow emails apparently did queue and send. Alerts did not though.

Anyone know where I can find the a list of which RBL's Sophos use's? I have checked their website with no luck, and currently awaiting a response from their technical support.

Thank You in advance

Kevin

I am in the process of trying to optimize the boot process of our 700 Windows XP workstations, we regularly have complaints about the start-up and login times on site workstations.

Looking at this in two parts, part one using BootVis to monitor and inspect the boot process; part two using Process Monitor to monitor the login process. Using BootVis' "Boot Done" way point as the metric, I utilized a VMWare workstation virtual machine that has been used for about 18 months as a general purpose testing machine (thus fairly typical of on site machines). I used a snapshot to return the Virtual Machine to the initial state before each test.

From the logs and report that BootVis created the most obvious delay was from Sophos Anti-Virus on access scanner, followed at some distance by mrxsmb. I tweaked with the policies for the machine (ensuring I forced Sophos to update twice each time) and came up with the following numbers:

• Scan All Files, On Read: 260 seconds
• Scan All Files, On Write: 160 seconds
• Scan Executables, On Read and On Write: 111 seconds
• Scan Executables, On Read: 99 seconds
• Scan Executables, On Write: 95 seconds
• On-Access Scanning Disabled: 102 seconds

The above tends to suggest that Scanning All Files, On Read is by far the most expensive operation (and probably totally unnecessary). I can't quite comprehend why disabling on-access scanning actually slows down the boot sequence however fractionally fractionally. The final three results are pretty much the same, which means I must use other factors to influence my decision as to selecting Scan Executables, On Read or On Write.

Update:

I did some more tests, on the same virtual machine (at a different time of day, so they can not be compared directly with the above results:

• Sophos Not Installed: 67.4 seconds (average over 5 tests)
• Scan Executables, On Read: 84.5 seconds (average over 5 tests)
• Scan Executables, On Write: 85 seconds (average over 5 tests)

The averaging causes the values for On Read and On Write to converge further, it is interesting to see that using Sophos scan Executable Files only adds a 21% performance overhead over Sophos not being installed.

So what other considerations should I make when configuring On-Access scanning to improve the boot time?

All of our corporate PCs have Sophos installed, but we're getting complaints about slow network speed and boot times from the users.

We've tracked this down to Sophos checking for updates as soon as the user logs in - the checking process eats cycles on the workstation, and the network access of 100+ PCs to check the server at the start of the day eats the bandwidth.

Is it possible to stop the Sophos auto-updating service from doing this, and make it wait to the next scheduled check time (which gets randomised over time)?