How to configure “On-Access Anti-Virus” for a faster boot

Tags: anti-virus, boot, sophos, windows-xp

I am in the process of trying to optimize the boot process of our 700 Windows XP workstations; we regularly have complaints about the start-up and login times on site workstations.

I am looking at this in two parts: part one using BootVis to monitor and inspect the boot process; part two using Process Monitor to monitor the login process. Using BootVis' "Boot Done" waypoint as the metric, I utilized a VMware Workstation virtual machine that has been used for about 18 months as a general purpose testing machine (thus fairly typical of on site machines). I used a snapshot to return the virtual machine to the initial state before each test.

From the logs and report that BootVis created, the most obvious delay was from the Sophos Anti-Virus on-access scanner, followed at some distance by mrxsmb. I tweaked the policies for the machine (ensuring I forced Sophos to update twice each time) and came up with the following numbers:

  • Scan All Files, On Read: 260 seconds
  • Scan All Files, On Write: 160 seconds
  • Scan Executables, On Read and On Write: 111 seconds
  • Scan Executables, On Read: 99 seconds
  • Scan Executables, On Write: 95 seconds
  • On-Access Scanning Disabled: 102 seconds

The above tends to suggest that Scan All Files, On Read is by far the most expensive operation (and probably totally unnecessary). I can't quite comprehend why disabling on-access scanning actually slows down the boot sequence, however fractionally. The final three results are pretty much the same, which means I must use other factors to influence my decision as to selecting Scan Executables, On Read or On Write.


Update:

I did some more tests, on the same virtual machine (at a different time of day, so they can not be compared directly with the above results):

  • Sophos Not Installed: 67.4 seconds (average over 5 tests)
  • Scan Executables, On Read: 84.5 seconds (average over 5 tests)
  • Scan Executables, On Write: 85 seconds (average over 5 tests)

The averaging causes the values for On Read and On Write to converge further; it is interesting to see that using Sophos to scan executable files only adds a 21% performance overhead over Sophos not being installed.


So what other considerations should I make when configuring On-Access scanning to improve the boot time?

Best Answer

We are currently investigating SOPHOS speed issues and I have come up with the following suggestions, which in our WinXP SP3 environment have made a fair bit of difference:

  1. Exclude these files within the On-Access section:

    • c:\windows\system32\authz.dll
    • c:\windows\system32\drivers\srv.sys
    • c:\windows\system32\es.dll
    • c:\windows\system32\netman.dll
    • c:\windows\system32\oakley.dll
    • c:\windows\system32\pstorsvc.dll
    • c:\windows\system32\rasadhlp.dll
    • c:\windows\system32\regsvc.dll
    • c:\windows\system32\winipsec.dll

    They are startup files and as long as you have full system scans running at some point, you should be fine.
  2. The second thing to do is turn off checking for updates at startup. This is a tiny bit risky as that's a key point where new viruses can attack, but you can combat this by having regular 30 min checks for updates, meaning you are never more than half an hour out. To turn off checking for updates do this:

[image: http://www.sophos.com/images/common/misc/27646.gif]

After implementing these changes there was a notable speed increase from power on to desktop.

I hope this helps.

Kip
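Since the answer above relies on scheduled full scans to cover the files it removes from on-access scanning, the following is an added example (not code from the question, the answer, or Sophos) of a compensating check: a PowerShell 2.0-compatible script that records a SHA-256 baseline of those excluded files and reports any that have changed since. The baseline path, the `-Baseline` switch and the use of .NET's `SHA256Managed` (PowerShell 2.0 on XP SP3 has no `Get-FileHash`) are assumptions of this example.

```powershell
# Added example: baseline and re-check the files excluded from on-access scanning.
# Assumes PowerShell 2.0 on Windows XP SP3 (.NET 2.0). Run once with -Baseline
# to record hashes, then without it (e.g. from a scheduled task) to compare.
param(
    [switch]$Baseline,
    # Assumed location; keep it somewhere normal users cannot write.
    [string]$BaselinePath = "$env:ALLUSERSPROFILE\excluded-files-sha256.txt"
)

# The files the answer above excludes from Sophos on-access scanning.
$excluded = @(
    'c:\windows\system32\authz.dll',
    'c:\windows\system32\drivers\srv.sys',
    'c:\windows\system32\es.dll',
    'c:\windows\system32\netman.dll',
    'c:\windows\system32\oakley.dll',
    'c:\windows\system32\pstorsvc.dll',
    'c:\windows\system32\rasadhlp.dll',
    'c:\windows\system32\regsvc.dll',
    'c:\windows\system32\winipsec.dll'
)

function Get-Sha256Hex([string]$path) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

# Hash every listed file; a missing file is recorded as MISSING so it still shows as a change.
$current = @{}
foreach ($p in $excluded) {
    if (Test-Path $p) { $current[$p] = Get-Sha256Hex $p } else { $current[$p] = 'MISSING' }
}

if ($Baseline) {
    $current.Keys | Sort-Object | ForEach-Object { "$_`t$($current[$_])" } | Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    exit 0
}
if (-not (Test-Path $BaselinePath)) { Write-Host "No baseline found; run with -Baseline first."; exit 2 }

$changed = 0
foreach ($line in Get-Content $BaselinePath) {
    $path, $old = $line -split "`t"
    if ($current[$path] -ne $old) {
        Write-Host "CHANGED: $path (baseline $old, now $($current[$path]))"
        $changed++
    }
}
if ($changed -eq 0) { Write-Host "All excluded files match the baseline." }
exit $changed   # non-zero exit code = at least one excluded file changed
```

A change is expected after Windows Update replaces one of these system files, so re-run with `-Baseline` after each patch cycle; an unexplained change outside a patch window is the case the exclusion list would otherwise have hidden from the on-access scanner.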