<p>The Wombelix Post - Anti-Virus (https://dominik.wombacher.cc/)</p>
<p>Sophos Anti-Virus for Linux - Hidden On-Access Scan debug option</p>
<p>Dominik Wombacher, 2021-05-12</p>
<!-- SPDX-FileCopyrightText: 2023 Dominik Wombacher <dominik@wombacher.cc> -->
<!-- -->
<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<p>I had to learn that it can be quite challenging to troubleshoot performance issues related to Sophos Anti-Virus for Linux or to identify paths with high I/O load that might require an adjusted policy or even an exclusion.</p>
<p>In a situation where SAV processes generate 100% load on one or more CPU cores, there is definitely something wrong that needs a closer look.</p>
<p>Sophos does provide a lot of config settings but only very limited debug capabilities, at least if you trust the official manual and knowledge base.</p>
<p>But there is a hidden and not publicly documented config setting to log all On-Access Scan activities. That can generate a huge amount of data, so it should only be activated for a limited time during an ongoing troubleshooting session.</p>
<p>Activate:</p>
<pre class="code text literal-block">
/opt/sophos-av/bin/savconfig set OnAccessRecordAllScans enable
systemctl restart sav-protect
</pre>
<p>Log files will be written to <strong>/opt/sophos-av/tmp/</strong>. You should stop <em>sav-protect</em> and copy the logs to another location before deactivating the debug mode.</p>
<p>Deactivate:</p>
<pre class="code text literal-block">
/opt/sophos-av/bin/savconfig set OnAccessRecordAllScans disable
systemctl restart sav-protect
</pre>
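<p>The activate, collect and deactivate steps above combined into one time-boxed script. This is an added example, not part of the original post and not from Sophos. The <em>savconfig</em> and <em>systemctl</em> commands and the log directory are taken from the post; the function names and the SAVCONFIG, SYSTEMCTL and SAV_TMP override variables are assumptions.</p>

```shell
#!/bin/sh
# Added example: time-boxed On-Access scan recording for Sophos Anti-Virus for Linux.
# Commands and the log directory come from the post; the variables below are
# assumed overrides so the paths can be adjusted.
SAVCONFIG=${SAVCONFIG:-/opt/sophos-av/bin/savconfig}
SYSTEMCTL=${SYSTEMCTL:-systemctl}
SAV_TMP=${SAV_TMP:-/opt/sophos-av/tmp}

# Deactivate step from the post: turn recording off and restart the service.
sav_disable_recording() {
    "$SAVCONFIG" set OnAccessRecordAllScans disable
    "$SYSTEMCTL" restart sav-protect
}

# usage: sav_record_scans SECONDS DEST_DIR
sav_record_scans() {
    secs=$1
    dest=$2
    case $secs in
        ''|*[!0-9]*) echo "SECONDS must be a whole number" >&2; return 2 ;;
    esac
    [ -n "$dest" ] || { echo "DEST_DIR is required" >&2; return 2; }
    # The logs record all On-Access scan activity, so keep the copy private.
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # If interrupted while recording, still switch the debug option off.
    trap 'sav_disable_recording; exit 130' INT TERM
    "$SAVCONFIG" set OnAccessRecordAllScans enable || { trap - INT TERM; return 1; }
    if ! "$SYSTEMCTL" restart sav-protect; then
        sav_disable_recording; trap - INT TERM; return 1
    fi
    sleep "$secs"
    # Stop the service and copy the logs before deactivating, as the post advises.
    "$SYSTEMCTL" stop sav-protect
    rc=0
    cp -Rp "$SAV_TMP"/. "$dest"/ || rc=$?
    sav_disable_recording || rc=$?
    trap - INT TERM
    return "$rc"
}

# Run only when called with both arguments, e.g.: ./sav-record.sh 300 /root/sav-debug
if [ "$#" -eq 2 ]; then
    sav_record_scans "$1" "$2"
fi
```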
<p>It would actually be way easier if Sophos would cover such topics in their own documentation.</p>