Tim Anderson's ITWriting

Tech writing blog


October 12, 2005

Fixing Sophos and a rant against heavyweight solutions to simple problems

Posted 3299 days ago on October 12, 2005

It drives me wild when anti-virus software causes more problems than it solves.

Here's a case in point. Sophos Small Business Edition (supposedly designed to be easy to administer) running on Windows Small Business Server 2003 - I imagine a common scenario. We notice disk space reducing on drive C. We notice high CPU usage. The culprit is RouterNT.EXE which is the Sophos Message Router. It is grabbing up to 98% CPU with ever-increasing memory requirements ... 50MB ... 100MB ... 300MB ...

So I stop the Message Router service. Although there seems to be no help in the Sophos knowledgebase, I search the Web and find a tip concerning the \Program Files\Sophos\Remote Management Service\Router\Envelopes folder. Apparently this can get overloaded with messages. Indeed it is: over 200,000 messages are sitting there. I delete these and restart the services, which fixes the problem for the moment.

As far as I can tell, the Message Router Service is not fighting viruses as such. Rather, it is part of the admin system which is meant to enable centralized monitoring of all the computers on the network. Delving a bit deeper, it turns out that this is a CORBA application. CORBA is a well respected but unfashionable technology for scalable distributed applications. Fair enough for an enterprise - but let's remember that this is Small Business Edition, with a maximum of 100 users. Surely there is a simpler way of having client machines report their status back to the server.

I can't shake off a suspicion that this is over-engineered for the purpose. It brings to mind my recent problems with HP's Java Application Server for running a printer utility. The outcome in both cases is the same: lousy performance.

I am also unimpressed by the failure of the Sophos system to detect this error condition. The basic anti-virus engine seems rather good, as these things go, but not the management stuff.

UPDATE This morning I managed to contact Sophos support (after trying repeatedly but failing to get through last night). The problem seems to be related to the Sophos SBE Management Service which apparently fails with a DCOM error following an update to Windows 2003. There is a Knowledgebase article here. Looking in my event log, I had DCOM errors related to smtemlib, the Sophos AutoUpdate service, so I applied the same fix here as well and restarted the service. Without these further fixes, the problem will inevitably re-occur.
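
A read-only check for the three symptoms described in this post (Envelopes backlog, RouterNT.exe memory growth, DCOM errors), suitable for a scheduled task. This is an added example, not part of the original post and not Sophos tooling; the install drive, the thresholds and the `DCOM` event source name are assumptions.

```powershell
# Added example: read-only health check for the Sophos Message Router symptoms.
# Assumptions: default install under %ProgramFiles%; thresholds are illustrative;
# 'DCOM' is assumed to be the System-log source name on Windows Server 2003.
# Uses Get-EventLog, so it needs Windows PowerShell (2.0 or later).
param(
    [string]$EnvelopeDir = (Join-Path $env:ProgramFiles 'Sophos\Remote Management Service\Router\Envelopes'),
    [int]$MaxEnvelopes    = 5000,   # illustrative; the post found over 200,000
    [int]$MaxWorkingSetMB = 200,    # illustrative; the post saw 300MB and climbing
    [string]$DcomSource   = 'DCOM'
)

$problems = @()

# 1. Message backlog: count files without building 200,000 FileInfo objects.
if (Test-Path -LiteralPath $EnvelopeDir) {
    $count = [System.IO.Directory]::GetFiles($EnvelopeDir).Length
    if ($count -gt $MaxEnvelopes) {
        $problems += "Envelopes backlog: $count files in $EnvelopeDir"
    }
} else {
    Write-Warning "Envelopes folder not found: $EnvelopeDir"
}

# 2. Memory growth in the router process. @() keeps the loop from running
#    once on $null when the process is absent (PowerShell 2.0 behaviour).
$router = @(Get-Process -Name 'RouterNT' -ErrorAction SilentlyContinue)
foreach ($p in $router) {
    $mb = [math]::Round($p.WorkingSet64 / 1MB)
    if ($mb -gt $MaxWorkingSetMB) {
        $problems += "RouterNT.exe (PID $($p.Id)) working set is $mb MB"
    }
}

# 3. DCOM errors in the last 24 hours, the underlying cause named in the update.
$since = (Get-Date).AddHours(-24)
$dcom  = @(Get-EventLog -LogName System -Source $DcomSource -EntryType Error `
           -After $since -ErrorAction SilentlyContinue)
if ($dcom.Count -gt 0) {
    $problems += "$($dcom.Count) DCOM errors in the System log since $since"
}

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Sophos Message Router: no backlog, memory growth or DCOM errors detected.'
exit 0
```

The script only reports; because each signal is listed separately, it also distinguishes the cases in the comments below where the CPU problem appears without a backlog or DCOM errors.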



Re: Fixing Sophos and a rant against heavyweight solutions to simple problems

Posted 2910 days ago by Jonathan Smith

I have this exact problem, but I do not have the DCOM errors in my event logs. RouterNT.exe is out of control, as it takes all the available CPU cycles and brings everything to a halt.

Re: Fixing Sophos and a rant against heavyweight solutions to simple problems

Posted 2685 days ago by Anonymous

I've seen that problem, but only after we retired the previous Sophos server; machines that were still pointing to the retired Sophos machine would max out the CPU.

Re: Fixing Sophos and a rant against heavyweight solutions to simple problems

Posted 2628 days ago by Mike

100% UNACCEPTABLE for a software package that aspires to sit in such a critical role.
100% Fixable, at a relatively insignificant cost to Sophos!
Why don't you fix this TODAY Sophos?!

Re: Fixing Sophos and a rant against heavyweight solutions to simple problems

Posted 1715 days ago by Bernardo

I have the same problem at my place of employment. RouterNT.exe starts out normal after a reboot of the machine (which happens to be a Windows 2003 terminal server), then progressively chews up more and more resources over time. Within two or three days, it becomes nearly impossible to do anything other than a hard reset. If I'm lucky enough to be able to log into the console, I stop the routerNT.exe task to get temporary relief.

However, I'm not getting the build-up of messages, nor DCOM errors, and there's no help on the Sophos knowledge base that I can find.

I'm going to uninstall the Remote Management component of Sophos on this machine and just leave the anti-virus installed. Hopefully that will solve the issue and won't reinstall itself automatically.

I agree with the 100% unacceptable comment - I'm about ready to look elsewhere for enterprise anti-virus.

Re: Fixing Sophos and a rant against heavyweight solutions to simple problems

Posted 1257 days ago by Mike

This problem continues to be an issue in Sophos Endpoint Security and Control ver. 9.7 on Windows 2003 Terminal Servers.
Come on Sophos, you have a great product; you need to get this fixed.

