October 12, 2005
Fixing Sophos and a rant against heavyweight solutions to simple problemsPosted 4031 days ago on October 12, 2005
It drives me wild when anti-virus software causes more problems than it solves.
Here's a case in point. Sophos Small Business Edition (supposedly designed to be easy to administer) running on Windows Small Business Server 2003 - I imagine a common scenario. We notice disk space reducing on drive C. We notice high CPU usage. The culprit is RouterNT.EXE which is the Sophos Message Router. It is grabbing up to 98% CPU with ever-increasing memory requirements ... 50MB ... 100MB ... 300MB ...
So I stop the Message Router service. Although there seems to be no help in the Sophos knowledgebase, I search the Web and find a tip concerning the \Program Files\Sophos\Remote Management Service\Router\Envelopes folder. Apparently this can get overloaded with messages. Indeed it is: over 200,000 messages are sitting there. I delete these and restart the services, which fixes the problem for the moment.
As far as I can tell, the Message Router Service is not fighting viruses as such. Rather, it is part of the admin system which is meant to enable centralized monitoring of all the computers on the network. Delving a bit deeper, it turns out that this is a CORBA application. CORBA is a well respected but unfashionable technology for scaleable distributed applications. Fair enough for an enterprise - but let's remember that this is Small Business Edition, with a maximum of 100 users. Surely there is a simpler way of having client machines report their status back to the server.
I can't shake off a suspicion that this is over-engineered for the purpose. It brings to mind my recent problems with HP's Java Application Server for running a printer utility. The outcome in both cases is the same: lousy performance.
I am also unimpressed by the failure of the Sophos system to detect this error condition. The basic anti-virus engine seems rather good, as these things go, but not the management stuff.
UPDATE This morning I managed to contact Sophos support (after trying repeatedly but failing to get through last night). The problem seems to be related to the Sophos SBE Management Service which apparently fails with a DCOM error following an update to Windows 2003. There is a Knowledgebase article here. Looking in my event log, I had DCOM errors related to smtemlib, the Sophos AutoUpdate service, so I applied the same fix here as well and restarted the service. Without these further fixes, the problem will inevitably re-occur.
Comments are closed
Recent postsUsers plead with Borland to give up .NET
IE7 to be released 18th October,...
If Microsoft doesn't use UAC, why...
Google's unsettling lack of direction
Vista security: now prove it