There is no supported way to uninstall Windows Defender Antivirus from Windows 10. I verified Windows Defender Antivirus realtime scanning is already disabled. That didn't make any difference in my observations. I stopped the Cisco Umbrella Roaming Client service and verified connectivity to a reliable DNS server (9.9.9.9).
Here's what I have tried so far. Added 127.0.0.1 as a Website Exclusion in Sophos Endpoint Threat Protection policy. I would think that what Cisco Umbrella Roaming Client does could be similar to what Sophos Internet Real-time scanning does, and both cannot be enabled. If that does not help, I would suggest uninstalling Cisco Umbrella Roaming Client completely (together with disabling Windows Defender) to see if the issue still occurs. Perhaps adding 127.0.0.1 as a Website Exclusion (in your Threat Protection Policy's Scanning Exclusions) also helps? If this application has vendor-recommended A/V exclusions, it is best to include these in your Threat Protection Policy in Sophos. You also mentioned Cisco Umbrella Roaming Client - some features of this may be interacting with Real-time Scanning (Internet) features. Interesting that you mentioned Windows Defender - can you disable this completely and see if the issue persists? Ideally third-party AV or scanning applications shouldn't be running alongside each other if they perform similar features, otherwise this may cause performance issues. Other ideas? I have opened a case on this in the past and was asked to enable SWI verbose logging, which then promptly generated a 10 GB+ log file overnight and filled the C volume.
We have deployed this software on hundreds of machines and the only machine I have consistently seen the problem with is my own laptop. There is also the built-in Windows Defender Antivirus, which continues to run in the background but is not actively scanning from my understanding.
The only other filtering system on my Windows 10 machine is Cisco Umbrella Roaming Client, which I've tried disabling, and that doesn't make any difference. I'm not sure what I should be looking for if I've determined the delays go away when disabling the Sophos Internet Real Time scanning. I have just run Process Monitor, which I have used many times over the years, but it is typically like looking for a needle in a haystack. The issue disappears as soon as I disable Sophos Endpoint Real Time scanning of "Internet".
There are no apparent resource bottlenecks (RAM, CPU, disk, network). Subsequently, browsing the web site is much faster. It is most apparent when you first load that web site. Firefox will even show "Performing a TLS handshake to " for a second or two or three and sometimes multiple domains depending on the web site. It seems to be most apparent any time an HTTPS connection is being made. The issue I'm seeing is experienced in all browsers (Firefox, Chrome, Edge).