This article describes the expected behaviour of Malicious Traffic Detection when it is enabled as part of Sophos Anti-Virus for Linux.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Linux
Central Sophos Anti-Virus for Linux Version 10.4.1
Malicious Traffic Detection
Malicious Traffic Detection (MTD) on a Linux server can be a very effective tool and is a valuable feature in many environments. In certain situations, though, it can consume a notable amount of CPU time, which means it is not always an appropriate feature to enable.
Although MTD only queries certain kinds of traffic (such as TCP, HTTP and HTTPS), and exclusions can be set so that traffic to specific addresses is ignored, every single packet still has to be examined to determine what type of packet it is and where it is going before that decision can be made. Configuration changes that reduce the scan look-ups may therefore help a little in some circumstances, but nothing can be done to reduce the work of that initial inspection.
For this reason, systems with a high network presence, such as web servers or file servers, may experience periods of very high CPU usage while all of the network data is being examined. Sophos recommends testing the MTD feature on your Linux servers before rolling it out fully. Note: the CPU peak may lag behind the network peak.
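The following sampler is an added example for running the pre-rollout test described above; it is not Sophos code and does not depend on any Sophos component. It records overall CPU load and the throughput of one network interface at a fixed interval, alongside the process currently using the most CPU, so that CPU spikes can be correlated with traffic bursts (and seen to lag behind them). It assumes the standard Linux /proc/stat and /proc/net/dev layouts and the procps `ps --sort` option; the interface name, interval and sample count are supplied on the command line, and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Sophos code): correlate CPU load with NIC throughput
# while exercising a server with MTD enabled. Assumes Linux /proc and
# procps ps(1). Usage: sh mtd_load_sample.sh eth0 5 24   (iface, secs, samples)

# Busy-CPU percentage between two aggregate "cpu" lines from /proc/stat.
# Fields: cpu user nice system idle iowait irq softirq steal ...
# Example (constructed): 'cpu 100 0 100 800 0 0 0 0 0 0' then
# 'cpu 300 0 300 1400 0 0 0 0 0 0' -> 40
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { idle[NR] = $5 + $6; total[NR] = 0
          for (i = 2; i <= NF; i++) total[NR] += $i }
        END {
            dt = total[2] - total[1]; di = idle[2] - idle[1]
            if (dt <= 0) { print 0; exit }      # no ticks elapsed
            printf "%d\n", 100 * (dt - di) / dt
        }'
}

# Print "rx_bytes tx_bytes" for interface $1, reading /proc/net/dev on stdin.
# Handles both "eth0: 123" and "lo:123" spacing; counters after the colon are
# rx bytes (1st) and tx bytes (9th).
iface_bytes() {
    awk -v ifc="$1" '
        index($0, ":") {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, ":")
            if (substr(line, 1, n - 1) != ifc) next
            $0 = substr(line, n + 1)          # re-split the counters
            print $1, $9
            exit
        }'
}

# Throughput in Mbit/s from two byte counters and the elapsed seconds.
# Example (constructed): rate_mbit 0 12500000 1 -> 100.00
rate_mbit() {
    awk -v p="$1" -v c="$2" -v s="$3" \
        'BEGIN { if (s <= 0) s = 1; printf "%.2f\n", (c - p) * 8 / s / 1000000 }'
}

# Sample every $2 seconds, $3 times, for interface $1. Keep sampling after the
# load generator stops: the CPU peak may arrive after the network peak.
sample_loop() {
    ifc=$1; interval=$2; count=$3
    prev_cpu=$(grep '^cpu ' /proc/stat)
    prev_net=$(iface_bytes "$ifc" < /proc/net/dev)
    i=0
    while [ "$i" -lt "$count" ]; do
        sleep "$interval"
        cur_cpu=$(grep '^cpu ' /proc/stat)
        cur_net=$(iface_bytes "$ifc" < /proc/net/dev)
        set -- $prev_net $cur_net     # $1 $2 = old rx tx, $3 $4 = new rx tx
        printf '%s cpu=%s%% rx=%s Mbit/s tx=%s Mbit/s top=%s\n' "$(date +%T)" \
            "$(cpu_busy_pct "$prev_cpu" "$cur_cpu")" \
            "$(rate_mbit "$1" "$3" "$interval")" \
            "$(rate_mbit "$2" "$4" "$interval")" \
            "$(ps -eo pcpu,comm --sort=-pcpu | sed -n 2p)"
        prev_cpu=$cur_cpu; prev_net=$cur_net
        i=$((i + 1))
    done
}

# Only start sampling when an interface is given on the command line.
if [ $# -ge 1 ]; then
    sample_loop "$1" "${2:-5}" "${3:-12}"
fi
```

Run it on a test server before and after enabling MTD while replaying representative traffic (for example a load test against the web or file service); the `top=` column shows which process is hottest during each sample, so a sustained rise attributable to the MTD daemon during traffic bursts is the cost to weigh against the feature's benefit on that host.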