One of the recommendations from a recent MS WDRAP was to have a look at anti-virus configurations, in particular the exclusion settings. Microsoft publish a good overview of the various exclusions to configure depending on the services being run on a particular machine:
Of note for student labs for this is the recommendation for SQL boxes. The majority of our student machines run a default 2008 instance with many more running an additional 2008 R2 instance for a piece of software called NVivo. One of the listed documents is designed for PCs in Enterprise environments:
There is one minor gotcha with Sophos exclusions though, see:
It appears that short file names also need to be configured for exclusions alongside the long file names, especially where legacy applications exist (whatever and wherever they are). If you have not configured this properly, the only real problem you will find will be performance issues due to the constant scanning by Sophos.