Sophos Endpoint Defence Software - High CPU?

Hi People,

Recently my laptop's fan is constantly going after a Sophos update. Looking in Task Manager, sorted by CPU usage, I saw that Sophos Endpoint Defence Software is using between 24 - 30% CPU, whilst using 0.1 MB/s - 0.2 MB/s disk.

I'm struggling to work out what it is doing. I've had a quick Google and from what I've read, it seems it wouldn't be that resource heavy to achieve that?

Also, I wanted to ask if this is expected behaviour or something not right somewhere?

Windows 10 1909

Core Agent - 2.19.6

Endpoint Advanced 10.8.11.1

Sophos Intercept X 2.0.22

Sophos Endpoint Defense: Frequently Asked Questions (FAQs)

Thanks

Si Box

  • Which service? Given the grouping it could be 1 of 2:

    Do you have access to Sophos Central to change policy out of interest if needed?

  • I don't have access to Sophos Central.

    Thanks

  • Without access to Sophos Central to change policy, and I assume the computer also has Tamper Protection enabled, you might struggle.

    Do you have a large Security Event log, i.e. C:\Windows\System32\winevt\Logs\Security.evtx?

    I suspect it's related to the EDR component; one of the tasks that service carries out is compressing journal files.

    Under "C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\*\"

    is where SED keeps all the journal files by type. The current file being written to is a .bin file, but these get archived to .xz files.

    If you run Process Monitor (Process Monitor - Windows Sysinternals | Microsoft Docs) as a start, with a process name filter for SEDService.exe, do you see a lot of file activity under this directory?

  • Security.evtx was 20 MB - I've since cleared that.

    Yes, using Process Monitor and filtering on SEDService.exe, I can see lots of ReadFile and WriteFile activity under that directory.

    I will be able to speak to someone who has access to Sophos Central easily enough.

    Thanks

  • I have seen people change the retention to 4 GB before. 20 MB is the default and not an issue.

    If you look at the paths being accessed in Process Monitor, what is the directory name of interest: Process, Registry, DNS? Do you find it's always one sub-directory underneath the SophosED directory? This would be helpful to know as it would detail the types of events.

  • There seems to be a loop of directories accessed and a series of (ReadFile, WriteFile, QueryStandardInformationFile, QueryBasicInformationFile, QueryNetworkOpenInformationFile, CreateFile, OpenFile) operations for each:

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-000000004d2eb5af-000000004d3c615d-132748802426233681-132748838531876509.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\System\System-000000004b1bf41b-000000004b1bf41b-132737648611846313-132737648611846313.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataReads\FileDataReads-000000004c3006be-000000004c306963-132739436713237398-132741789180475632.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes\FileHashes-000000004cc6c9e9-000000004ccb728d-132742782724437241-132742793878015911.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\WinSec\WinSec-000000004e2b339b-000000004e4016d0-132751262426521542-132751299239048327.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-000000004e63e8c6-000000004e67d3b9-132751424416129952-132751463263512222.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Http\Http-000000004b44cd01-000000004b52ad4d-132738263728203078-132738299572745536.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Ip\Ip-000000004b455a5d-000000004b53a87e-132738264596806290-132738302277244548.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges\DirectoryChanges-000000004e5eb62b-000000004e62eb8b-132751374166848394-132751397876779206.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges\FileBinaryChanges-000000004e5f7502-000000004e62be51-132751378615932768-132751396744613116.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataChanges\FileDataChanges-000000004db92b9f-000000004dbd0a14-132749823747675192-132749832797830055.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties\FileProperties-000000004e5e2913-000000004e638afd-132751369895735246-132751422324453762.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-000000004e7a4cde-000000004e9513af-132753887483021665-132753910760273606.bin

    All operations are file based, no registry mentions.

    Thanks.

  • I can't tell from that if there are specific journals that are being hit especially hard. All I can say from that is that all the following are listed:

    Network
    URL
    System
    FileDataReads
    FileHashes
    WinSec
    Dns
    Http
    IP
    DirectoryChanges
    FileBinaryChanges
    FileDataChanges
    FileProperties
    FileOtherChanges

    You might have to ask your Sophos admin to raise a Support request. If it's becoming an issue you could ask them to disable EDR/RCA in Central for the computer just while it's understood.

  • Ok, thanks for that.

    Our Sophos admin has raised a ticket.
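Added example, not from this thread or from Sophos: a small Python script that reads a Process Monitor CSV export (File > Save, CSV format), keeps only SEDService.exe events under the SophosED journal root, and tallies operations per journal sub-directory, which is the breakdown the replies above ask for. The sample export is constructed, and reading the last two 18-digit fields of a journal file name as FILETIME start/end stamps is my assumption, not something Sophos documents here.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Journal root named in the thread above.
JOURNAL_ROOT = r"C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the column layout of a Process Monitor CSV export (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:10:28.1","SEDService.exe","4211","ReadFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp","SUCCESS","Offset: 0, Length: 4,096"
"09:10:28.2","SEDService.exe","4211","WriteFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp","SUCCESS","Offset: 4,096, Length: 4,096"
"09:10:28.3","SEDService.exe","4211","ReadFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp","SUCCESS","Offset: 8,192, Length: 4,096"
"09:10:28.4","SEDService.exe","4211","CreateFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-000000004d2eb5af-000000004d3c615d-132748802426233681-132748838531876509.bin","SUCCESS","Desired Access: Generic Read"
"09:10:28.5","SEDService.exe","4211","RegQueryValue","HKLM\SOFTWARE\Sophos","SUCCESS","Type: REG_SZ"
"09:10:28.6","explorer.exe","1234","ReadFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-000000004e63e8c6-000000004e67d3b9-132751424416129952-132751463263512222.bin","SUCCESS","Offset: 0, Length: 512"
'''


def journal_type(path):
    """Return the SophosED journal sub-directory (Network, Url, Dns, ...) a path belongs to, or None."""
    prefix = JOURNAL_ROOT + "\\"
    if not path.startswith(prefix):
        return None
    return path[len(prefix):].split("\\", 1)[0]


def tally_journal_activity(csv_text, process="SEDService.exe"):
    """Count (journal type, operation) pairs for one process, mirroring the thread's Process Monitor filter."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        jtype = journal_type(row["Path"])
        if row["Process Name"] == process and jtype is not None:
            counts[(jtype, row["Operation"])] += 1
    return counts


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def journal_file_span(path):
    """Assumption: the last two 18-digit fields of a journal file name are FILETIME start/end stamps."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    start, end = stem.split("-")[-2:]
    return filetime_to_utc(int(start)), filetime_to_utc(int(end))


if __name__ == "__main__":
    for (jtype, op), n in tally_journal_activity(SAMPLE_CSV).most_common():
        print(f"{jtype:<20} {op:<12} {n}")
```

Point the script at a real export by reading the CSV file into `tally_journal_activity`; the journal with the highest counts is the one to mention in the support ticket.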

  • Did you get any response or updates on this? I have been experiencing the same problem for the last couple of days.

    I've reduced some of the policies but this seems against the point of Endpoint Protection to me.

  • Hi Thomas,

    Our Sophos keeper is meant to be getting a call from Sophos support this week and so I'm waiting on the outcome of that.

    We think that the issue started when Windows 20H2 was installed. We have one customer who has the new version of Sophos installed and is still on Windows 1902, and he doesn't have the high CPU usage issue. SED is using 0-1% on his laptop.

    We install new Windows versions to the IT dept before our end users, and all IT have this issue.

    When I compare my C:\ProgramData\Sophos\Endpoint Defense\Logs\sed.log to the users above, they look a lot different in that mine has a lot of these entries:

    2021-09-21T09:10:28.875Z SED FileFlt Info [0] Rename blocked \DEVICE\HARDDISKVOLUME4\PROGRAMDATA\SOPHOS\ENDPOINT DEFENSE 3 2 \Device\HarddiskVolume4\ProgramData\Sophos\Endpoint Defense\Logs\seds.log to \Device\HarddiskVolume4\ProgramData\Sophos\Endpoint Defense\Logs\seds1.log System [4:18516]

    And the health.log has similar errors, this time errors in moving a .json file:

    2021-09-21T09:14:37.781Z [ 5728: 7356] [v2.7.28.0] ERROR Exception: Move from C:\ProgramData\Sophos\Health\Event Store\Incoming\SAV-{A3EFBAA7-492F-4A6E-AD28-7C57937ADE71}.json to C:\ProgramData\Sophos\Health\Event Store\Error\SAV-{A3EFBAA7-492F-4A6E-AD28-7C57937ADE71}.json failed with error: 5

    I'm leaning towards a permission issue or something along those lines.

    Are those log files similar on your device?

    What version of Windows is installed on your device?

    Once I have an update from our Sophos keeper, I'll update this post.

    Thanks

  • Thank you for sharing this. Can you also share with us the case ID that has been created for this query, so we can help you follow up with it and post updates on this query if available?

    GlennSen
    Global Community Support Engineer | Global Community Team
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.