
Sophos Endpoint Defence Software - High CPU?

Hi People,

Recently my laptop's fan is constantly going after a Sophos update. Looking in Task Manager sorted by CPU usage, I saw that Sophos Endpoint Defence Software is using between 24 - 30% CPU, whilst using 0.1 MB/s - 0.2 MB/s disk.

I'm struggling to work out what it is doing. I've had a quick google and from what I've read, it seems it wouldn't be that resource heavy to achieve that?

Also, I wanted to ask if this is expected behaviour or something not right somewhere?

Windows 10  1909

Core Agent - 2.19.6

Endpoint Advanced 10.8.11.1

Sophos Intercept X 2.0.22 

Sophos Endpoint Defense: Frequently Asked Questions (FAQs)

Thanks

Si Box



  • Which service? Given the grouping it could be 1 of 2:

    Do you have access to Sophos Central to change policy out of interest if needed?

  • I don't have access to Sophos Central. 

    Thanks

  • Without access to Sophos Central to change policy and I assume the computer also has Tamper Protection enabled, you might struggle.

    Do you have a large Security Event log, i.e. C:\Windows\System32\winevt\Logs\Security.evtx?

    I suspect it's related to the EDR component, one of the tasks that service carries out is compressing journal files. 

    Under "C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\*\" is where SED keeps all the journal files by type. The current file being written to is a .bin file, but these get archived to .xz files.

    If you run Process Monitor (Process Monitor - Windows Sysinternals | Microsoft Docs) as a start with a process name filter for SEDService.exe do you see a lot of file activity under this directory?

  • Security.evtx was 20 MB - I've since cleared that.

    Yes, using Process Monitor and filtering on SEDService.exe, I can see lots of ReadFile and WriteFile activity under that directory.

    I will be able to speak to someone who has access to Sophos Central easy enough. 

    Thanks

  • I have seen people change the retention to 4 GB before. 20 MB is the default and not an issue.

    If you look at the paths being accessed in Process Monitor, what is the directory name of interest? Process, registry, DNS? Do you find it's always one sub-directory underneath the SophosED directory? This would be helpful to know as it would detail the types of events.

  • There seems to be a loop of directories accessed and a series of (ReadFile, WriteFile, QueryStandardInformationFile, QueryBasicInformationFile, QueryNetworkOpenInformationFile, CreateFile, OpenFile) operations for each:

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-000000004d2eb5af-000000004d3c615d-132748802426233681-132748838531876509.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\System\System-000000004b1bf41b-000000004b1bf41b-132737648611846313-132737648611846313.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataReads\FileDataReads-000000004c3006be-000000004c306963-132739436713237398-132741789180475632.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes\FileHashes-000000004cc6c9e9-000000004ccb728d-132742782724437241-132742793878015911.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\WinSec\WinSec-000000004e2b339b-000000004e4016d0-132751262426521542-132751299239048327.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-000000004e63e8c6-000000004e67d3b9-132751424416129952-132751463263512222.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Http\Http-000000004b44cd01-000000004b52ad4d-132738263728203078-132738299572745536.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Ip\Ip-000000004b455a5d-000000004b53a87e-132738264596806290-132738302277244548.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges\DirectoryChanges-000000004e5eb62b-000000004e62eb8b-132751374166848394-132751397876779206.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges\FileBinaryChanges-000000004e5f7502-000000004e62be51-132751378615932768-132751396744613116.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataChanges\FileDataChanges-000000004db92b9f-000000004dbd0a14-132749823747675192-132749832797830055.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties\FileProperties-000000004e5e2913-000000004e638afd-132751369895735246-132751422324453762.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-000000004e7a4cde-000000004e9513af-132753887483021665-132753910760273606.bin

    All operations are file based, no registry mentions.

    Thanks. 
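The reply above lists every journal type but cannot say which one dominates. One way to answer that from a Process Monitor CSV export (File > Save, CSV format, filtered on SEDService.exe) is the script below, an added example that is not from the thread or from Sophos. The CSV rows are constructed from the paths quoted above, and the decoding of the two trailing 18-digit numbers in each journal filename as Windows FILETIME values is an assumption based on their magnitude, not something documented on this page.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed Process Monitor CSV export (File > Save, CSV format), already
# filtered on Process Name = SEDService.exe. Sample rows, not a real capture.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"09:10:28.8751234","SEDService.exe","4120","ReadFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp","SUCCESS"
"09:10:28.8752110","SEDService.exe","4120","ReadFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp","SUCCESS"
"09:10:28.8753002","SEDService.exe","4120","WriteFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp","SUCCESS"
"09:10:28.8760017","SEDService.exe","4120","QueryStandardInformationFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-000000004d2eb5af-000000004d3c615d-132748802426233681-132748838531876509.bin","SUCCESS"
"09:10:28.8760421","SEDService.exe","4120","ReadFile","C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-000000004d2eb5af-000000004d3c615d-132748802426233681-132748838531876509.bin","SUCCESS"
"09:10:28.8770103","SEDService.exe","4120","WriteFile","C:\ProgramData\Sophos\Endpoint Defense\Logs\sed.log","SUCCESS"
'''

# Journal names in the thread look like <Type>-<hex>-<hex>-<num>-<num>.<ext>.
# Assumption (not documented on the page): the two trailing 18-digit numbers
# are Windows FILETIME values for the first and last event held in the file.
JOURNAL_RE = re.compile(
    r"\\Event Journals\\SophosED\\(?P<kind>[^\\]+)\\(?P=kind)-"
    r"[0-9a-f]{16}-[0-9a-f]{16}-(?P<ft_start>\d{18})-(?P<ft_end>\d{18})\.(bin|tmp|xz)$",
    re.IGNORECASE)

def filetime_to_datetime(ft):
    """Windows FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(ft) // 10)

def summarise(csv_text):
    """Return (ops per journal type, ops per (type, operation), time span per
    journal file). Rows outside the SophosED journal tree are ignored."""
    per_kind, per_kind_op, spans = Counter(), Counter(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = JOURNAL_RE.search(row["Path"])
        if not m:
            continue
        per_kind[m["kind"]] += 1
        per_kind_op[(m["kind"], row["Operation"])] += 1
        name = row["Path"].rsplit("\\", 1)[1]
        spans[name] = (filetime_to_datetime(m["ft_start"]), filetime_to_datetime(m["ft_end"]))
    return per_kind, per_kind_op, spans

if __name__ == "__main__":
    kinds, ops, spans = summarise(PROCMON_CSV)
    for kind, n in kinds.most_common():        # which journal type dominates?
        print(f"{kind:<20} {n:>5} ops")
    for name, (start, end) in spans.items():   # how much time each file covers
        print(f"{name[:24]}... {start:%Y-%m-%d %H:%M}Z to {end:%Y-%m-%d %H:%M}Z")
```

On a real export the per-type counts show which journal the service is churning through, and a file whose FILETIME span is only minutes long hints at a very high event rate for that type.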

  • I can't tell from that if there are specific journals that are being especially hit a lot. All I can say from that is that all the following are listed:

    Network
    URL
    System
    FileDataReads
    FileHashes
    WinSec
    Dns
    Http
    IP
    DirectoryChanges
    FileBinaryChanges
    FileDataChanges
    FileProperties
    FileOtherChanges

    You might have to ask your Sophos admin to raise a Support request.  If it's becoming an issue you could ask them to disable EDR/RCA in Central for the computer just while it's understood.

  • Ok, thanks for that. 

    Our Sophos admin has raised a ticket.

  • Did you get any response or updates on this? I have been experiencing the same problem for the last couple of days. 

    I've reduced some of the policies, but this seems against the point of Endpoint Protection to me.

  • Hi Thomas,

    Our Sophos keeper is meant to be getting a call from Sophos support this week and so I'm waiting on the outcome of that.

    We think that the issue started when Windows 20H2 was installed. We have one customer who has the new version of Sophos installed and is still on Windows 1902, and he doesn't have the high CPU usage issue. SED is using 0-1% on his laptop.

    We install new Windows versions to the IT dept before our end users, and all of IT have this issue.

    When I compare my C:\ProgramData\Sophos\Endpoint Defense\Logs\sed.log to the users above, they look a lot different in that mine has a lot of these entries:

    2021-09-21T09:10:28.875Z SED FileFlt Info [0] Rename blocked \DEVICE\HARDDISKVOLUME4\PROGRAMDATA\SOPHOS\ENDPOINT DEFENSE 3 2 \Device\HarddiskVolume4\ProgramData\Sophos\Endpoint Defense\Logs\seds.log to \Device\HarddiskVolume4\ProgramData\Sophos\Endpoint Defense\Logs\seds1.log System [4:18516]

    And the health.log has similar errors, this time errors in moving a .json file:

    2021-09-21T09:14:37.781Z [ 5728: 7356] [v2.7.28.0] ERROR Exception: Move from C:\ProgramData\Sophos\Health\Event Store\Incoming\SAV-{A3EFBAA7-492F-4A6E-AD28-7C57937ADE71}.json to C:\ProgramData\Sophos\Health\Event Store\Error\SAV-{A3EFBAA7-492F-4A6E-AD28-7C57937ADE71}.json failed with error: 5

    I'm leaning towards a permission issue or something along those lines.

    Are those log files similar on your device?

    What version of Windows is installed on your device?

    Once I have an update from our Sophos keeper, I'll update this post.

    Thanks

  • Thank you for sharing this. Can you also share with us the case ID that has been created for this query, so we can help you follow up with it and post updates on this query if available?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

  • Hi,

    any updates on this one?
    Did the Sophos Support provide a solution or is there an idea at least?

  • I was able to check in on the support cases we have opened. It looks like this issue is still under investigation.

    As an initial step, could you run the following command and provide the output you get when entered in an "Admin Command Prompt"?
    - fltmc

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi All, the issue is apparently caused by a conflict with the Checkpoint VPN client. My laptop has been rebuilt using MS VPN instead and the process is now running at a steady 0% - 0.2%.

    Thanks for all your suggestions and input.

    Si

  • I would suspect it was possibly more likely to be the rebuilding of the laptop and re-install. If nothing else you would start with new SED journals. That’s not to say the VPN software wasn’t creating a large number of journaled events but I guess time will tell.

    Thanks for the feedback.