Sophos Endpoint Defence Software - High CPU?

Hi People,

Recently my laptop's fan is constantly going after a Sophos update. Looking in Task Manager sorted by CPU usage, I saw that Sophos Endpoint Defence Software is using between 24% and 30% CPU, whilst using 0.1 MB/s to 0.2 MB/s of disk.

I'm struggling to work out what it is doing. I've had a quick Google and, from what I've read, it seems it wouldn't be that resource heavy to achieve that?

Also, I wanted to ask if this is expected behaviour or something not right somewhere?

Windows 10  1909

Core Agent - 2.19.6

Endpoint Advanced 10.8.11.1

Sophos Intercept X 2.0.22 

Sophos Endpoint Defense: Frequently Asked Questions (FAQs)

Thanks

Si Box

  • Which service?  Given the grouping it could be 1 of 2:

    Do you have access to Sophos Central to change policy out of interest if needed?

  • I don't have access to Sophos Central. 

    Thanks

  • There seems to be a loop of directories accessed and a series of (ReadFile, WriteFile, QueryStandardInformationFile, QueryBasicInformationFile, QueryNetworkOpenInformationFile, CreateFile, OpenFile) operations for each...

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Url\Url-000000004d2eb5af-000000004d3c615d-132748802426233681-132748838531876509.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\System\System-000000004b1bf41b-000000004b1bf41b-132737648611846313-132737648611846313.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataReads\FileDataReads-000000004c3006be-000000004c306963-132739436713237398-132741789180475632.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileHashes\FileHashes-000000004cc6c9e9-000000004ccb728d-132742782724437241-132742793878015911.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\WinSec\WinSec-000000004e2b339b-000000004e4016d0-132751262426521542-132751299239048327.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-000000004e63e8c6-000000004e67d3b9-132751424416129952-132751463263512222.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Http\Http-000000004b44cd01-000000004b52ad4d-132738263728203078-132738299572745536.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Ip\Ip-000000004b455a5d-000000004b53a87e-132738264596806290-132738302277244548.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\DirectoryChanges\DirectoryChanges-000000004e5eb62b-000000004e62eb8b-132751374166848394-132751397876779206.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileBinaryChanges\FileBinaryChanges-000000004e5f7502-000000004e62be51-132751378615932768-132751396744613116.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileDataChanges\FileDataChanges-000000004db92b9f-000000004dbd0a14-132749823747675192-132749832797830055.bin

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileProperties\FileProperties-000000004e5e2913-000000004e638afd-132751369895735246-132751422324453762.tmp

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\FileOtherChanges\FileOtherChanges-000000004e7a4cde-000000004e9513af-132753887483021665-132753910760273606.bin

     All operations are file based, no registry mentions.

    Thanks. 

  • I can't tell from that if there are specific journals that are being especially hit a lot. All I can say from that is that all the following are listed:

    Network
    URL
    System
    FileDataReads
    FileHashes
    WinSec
    Dns
    Http
    IP
    DirectoryChanges
    FileBinaryChanges
    FileDataChanges
    FileProperties
    FileOtherChanges

    You might have to ask your Sophos admin to raise a Support request.  If it's becoming an issue you could ask them to disable EDR/RCA in Central for the computer just while it's understood.

  • Ok, thanks for that. 

    Our Sophos admin has raised a ticket.

  • Did you get any response or updates on this? I have been experiencing the same problem for the last couple of days. 

    I've reduced some of the policies but this seems against the point of Endpoint Protection to me.

  • Hi Thomas,

    Our Sophos keeper is meant to be getting a call from Sophos support this week, so I'm waiting on the outcome of that.

    We think that the issue started when Windows 20H2 was installed. We have one customer who has the new version of Sophos installed and is still on Windows 1902, and he doesn't have the high CPU usage issue. SED is using 0-1% on his laptop.

    We install new Windows versions to the IT dept before our end users, and all of IT have this issue.

    When I compare my C:\ProgramData\Sophos\Endpoint Defense\Logs\sed.log to the users above, they look a lot different in that mine has a lot of these entries:

    2021-09-21T09:10:28.875Z SED FileFlt Info [0] Rename blocked \DEVICE\HARDDISKVOLUME4\PROGRAMDATA\SOPHOS\ENDPOINT DEFENSE 3 2 \Device\HarddiskVolume4\ProgramData\Sophos\Endpoint Defense\Logs\seds.log to \Device\HarddiskVolume4\ProgramData\Sophos\Endpoint Defense\Logs\seds1.log System [4:18516]

    And the health.log has similar errors, this time errors in moving a .json file:

    2021-09-21T09:14:37.781Z [ 5728: 7356] [v2.7.28.0] ERROR Exception: Move from C:\ProgramData\Sophos\Health\Event Store\Incoming\SAV-{A3EFBAA7-492F-4A6E-AD28-7C57937ADE71}.json to C:\ProgramData\Sophos\Health\Event Store\Error\SAV-{A3EFBAA7-492F-4A6E-AD28-7C57937ADE71}.json failed with error: 5

    I'm leaning towards a permission issue or something along those lines.

    Are those log files similar on your device?

    What version of Windows is installed on your device?

    Once I have an update from our Sophos keeper, I'll update this post.

    Thanks
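
A small triage helper written for this thread, not Sophos code: it decodes the SED journal file names listed earlier in the thread, assuming (undocumented) that the two 18-digit fields are Windows FILETIME start and end stamps, summarises which journal types are still open (.tmp) and how much time they cover, and maps the "failed with error: N" codes in health.log to their Win32 names (5 is ERROR_ACCESS_DENIED, which is what a permission problem would produce). The sample paths are copied from the posts above; the health.log line is an abridged copy.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption (not documented by Sophos): the two 18-digit fields in a journal file
# name are Windows FILETIMEs (100 ns ticks since 1601-01-01 UTC) for start and end.
JOURNAL_RE = re.compile(
    r"\\Event Journals\\SophosED\\(?P<type>[^\\]+)\\(?P=type)-[0-9a-f]{16}-[0-9a-f]{16}"
    r"-(?P<start>\d+)-(?P<end>\d+)\.(?P<ext>tmp|bin)$", re.IGNORECASE)
# health.log "Move ... failed with error: N" lines carry a Win32 error code.
HEALTH_RE = re.compile(r"ERROR Exception: Move from .+ failed with error: (?P<code>\d+)")
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_journal_path(path: str):
    """Return (journal type, start, end, extension) or None if not a SED journal path."""
    m = JOURNAL_RE.search(path)
    if m is None:
        return None
    return m["type"], filetime_to_utc(int(m["start"])), filetime_to_utc(int(m["end"])), m["ext"].lower()

def summarize_journals(paths):
    """Per journal type: file count, open (.tmp) count and total seconds covered."""
    summary = {}
    for path in paths:
        parsed = parse_journal_path(path)
        if parsed is None:
            continue  # not a journal (e.g. sed.log itself); ignore
        jtype, start, end, ext = parsed
        row = summary.setdefault(jtype, {"files": 0, "tmp": 0, "span_s": 0.0})
        row["files"] += 1
        row["tmp"] += ext == "tmp"
        row["span_s"] += (end - start).total_seconds()
    return summary

def health_error_counts(lines):
    """Count health.log move failures by Win32 error name (unknown codes keep the number)."""
    codes = (int(m["code"]) for m in map(HEALTH_RE.search, lines) if m)
    return Counter(WIN32_ERRORS.get(c, f"WIN32_{c}") for c in codes)

# Sample input: two journal paths from the thread and an abridged copy of the health.log line.
SAMPLE_PATHS = [
    r"C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-000000004d420346-000000004d4f2be7-132748874228917995-132748910423355662.tmp",
    r"C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns\Dns-000000004e63e8c6-000000004e67d3b9-132751424416129952-132751463263512222.bin",
]
SAMPLE_HEALTH = [r"2021-09-21T09:14:37.781Z [ 5728: 7356] [v2.7.28.0] ERROR Exception: Move from C:\ProgramData\Sophos\Health\Event Store\Incoming\SAV-x.json to C:\ProgramData\Sophos\Health\Event Store\Error\SAV-x.json failed with error: 5"]
```

Feed it the paths from a Process Monitor export and the local health.log to see which journal types are churning and whether the move failures are access-denied errors.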

  • Thank you for sharing this. Can you also share with us the case ID that has been created for this query, for us to help you follow up with it and post updates on this query if available?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
  • Hi,

    Any updates on this one?
    Did the Sophos Support provide a solution or is there an idea at least?

  • I was able to check in on the support cases we have opened. It looks like this issue is still under investigation.

    As an initial step, could you run the following command and provide the output you get when entered in an "Admin Command Prompt"?
    - fltmc

    Kushal Lakhan
    Global Community Support Engineer
  • Hi All, the issue is apparently caused by a conflict with the Checkpoint VPN client. My laptop has been rebuilt using MS VPN instead and the process is now running at a steady 0% - 0.2%.

    Thanks for all your suggestions and input.

    Si

  • I would suspect it was possibly more likely to be the rebuilding of the laptop and re-install. If nothing else you would start with new SED journals. That’s not to say the VPN software wasn’t creating a large number of journaled events but I guess time will tell.

    Thanks for the feedback.
