10.0.3 "Sophos Network Extension" process using 150% CPU

My computer updated to macOS 11.2.1 yesterday and everything seemed fine, then Sophos updated from 10.0.2 to 10.0.3 early this morning. Since the Sophos update, my computer has been experiencing random network data loss. For instance, Microsoft Teams keeps disconnecting, web pages fail to load, etc. These usually only last less than 10 seconds each, but their frequency creates a very high level of frustration.

I noticed that for very long stretches of time (20 minutes or more), the Sophos Network Extension is running at 150% CPU usage.

I have all of the components configured to start and I have been running the EAP successfully since the beginning of the program. Today, I had to remove it. The network stability blips and the increased laptop fan usage caused by the high CPU process were too much.

  • It is also a temporary fix. After reboot, it automatically enables the transparent proxy. Face palm

  • Hi Eric. I have a number of SDUs that I generated locally while troubleshooting and testing different configurations. I can provide the ZIP files via PM if you like. I will also generate some process samples for you of the Sophos Network Extension process while it is undergoing exponential memory growth. 

    It's worth noting that at one point in my testing I had the Sophos Network Extension process using 17.94 GB of memory before it crashed. This is notable because my machine only has 16 GB of memory installed, and caused the system to use 8 GB of swap to accommodate, which had crushing implications for my other running processes.

    As for the use of web sockets, my users have many issues using a variety of web services, such as Slack and Google Mail/Drive, whether through a native client or not. This is manifested by the applications repeatedly having to reopen WS connections. See the following two screenshots from the dev console while accessing Slack from Safari. Prior to enabling Malicious Traffic Detection, there was a single, long-lived socket connection. Afterwards, the socket had to continuously respawn, as shown below. 

    Even this support forum isn't immune (though inspection seems to show this as being AJAX polling and not web sockets, but that points to a wider problem I suppose)

    Additionally, our business is a software defined access platform whose local GUI connects to the local daemon over web sockets, and even that gets hammered by Sophos Network Extension even though it's all local machine traffic. We have had a number of customers who also use Sophos, and can confirm that they've had to disable Sophos to resume operations with our client.

  • Hi mscottblake and Craine Runton,

    Sorry to hear that you're having trouble. What issues are you seeing with web socket based communications? We would like to investigate the issue more; could you please provide an SDU from the affected machine? We would also like a sample of the affected process when the issue occurs.

    To create a sample:

    • Go into Activity Monitor, and double click on the affected process taking CPU usage (i.e.: Sophos Network Extension).
    • Click on the Sample button
    • Please private message me and attach the sample’s output text file

    Please also provide an SDU from the affected machine by following these steps:

    Thanks for your feedback.

  • This works because you are not granting the Network Extension permission. This may be a workaround for some, but many organizations (such as my own) pre-approve that dialog and therefore cannot disable the feature.

  • Add another one to the list.

    Here it is resetting connections to our VPN

  • In my case, my VPN connection kept "randomly" disconnecting.
    My workaround was to remove my computer from EAP, run Sophos update and confirm downgrade to 10.0.1, then reenroll my computer in EAP, run Sophos update to get 10.0.3 but decline the Transparent Proxy request. 
    Rock solid since then.

  • Also finding those processes mentioned at sustained high CPU usage after 10.0.3 installed on my macOS 11.2.1 updated laptop. Seems to seriously interfere with VPN connections. When trying to connect I now intermittently get disconnected with "Protocol wrong type for socket" errors. Also, random web pages failing to load. I won't be able to keep Sophos if I hope to get any work done. Still holding back our fleet of Macs to macOS Catalina because of Sophos.


  • This appears to be the same experience I am having. I did not notice the memory leak until you pointed it out.

    It turns out that in my case, the Network Extension eventually consumes all available memory and once it does, the process crashes. It eventually restarts and begins spiking the CPU and consumes all of the available memory until it crashes again. This is that loop I referred to in my original post where it would go for 20 minutes or more and then stop.

  • We are seeing the same issue across our entire fleet. After the update to 10.0.3 that was applied this morning, we are seeing CPU usage from the Sophos Network Extension reaching greater than 100%, and memory usage skyrocketing, in some cases consuming all available memory, and then the process crashing.

    We are also seeing significant issues with web socket based communications. As a result we've had to disable Endpoint Protection and InterceptX across our entire fleet. 

  • Yes, I'm also seeing this issue. I think I started having this issue yesterday, but it may have been earlier. I'm also seeing frequent drops within the AnyConnect client now.