10.0.3 "Sophos Network Extension" process using 150% CPU

My computer updated to macOS 11.2.1 yesterday and everything seemed fine, then Sophos updated from 10.0.2 to 10.0.3 early this morning. Since the Sophos update, my computer has been experiencing random network data loss. For instance, Microsoft Teams keeps disconnecting, web pages fail to load, etc. These usually only last less than 10 seconds each, but their frequency creates a very high level of frustration.

I noticed that for very long stretches of time (20 minutes or more), the Sophos Network Extension is running at 150% CPU usage.

I have all of the components configured to start and I have been running the EAP successfully since the beginning of the program. Today, I had to remove it. The network stability blips and the increased laptop fan usage caused by the high-CPU process were too much.

  • Hi Eric. I have a number of SDUs that I generated locally while troubleshooting and testing different configurations. I can provide the ZIP files via PM if you like. I will also generate some process samples for you of the Sophos Network Extension process while it is undergoing exponential memory growth. 

    It's worth noting that at one point in my testing I had the Sophos Network Extension process using 17.94 GB of memory before it crashed. This is notable because my machine only has 16 GB of memory installed, and it caused the system to use 8 GB of swap to accommodate, which had crushing implications for my other running processes.

    As for the use of web sockets, my users have many issues using a variety of web services, such as Slack and Google Mail/Drive, whether through a native client or not. This is manifested by the applications repeatedly having to reopen WS connections. See the following two screenshots from the dev console while accessing Slack from Safari. Prior to enabling Malicious Traffic Detection, there was a single, long-lived socket connection. Afterwards, the socket had to continuously respawn, as shown below. 

    Even this support forum isn't immune (though inspection seems to show this as being AJAX polling and not web sockets, but that points to a wider problem I suppose)

    Additionally, our business is a software defined access platform whose local GUI connects to the local daemon over web sockets, and even that gets hammered by Sophos Network Extension even though it's all local machine traffic. We have had a number of customers who also use Sophos, and can confirm that they've had to disable Sophos to resume operations with our client.

  • It is also a temporary fix. After reboot, it automatically enables the transparent proxy. Face palm

  • I can confirm the exact situation at my end where Sophos is clashing with Zscaler ZPA (VPN like connection). On the previous version, the Web Network Extension was not enabled by restarts but since 10.0.3 we are in this situation... I had to provide my colleagues with the protection passwords so they can uninstall and then re-install back without the culprit. You can imagine the fun and comments on this..... 

  • I'm happy to say that we have identified the issue with the high CPU usage for the Sophos Network Extension process, and the fix will be included in our GA release.

    Thank you for all the feedback, it really is appreciated, and we apologize for the inconvenience.

  • Will this fix be available in the current EAP before GA?

  • Unfortunately there won't be an update to the EAP before GA, which begins rollout next week, at which point both EAP and GA lines will update together. If you can provide us with your updating credentials we can move you into the first rollout group, expected to release on Tue 23rd.

    In the meantime, we can offer a workaround to disable the network extension. In Central, amend existing policies, or create new ones, to disable:

    • Threat Protection
      • Real-time Scanning - Internet
        • Scan downloads in progress
        • Block access to malicious websites
      • Remediation
        • Enable threat case creation
        • Protect network traffic
    • Web Control
      • Disable Web Control

    Once the features are disabled, rebooting the machine will ensure the network extension is not loaded.

    I understand how frustrating this can be and we really do value your feedback and your patience.
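As an added triage helper that is not part of this thread and not Sophos's own tooling: a small POSIX shell script that records CPU and resident-memory samples of the Sophos Network Extension process on macOS, classifies a series of samples for the pattern reported above (CPU pinned above 100% and RSS growing on every sample), captures a call-stack sample to send to the vendor, and checks after the reboot step of the workaround whether the system extension is actually unloaded. The process name is assumed to match what Activity Monitor shows, the 100% threshold and three-sample minimum are my choices, and the `sample` and `systemextensionsctl` calls are macOS-only, so those two functions will not run on other systems.

```shell
#!/bin/sh
# Added example, not Sophos code. Process name and thresholds are assumptions.
PROC_NAME="Sophos Network Extension"   # assumed: name as shown in Activity Monitor

# Print one line "epoch cpu_percent rss_kb" for the first matching process.
# Returns 1 when the process is not running.
sample_ne() {
    pid=$(pgrep -f "$PROC_NAME" | head -n 1)
    [ -n "$pid" ] || return 1
    ps -o %cpu=,rss= -p "$pid" | awk -v t="$(date +%s)" '{ print t, $1, $2 }'
}

# Take N samples, one every INTERVAL seconds, appending them to LOGFILE.
collect_samples() {
    n=${1:-6}; interval=${2:-10}; logfile=${3:-sophos_ne_samples.log}
    i=0
    while [ "$i" -lt "$n" ]; do
        sample_ne >>"$logfile" || echo "$(date +%s) process not running" >&2
        i=$((i + 1))
        sleep "$interval"
    done
}

# Classify a series of samples read on stdin (one per line: epoch cpu rss_kb).
# Prints HIGH_CPU if every sample is above CPU_THR (default 100%), MEM_GROWTH
# if RSS rose on every consecutive sample (the runaway growth reported in the
# thread), both joined by a comma when both hold, OK if neither, and
# INSUFFICIENT if fewer than MIN (default 3) valid samples were read.
analyze_samples() {
    awk -v cpu_thr="${1:-100}" -v min="${2:-3}" '
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            n++
            if ($2 + 0 > cpu_thr + 0) hot++
            if (n > 1 && $3 + 0 > prev + 0) grow++
            prev = $3
        }
        END {
            if (n < min + 0) { print "INSUFFICIENT"; exit }
            flags = ""
            if (hot == n) flags = "HIGH_CPU"
            if (grow == n - 1) flags = (flags == "" ? "MEM_GROWTH" : flags ",MEM_GROWTH")
            print (flags == "" ? "OK" : flags)
        }'
}

# Constructed sample series (not real data) in the shape the thread describes:
# CPU around 150% while RSS doubles on each 10-second sample.
CONSTRUCTED_SAMPLES='1613000000 150.2 400000
1613000010 151.0 800000
1613000020 149.5 1600000'

demo_constructed() {
    printf '%s\n' "$CONSTRUCTED_SAMPLES" | analyze_samples
}

# macOS only: capture a 10-second call-stack sample of the process to hand to
# the vendor (the "process samples" mentioned in the thread).
stack_sample_ne() {
    pid=$(pgrep -f "$PROC_NAME" | head -n 1)
    [ -n "$pid" ] || return 1
    sample "$pid" 10 -file "sophos_ne_$(date +%s).txt"
}

# macOS only: after applying the policy workaround and rebooting, confirm the
# network extension is no longer active (exit 0 = not loaded). The
# "activated enabled" state string is an assumption about systemextensionsctl output.
ne_unloaded() {
    ! systemextensionsctl list 2>/dev/null | grep -i sophos | grep -qi "activated enabled"
}
```

Typical use on an affected Mac: `collect_samples 12 10 ne.log` while the fans are spinning up, then `analyze_samples 100 3 < ne.log` to see whether the run matches the reported pattern, `stack_sample_ne` to produce the sample file for the support case, and `ne_unloaded && echo "extension not loaded"` after the reboot to verify the workaround stuck, since one reply above reports the extension re-enabling itself on restart.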

  • Hi David, will this release to GA also update the client on macOS 10.15.x to v10.0.3? or will those Macs stay at v10.0.1?

    Thanks

  • Another question: Is a fix for the VPN issue pending in the GA?

  • I don't understand the reasoning here. The whole purpose of the EAP is to allow "customers to test the macOS features and functionality with macOS 11 Big Sur." By not patching the EAP, you are releasing untested code to all clients. How are we supposed to test and make sure it is a viable fix?

  • Will the Time Machine issue also be fixed?