Sophos Network Extension Memory Leak using 32GB of RAM on 11.2.1

  • Feature: Using the mac.
  • Severity: CRITICAL
  • Summary: Computer becomes slow to the point where it is no longer usable. Even the trackpad starts getting delayed.
  • Observed behavior: See attached screenshot
  • Reproduce it: Happens after a while but I can't reproduce it on demand.
  • Frequency: Happened yesterday. I'll see if it happens again.
  • Desired behavior: No memory leak is desired.
  • Environment: MacBook Pro 15" Mid 2015. I'm also using Cloudflare WARP 1.3.113 which routes DNS traffic through it as DOH.
  • Other: Nothing more
  • Supporting logs, tool output etc: Tell me what you need and I will add it.
  • We have identified the issue with the high CPU usage for the Sophos Network Extension process and will be included in our GA release.

    We would like to confirm that the issue you're seeing is the same issue. Could you please provide an SDU and we can take a look. You can upload this as follows:

    • Go into Central, find the device, and click on the generate SDU button
    • Once the SDU is uploaded, post the file name here so we can extract it and take a look

    In the meantime, we can offer a workaround to disable the network extension. In Central amend, or create new, policies to disable:

    • Threat Protection
      • Real-time Scanning - Internet
        • Scan downloads in progress
        • Block access to malicious websites
      • Remediation
        • Enable threat case creation
      • Runtime Protection
        • Protect network traffic
    • Web Control
      • Disable Web Control

    Once the features are disabled rebooting the machine will ensure the network extension is not loaded.

    Thank you for all the feedback, it really is appreciated, and we apologize for the inconvenience

  • The new policies to block Sophos from causing a memory leak seem straightforward except under Threat Protection / Remediation there is the option to disable "Enable threat case creation" but the other option is "Automatically clean up malware. See help for exceptions." and not what you said "Protect network traffic."

  • Thanks for the feedback, I've updated the instructions - "protect network traffic" is under "runtime protection"

    • Runtime Protection
      • Protect network traffic