
Memory Leak in Server 2008R2/2012R2/2016

We have identified a slow memory leak on servers that have Sophos installed. We have used Task Manager, ProcMon, Process Explorer, VMMap and RamMap to try to isolate and identify the process(es) consuming the nonpaged pool of memory. So far our diagnostics have not given us any indication at all about what is consuming and not releasing the nonpaged pool.

 

We have restarted all Sophos processes that can be restarted and it did not free up any of the nonpaged pool.  Three Sophos processes are unable to be restarted (access denied), so we have no way to tell if they are holding on to the nonpaged pool.

 

We have turned off tamper protection in Sophos and disabled all features and it did not free up any of the nonpaged pool.

 

Five identical servers had Sophos installed and were having issues with the memory leak.  We removed Sophos from one server and it is functioning normally now, while the other 4 continue to have the issue.  We have done the same thing with two other pairs of identical servers and we have had identical results.  Removing Sophos clears up the slow memory leak.  Installing Sophos on the servers causes the memory leak to return.

 

On servers that become non-responsive due to the memory leak, the only solution has been to do a hard-reboot, which clears the nonpaged pool until the leak fills it back up again.

When viewing Task Manager, the memory consumed by the list of processes does not add up to the total memory usage. The culprit is the massive amount of Nonpaged Kernel Memory that is being consumed.

 

These servers are running the latest version of Sophos.

 



This thread was automatically locked due to age.
  • Hi Gowtham,

    Thanks for that. Unfortunately, I don't have that item listed. This is a server running Server Protection Advanced. Does this particular memory leak issue affect Server Protection, or is it limited to Endpoint Protection? I ask as I'm still waiting for support to provide me with an answer as to whether the issue I'm seeing is an occurrence of WINEP-11590 or a different issue. If it doesn't apply to servers, then at least I know I'm looking at something different in my case.

    Many thanks,

    Dan
