Computers very slow to open desktop after Enpoint installed (Windows 10)

Hi Julian Cast,

Do you see this slowness issue while booting the computer for the first time or after sleep/ hibernation? Also, do you see any specific task consuming high memory usage?

Also, Checking the startup entries and boot log might shed some more light on this.

Hi,

i disabled the tamper and now i can change Sophos MCS to delayed start but nothing change during the starting of computer.

The difference after the installation of Sophos Endpoint (linked to the central) is big ,when you have the Welcome message of Windows, we can wait 30 secondes (normally, 5 secondes - 10 secondes).

And for your information, we use intercept  X, Encryption. The full services :)

Thank you

Hello, what version of Sophos Intercept X are you running? 2.0.5?

Also, I made these suggestions in another thread to help narrow it down:

---

A useful and very quick test would be to make a drive exclusion for simply:

C:

So under the "Threat Protection" policy for the computer you're testing with set it as follows:

Note: it says (DRIVE).

If you remove scanning load do times improve? At least this way you know it's not just the weight of the services, the SAVService, loading virus data, etc...

You can check the exclusion has made it in a few places at the endpoint but the value OnAccessExcludeFilePaths under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\ 
is probably the easiest.

If it does help then in theory an exclusion or two might suffice to restore speed.  If nothing else it would be useful info to help further understand the issue.

If it doesn't help, disable the scanning of remote files.
If it still doesn't help disable Tamper Protection for the computer in policy.

These 3 tests help a lot to understand the nature of the issue.

My next test if excluding C: helps, would be try a directory exclusion for say:

C:\windows\

This will cover busy directories as system32, syswow64, WinSxS, Microsoft.NET, etc... and would also be useful.

At that point it might be worth capturing just a boot Process Monitor log with a destructive filter (to improve performance and reduce the log size) for file operations on in C:\windows\.  Once collected, add the Duration column and maybe filter to just readfile, writefile operations.

From there it might narrow it down further.  This would be a fast way to troubleshoot the issue.

Hello, what version of Sophos Intercept X are you running? 2.0.5?

Also, I made these suggestions in another thread to help narrow it down:

---

A useful and very quick test would be to make a drive exclusion for simply:

C:

So under the "Threat Protection" policy for the computer you're testing with set it as follows:

Note: it says (DRIVE).

If you remove scanning load do times improve? At least this way you know it's not just the weight of the services, the SAVService, loading virus data, etc...

You can check the exclusion has made it in a few places at the endpoint but the value OnAccessExcludeFilePaths under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\ 
is probably the easiest.

If it does help then in theory an exclusion or two might suffice to restore speed.  If nothing else it would be useful info to help further understand the issue.

If it doesn't help, disable the scanning of remote files.
If it still doesn't help disable Tamper Protection for the computer in policy.

These 3 tests help a lot to understand the nature of the issue.

My next test if excluding C: helps, would be try a directory exclusion for say:

C:\windows\

This will cover busy directories as system32, syswow64, WinSxS, Microsoft.NET, etc... and would also be useful.

At that point it might be worth capturing just a boot Process Monitor log with a destructive filter (to improve performance and reduce the log size) for file operations on in C:\windows\.  Once collected, add the Duration column and maybe filter to just readfile, writefile operations.

From there it might narrow it down further.  This would be a fast way to troubleshoot the issue.

Hello,

for the version : 

I try it and keep you inform ! Thank you :)

Re:

I made several test to be more clear :

Normal starting with all services : 31'' to see the desktop after the credential.

Test 1: All disabled in Threat Protection (Added C: to exclusion, disabled remote files , etc) : 31''

Test 2 : All disabled in Web, Application control and peripheral control : 31''

Test 3 : Intercept X disabled : 13 ' !

But we buy and we need intercept X. Is there a solution to increase the startup with it activated? 

Thank you ! :)

I found this : community.sophos.com/.../sophos-endpoint-intercept-x-2-0-impacting-performance---slow

I found this thread. It will be fixed in the next update, good news! But normally this update (Intercept X 2.0.4) is released this month but we are the 31 th :). Is it for the following hours/minutes?? :)

I have 2.0.5.  I think 2.0.5 was re-released shortly after the release of 2.0.4 with a fix making the next version you'll get being 2.0.5.  I'm guessing that may have delayed the roll-out of 2.0.4 to all groups.

I therefore expect you will get 2.0.5 soon.  You could contact Support and be asked to move to a different rollout group if you want the latest version sooner but it should be within a week or two assuming there are no other issues found when rolling 2.0.5 out to more customers.

Regards,
Jak

With the last version 2.0.5, the slow issue is totally fixed? 

I'm sure there are many machine specific reasons why a computer could be slower to start when you add security software.  Clearly one or more reasons have been identified and a change made to 2.0.4/2.0.5.  I'm sure the changes will help and they maybe totally fix your issue but there is a chance there is also another cause for slowness.  I would say the best thing to do at this stage is await 2.0.5 and then re-asses at that point.