This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos pulling 532MB of memory to run?

Hi there, 

I am trialling Sophos on our small office network (10 PCs). As our machines are quite old and slow, an important requirement for me is performance. This morning I logged onto my machine and noticed absolutely everything was really sluggish. I opened up task manager and found that Sophos was pulling 532MB of memory! I thought, oh, it might just be scanning. So I opened Sophos itself to check, nope nothing told me it was scanning.

I phoned Sophos support. I spoke to a young lady who first diligently took about 10 minutes in trying to get the correct spelling of my email address and company name. After what seemed to be an eternity she answered with "anything up to 1000MB is normal, so 500MB is normal. There's no problem." But my Sophos isn't scanning anything, "its normal" she said.

QUESTION
Is this true? It's normal for Sophos to hang around idly and suck up 500MB of memory?... is that really normal? I really hope its not otherwise Sophos is not at all for me. If it is not normal, can anyone explain by look at task manager what was consuming my resources?

Regards

Michelle



This thread was automatically locked due to age.
Parents
  • My system also pulling 614mb.  This is Sophos Intercept X Advanced. 

    The most heavy services is

    SavService - 290.3

    SSPService - 117

    SophosFileScanner - 110

    HitmanPro.Alert (AKA Intercept X) - 15.85

    It's incredible how heavy this product is.  

    I may just remove the Advanced part that adds Endpoint Protection and use only Intercept X.  

  • Hi Angel,  I like the sound of your idea.

    Can you (or anyone) please explain what you will loose when you switch off “Endpoint Protection”? And in comparison, what does “Intercept X” do?  

    Also, please can you explain to me how you will go about switching Endpoint Protection off?

  • You would need to uninstall product completely. Reboot,  then install only Intercept X.  

    Choose which Endpoint Protection components you'd like to download option for install package.

    This installs only the Intercept X with Deep learning.  

    You will not have Anti-Malware File Scanning.  The signature based Antivirus engine.  

    Think also these items will not be available.

    Data Loss Prevention
    Web Security
    Peripheral Control
    Application Control

    To me the Intercept X only with Deep Learning is sufficient.  

  • Thanks Angel, that’s a big step forward in my understanding. Can anyone verify this for certain please:-

    ANGEL65 said:
     This installs only the Intercept X with Deep learning.  You will not have Anti-Malware File Scanning.  The signature based Antivirus engine.  Think also these items will not be available.

    Data Loss Prevention
    Web Security
    Peripheral Control
    Application Control

    And with InterceptX only then, I take it then I can’t scan my c:\ (for example) for viruses?  

  • You can still scan with Intercept X.  I believe it's using cloud scanner with Deep Learning.

    Here is difference without Advanced Installed on two of my systems. Notice on Advanced Sophos Antivirus uses 291mb + Web Control/Intelligence running.

    Sophos Intercept X feels nice and light when running.  

    Sophos Intercept X

    HitmanPro Alert 1.9mb
    HitmanPro Alert 13mb
    Sophos Clean 2.3mb
    Sophos EDR 1.8
    Sophos Endpoint Defense 67.9
    Sophos Endpoint Defense 6.0
    Sophos Interface 4.3
    Sophos File Scanner 2.8
    Sophos File Scanner 114
    Sophos File Scanner Service 1.9
    Sophos Health Service 2.0
    Sophos MCS Agent 4.6
    Sophos MCS Agent 3.6
    Sophos Network Threat Protection 8.2
    Sophos Safestore 2.5
    Sophos Update 0.9
    Total - 237.7

    Sophos Intercept X Advanced

    HitmanPro Alert 14.6mb
    Sophos Anti Virus 291.5
    Sophos Admin Service 2.0
    Sophos Clean 2.3mb
    Sophos Device Control 1.3
    Sophos EDR 2.7
    Sophos Endpoint Defense 141.1
    Sophos Endpoint Defense 7.1
    Sophos Interface 3.9
    Sophos File Scanner 3.4
    Sophos File Scanner 131
    Sophos File Scanner Service 2.6
    Sophos Health Service 2.4
    Sophos MCS Agent 7.8
    Sophos MCS Agent 4.8
    Sophos Network Threat Protection 10.6
    Sophos Safestore 2.5
    Sophos Update 1
    Sophos Web Control 2.1
    Sophos Web Intelligence 6.6
    Sophos Web Intelligence 12.9
    Sophos Web Intelligence 1.7
    Total 655.9

    Here is link to Specs - https://www.sophos.com/en-us/products/intercept-x/tech-specs.aspx

    I think Intercept X is what Sophos wants product to be in the future,  Advanced is including the old Endpoint Protection "adding the bloat". If you want full coverage,  keep advanced.  If your like me and hardly get malware and want light solution,  Intercept X is the way to go.  

     

  • Thanks Angel, that list is very useful. I took a while to understand this, but after several conversations with Sophos support, I finally have an understanding. 

    Intercept X Advanced
    = Central Endpoint Protection + Intercept X

    Central Endpoint Protection: is the fundamental and traditional malware protection
    InterceptX: provides protection for unknown and ransomware attacks

     

    And finally, all the features:

  • Hello Michelle99 and ANGEL65,

    Endpoint is the security check, Intercept is the sky marshal - albeit with extra powers. To entertain this analogy further he's capable of resuscitating killed passengers and crew members and countermanding damage to the plane. Arguably there's no need for a security check if the marshal is perfect and invincible. And debatably an adversary who can overwhelm the marshal can also outplay the security check.

    At the moment all vendors of a "next-gen protection" claim that it's highly successful in just-in-time detection and if necessary undoing changes and the extra layer of incredibl[y] heavy classic AV seems redundant - especially when you hardly get malware. Essentially classic AV has to sift through an ever-growing database of mugshots. As with all databases performance suffers if the available memory goes below a certain value.

    Malware writes won't give up and we'll likely see the development of new strategies and more resources will be needed to combat them. Memory isn't actually expensive nowadays, pre-execution scanning might still have its merits.

    Christian

  • Hi been following the thread, good stuff, just wanted to chime in.  I  manage a company with multiple workstation groups.  Meaning different software loads on workstations from graphic designers, customer support to data processing.  I have all of Sophos enabled across the board since many of the aspects will work without the other the overall protection is designed to work together and it is best to fully embrace the security if you can.  Every workstation we have is running an i5 with 8GB RAM and a SSD, even with the higher end software taxing the system more, Sophos plus the software still does not max out the system resources above 80%.  Above I had seen discussions to limit Sophos vs upgrading to 8GB RAM and a SSD, although if this is a must I understand but if you can swing it I would recommend upgrading the RAM and SSD, for the most part if you shop around you can do this for under $80.00.  From a risk stand point, cost vs protection this really is a good deal.

     

    Respectfully, 

     

    Badrobot

     

  • Thanks Christian for great explanation.  I wish it was possible to load the antivirus part of of Endpoint without Device Control or Web Filtering.  Webfiltering is done on my small network by Sophos XG appliance.  I would like a little more control on my devices :)

    I think your product Intercept X is fantastic as with all Sophos products.  

    Can you tell me one thing,  if I run Intercept X only,  isn't the Deep Learning Malware scanner (Sophos File Scanner) or Live Protection still using cloud based "Mugshots"?  If yes then why do I need the classic AV installed?  

Reply
  • Thanks Christian for great explanation.  I wish it was possible to load the antivirus part of of Endpoint without Device Control or Web Filtering.  Webfiltering is done on my small network by Sophos XG appliance.  I would like a little more control on my devices :)

    I think your product Intercept X is fantastic as with all Sophos products.  

    Can you tell me one thing,  if I run Intercept X only,  isn't the Deep Learning Malware scanner (Sophos File Scanner) or Live Protection still using cloud based "Mugshots"?  If yes then why do I need the classic AV installed?  

Children
  • Hello ANGEL65,

    it's not my product, I'm not Sophos. I have no experience with the newfangled cloud-based components. I'm also not an expert, at best I'm a mediator. Might have some comments but I value my weekend and With Monday, likely not before midweek.

    Christian

  • Hello ANGEL65,

    again, just my personal opinion.
    why do I need the classic AV
    as said, Intercept X and its siblings are likely not malware's downfall. It is - and always has been - an arms race. In the early days you could easily identify malware by certain "patterns" (i.e. byte sequences) or its checksum (surprisingly the notion that this is more or less what AV software does and needs to do seems to prevail). Malware was rare and most tools could detect you one (family of) malware. This soon became infeasible - checking a diskette with a dozen of different anti-this-or-that was more than impractical - so "universal" tools emerged that used a list of patterns and checksums. Malware started to modify the checksum of its copies and to hide telltale strings or byte sequences. Thus the task became more complex for the scanners. The next step for malware was polymorphism and server-side polymorphism. As similar techniques are used by legitimate software (e.g. to protect "intellectual property") the risk of false positives increased. Naturally it's more and more appealing to wait for the malware to reveal itself and catch it just before it will cause harm.
    Nevertheless the detection rate of classic AV is still very good: So why not also preventing malware from running or even to get downloaded instead of only waiting for it to exhibit malicious behaviour? cloud based "Mugshots" work if you use them infrequently - or you cache them, IMO they aren't a replacement for a local database. Live Protection is an extra lookup to get the latest information in special cases.
    Even if I no longer need Classic I'd prefer to have two independent layers. BTW - why are you running full scans? Is such a scan (whether classic or cutting-edge) really necessary? What extra protection could you get from it?

    Christian

  • Christian,  thanks for your input.  You seem to be very helpful in this forum :)

    I only run full scan weekly.  Just to double check during off peak hours.   But I have settled on my Sophos Intercept X with Advanced.  Seems to be running nicely and it has great protection.  I have plenty of RAM so I shouldn't worry about it's usage.  Only things I have disabled is web protection "Using Sophos XG" and HIPS.  Feel like HIPS slows down my PC a bit.  Hitmanpro.alert should catch most of the behavior stuff.

    Would you be able to tell me if Windows built in Exploit protection still needs to be turned on?  Intercept X Seems to do all that.  Was reading this document..

      https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-intercept-x-dsna.pdf

    Windows has Most of the Exploit Prevention built in.  So isn't both running doing the same checks?

    Enforce Data Execution Prevention

    Mandatory Address Space Layout Randomization

    Bottom-up ASLR

    SEHOP

  • Hello ANGEL65,

    Would you be able to tell me
    I'm afraid, no. I'm not using Intercept X. As I'm not aware of any recommendations I suppose you should simply leave the Windows settings alone.
    But perhaps someone with real knowledge will answer.

    Christian