This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

endpoint security on Linux servers causes CPU to spike and application to crash on every update

Has anyone else had problems recently with Linux servers (specifically Amazon Linux 2 EC2 instances running at AWS) having massive CPU spikes on ever SAV update?

We've had multiple production systems fail multiple times a week due to this problem -- it only started in the last month or so though.  We've been using SAV on these instances for years without a problem.

I've tried calling/opening an issue with Support ... but apparently all Sophos engineers are on vacation or something as no one has gotten back to me and the tech-support number for critical issues keeps hanging up on me.   Since I can't get any official support (despite being a 10+ year corporate customer), I hoped someone else in the community might have some insight into this cpu spike problem.

thanks

SAV update occurred at ~12:00pm  ... as you can see our monitoring agent stopped sending data during the spike ... needless to say, this sort of spike causes problems for the application running on the instance as well.   We shouldn't be getting DoS'd by our antivirus software :(



This thread was automatically locked due to age.
  • Hello, 

    Thank you for reaching out to the Sophos Community. 

    If you already have a support case opened with our team, is it possible for you to provide me with the Case ID? If there is logging information already available within the case, I can take a look to investigate further and provide feedback via the support case or on this thread. 

    Let me know if there were any significant changes in terms of what is installed on these Linux systems around the time that this issue became more prevalent, as this could also affect things. 

    An immediate step you could take is to leverage the use of "Controlled Updates" so that you can define when your Linux environment is permitted to update, this way any unexpected interruptions will not occur during business hours. 
    docs.sophos.com/.../server_ControlledUpdates.html

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • thanks for the response.  At the time I wrote the above message, I didn't HAVE a Case ID because I was unable to contact support either by phone or through the portal (I STILL can't use the support portal for some inane reason).   it seems it's now been assigned 04437859.

    And no, there have been no significant changes to what we're running on the affected instances.   The "controlled updates" option is an unacceptable solution -- in part because these systems are processing data 24/7 so there's no such thing as not "during business hours".   And secondly, for security compliance purposes, I need the antivirus software on these servers to be kept up to date.   If I had the option, I'd just get rid of Sophos all together because it's causing me so many headaches... and that may very well be our long-term solution.  But for the moment, I'm stuck with this product, so I'd like to figure out why it's broken this time.

  • Hello,

    Thank you for providing the case ID. I was able to look into the case and found some errors in the talpaselect.log. I suspect as the Kernel running on the AWS EC2 instance is not covered by the pre-compiled talpa binary packs for on-access scanning, you may need to locally compile this. 

    If you were looking to take immediate steps to resolve this, the following KBA can be used. I have also left some notes within the support case that may aid in allowing this process to occur automatically. 
    https://support.sophos.com/support/s/article/KB-000033330?language=en_US

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids