
Windows updates & Sophos Endpoint

Apologies if this is a duplicate, but I could not find anything via the search.

I was after the steps other admins use when installing monthly Windows updates on servers running Sophos Endpoint. Although the updates install as expected, CPU usage is always very high, with a battle between MS & Sophos. Installation seems to take a lot longer than without Sophos.

Also, when installing Endpoint on a live production server, is it necessary to reboot in order to get everything working as expected?

Any help on the above would be greatly appreciated.



  • When you install Sophos on the computer from fresh, everything is installed but existing processes may not be fully protected, hence the requirement to ideally restart to get the best protection.

    For example, the HitmanPro component has a driver, hmpalert.sys. This driver injects the DLL hmpalert.dll into processes as they start, for the exploit mitigation protection functionality (not the anti-ransomware CryptoGuard component, as that work is done in the driver). As a result, after you install, the existing processes aren't protected until they restart. Many processes therefore remain unprotected by this feature until the computer is restarted. The suggestion has to be to ideally restart.

    As for Windows updates taking longer, I assume you have journal data recording? You only need one of the following features enabled for journal data recording to be happening: XDR/RCA/FIM. In which case, all "changes" are recorded to the journals. During a Windows update there is a lot of change taking place, e.g. reg keys, files, etc. Sophos is having to record all these changes, which can be quite intensive. Then you have the work the SEDService.exe does to compress this new data to the xz files, which happens every 5 minutes. If you have the data lake data going up to the cloud, the scheduled queries will be creating more data than normal at this time. It seems hard work to orchestrate disabling features during an update window, so other than more RAM/CPU, I guess there isn't much that can be done.

    I often see virtual computers provisioned with 4GB RAM and maybe 1 or 2 cores. This might be just about fine for the role of the server, but then you add Sophos, which is essentially recording everything that happens on the device and running reports on this data constantly, and it just needs more resources. At least an extra 1GB of RAM and another core, so it can go about its normal role with something taking notes as it goes. At least that's how I imagine it.
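One way to verify the point above about processes started before the install, as an added PowerShell example that is not from the thread or from Sophos: it lists which running processes have hmpalert.dll loaded and which do not, so an admin can see what a reboot would cover. It assumes an elevated 64-bit PowerShell session on a host where Sophos Endpoint is installed; the function name Get-HmpAlertCoverage is invented for this example.

```powershell
# Added example, not from the thread: report which running processes have the
# HitmanPro exploit-mitigation DLL (hmpalert.dll, named in the post) loaded.
# Processes started before Sophos was installed will not have it until they
# restart, so the "NotLoaded" list is what a reboot (or service restart) clears.
# Assumptions: elevated 64-bit PowerShell on a server with Sophos Endpoint.
# Module enumeration is denied for some protected/system processes; those are
# reported separately rather than counted as unprotected.
function Get-HmpAlertCoverage {
    param([string]$DllName = 'hmpalert.dll')

    $result = [ordered]@{ Loaded = @(); NotLoaded = @(); Unreadable = @() }

    foreach ($p in Get-Process) {
        try {
            # Reading .Modules throws (access denied) for some processes; caught below.
            $names = @($p.Modules | ForEach-Object { $_.ModuleName })
            if ($names -contains $DllName) {   # -contains is case-insensitive
                $result.Loaded += $p
            } else {
                $result.NotLoaded += $p
            }
        } catch {
            $result.Unreadable += $p
        }
    }
    return $result
}

$coverage = Get-HmpAlertCoverage
"{0} processes have hmpalert.dll loaded, {1} do not, {2} could not be inspected" -f `
    $coverage.Loaded.Count, $coverage.NotLoaded.Count, $coverage.Unreadable.Count

# Long-running processes without the DLL are the ones a restart would cover;
# sort by start time so the oldest (typically services) appear first.
$coverage.NotLoaded |
    Sort-Object StartTime |
    Select-Object Id, ProcessName, StartTime, Path |
    Format-Table -AutoSize
```

Run it once after installing Sophos and again after the reboot; the NotLoaded list should shrink to only the processes that cannot be inspected or that the driver deliberately does not inject into.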
