Hello Sophos Community,
My name is David Lorenz and I am an IT service provider with many customers. Our customers use Windows Server 2016 and 2019 as virtual VMware machines.
They use Intercept X Advanced with XDR for Server or Intercept X Essentials.
Monthly we install Windows Updates on our customers' servers. The problem is that the installation needs so much time because of running Sophos services with extremely high CPU usage during the Windows Update installation process.
That's the policy configuration:
Do you have an idea what we can do for our customers? Many thanks in advance.
PS. I have already researched on the internet.
Hi David,
I just ended my shift and currently don't have access to a Windows 2016 server. Here's my first suggestion/example:
Exclude Wsusscan.cab and Wsusscn2.cab via file exclusion:
-> it means…
Please open this link:
support.sophos.com/.../KB-000033519
-> check the "Windows Server Update Services (WSUS)" part of the KB, have you tried the recommended exclusions already?
Regards,
Fernan Tutor
If this post solves your question, please use the "Verify Answer" button.
Hi Fernan,
Thank you for your help. I don't understand what I have to do with the Wsusscn2.cab. How do I have to add this exclusion?
I hope you can help me with that. The Microsoft article is not exactly helpful :) ...
Thanks in advance.
-> It means Sophos won't scan any files named Wsusscan.cab and Wsusscn2.cab anymore. You can do this in your Sophos Central > Global Settings > Global Exclusion OR by going to Server Protection > Policies > Threat Protection policy.
The other thing I highly recommend is to search where those 2 files are located, then put a scanning exclusion on their location.
Example: if the files are inside the C:\test folder
Then do the exclusion like this in the files and folders exclusion: C:\test\
Okay. I would have done this exactly the same way and I will test this next time. Thank you.
It will be interesting to see the new architecture version of the endpoint on the computer, i.e. the version without SAV and therefore savservice.exe. You can opt into the EAP on a computer to get it and see how that behaves.
If you create a new trial, you get the new version by default, and it's slowly rolling out to everyone.
support.sophos.com/.../KB-000043550
Hello Sophos User930,
Thank you for your answer. We will test this in the next weeks.
Are the servers in lockdown mode?
Hello LHerzog,
No. We don't use the lockdown feature.
Do you have another idea?
Unfortunately not.
Updates on Server 2016 have always been painfully slow.
We're also seeing load caused by Sophos during updates but did not find it problematic so far. We have no special exclusions for the WU files. Settings are the same as yours. Using Server 2012R2-2022 OS.