High CPU Usage on Windows Server while Windows Update installing

Hello

We experience the same bahaviour since some months

All our 200+ windows servers are cpu dead when installing windows update due to sophos processes consuming all the cpu

So without sophos a monthly windows install takes between 30min and 40 min , with sophos it takes more than 2 hours

We did the exclusions suggested, it doesn't change anything.

Do you guys have a solution for this?

Tx

Do you know if it's due to journal recording for the features that require it?

High CPU while running Windows Updates - Discussions - Intercept X Endpoint - Sophos Community

Does that explain it if you can compare a computer with journal recording on and off applying the next update?

I've no idea, but i'll take a look tx

So the journalising key are the following

CORE enable at 1

EDR enable at 0

FIM enable at 1

RCA enable at 0

What do you suggest? put all at 0? is there something i can do from the console sophos?

Tx

There is a file integrity policy, If you create a new one of those and assign just a test computer to it and disable it.  When the client gets the policy it will change the FIM value to 0.

As for CORE, you could do the same with a threat protection policy, i.e. create a new Threat Protection policy and link the test server.  If you edit that policy, there is an advanced section.  If you expand that there is Event logging option.  If you disable that, when the computer gets the policy, the CORE value will set to 0.

At this point all 4 should be 0 and journal recording will be off.  If you can test an update for performance in this scenario it would be interesting. 

There is a file integrity policy, If you create a new one of those and assign just a test computer to it and disable it.  When the client gets the policy it will change the FIM value to 0.

As for CORE, you could do the same with a threat protection policy, i.e. create a new Threat Protection policy and link the test server.  If you edit that policy, there is an advanced section.  If you expand that there is Event logging option.  If you disable that, when the computer gets the policy, the CORE value will set to 0.

At this point all 4 should be 0 and journal recording will be off.  If you can test an update for performance in this scenario it would be interesting. 

Thank you

Can't i just get one machine and put all the 4 manually and directly update? You think it will be changed directly by the policy?

if you make 2 test policies and link them to the test server it will get those settings in less than 1 minute.

i'll do that in 10, let you know how it goes

i did that to a test server, it doesn't seems to put the values to 0, strange

Can you check the MCSClient.log to ensure the server is "talking" to Sophos Central OK:

• C:\ProgramData\Sophos\Management Communication System\Endpoint\Logs\

i did restart the server, all but the RCA is at 0, i can test then?

I have 2 servers which are exactly the same, one with and one without the policy, i can then launchr sur wupdate at the same time

They all need to be 0 for journal recording to be off.

did you turn off threat graph creation?

for sure i didn't, damned

the test are in progress, will let you know how it goes, tx

So here's the facts

3 vm, all with 2 vcpu, same ram, same disk speed

for the 3 i installed the win2019 june security update

Server 1 with core & fim at 1 -> 79 min to update

Server 2 with only rca at 1 -> 53 min to update

Server 3 with all at 0 -> 49 min to update

So it seems there's clearly something here?

Can i turn that off for both servers and ws at your opinion?

Tx