Hello Sophos Community,
My name is David Lorenz and I am an IT service provider with many customers. Our customers use Windows Server 2016 and 2019 as virtual VMware machines.
They use Intercept X Advanced with XDR for Server or Intercept X Essentials.
Monthly we install Windows Updates on our customers' servers. The problem is that the installation takes so much time because of running Sophos services with extremely high CPU usage during the Windows Update installation process.
That's the policy configuration:
Do you have an idea what we can do for our customers? Many thanks in advance.
PS. I have already researched on the internet.
I just ended my shift and currently don't have access to a Windows 2016 server. Here's my first suggestion/example:
Exclude Wsusscan.cab and Wsusscn2.cab via file exclusion:
-> it means…
We have experienced the same behaviour for some months.
All our 200+ Windows servers are CPU dead when installing Windows updates due to Sophos processes consuming all the CPU.
So without Sophos a monthly Windows update install takes between 30 min and 40 min; with Sophos it takes more than 2 hours.
We did the exclusions suggested; it doesn't change anything.
Do you guys have a solution for this?
Do you know if it's due to journal recording for the features that require it?
High CPU while running Windows Updates - Discussions - Intercept X Endpoint - Sophos Community
Does that explain it if you can compare a computer with journal recording on and off applying the next update?
I did that on a test server; it doesn't seem to put the values to 0, strange.
Can you check the MCSClient.log to ensure the server is "talking" to Sophos Central OK:
C:\ProgramData\Sophos\Management Communication System\Endpoint\Logs\
I did restart the server; all but the RCA are at 0. I can test then?
I have 2 servers which are exactly the same, one with and one without the policy; I can then launch Windows Update on both at the same time.
They all need to be 0 for journal recording to be off.
Did you turn off threat graph creation?
For sure I didn't, damn.
The tests are in progress, will let you know how it goes, thanks.
So here are the facts:
3 VMs, all with 2 vCPUs, same RAM, same disk speed.
For all 3 I installed the Win2019 June security update.
Server 1 with core & fim at 1 -> 79 min to update
Server 2 with only rca at 1 -> 53 min to update
Server 3 with all at 0 -> 49 min to update
So it seems there's clearly something here?
Can I turn that off for both servers and WS, in your opinion?
Trying one wn with core at 1 and FIM at 0:
41 min to update
So it seems FIM is the source of the issue here. Is it safe to disable this, in your opinion?
Or maybe it is possible to exclude something from the FIM for the Windows Update sequence?
FIM is all about creating an audit of what is changing on the computer, it might be worth a look at:
If you're not really making use of the exported data it probably isn't something you need.