We have been using Sophos Intercept X Advanced with MTR for about 6 weeks. Since then, our bandwidth has dropped 90%. We use a gigabit internet connection and have previously achieved the following values in a speed test in the browser: Down: 900MB/s Up: 800MB/s
Now, if we're lucky, we'll get Down: 60MB/s Up: 300MB/s.
We found out that it is due to the following settings:
If these settings are deactivated, we have full bandwidth when surfing again. But we don't want to leave them disabled.
This is not a condition, the support from Sophos is not getting anywhere either. We expected more... Here are the screenshots from the speed test: deactivated settings: activated settings:
Assuming all features are initially enabled, if you disable in the client UI the option: "Network Threat Protection":
...the SophosIPS.exe and SophosNetFilter.exe processes, which are child processes of the "Sophos Network Threat Protection" service as shown below, exit:
If you disable "Internet" AND "Web Control" at the client with "Network Threat Protection":
The "SophosNetFilter.exe" process exits but the SophosIPS.exe process continues (assuming IPS is enabled in policy).
I guess I'm trying to say that disabling "Network Threat Protection" performs the same action as disabling "Internet" and "Web Control".
I suspect your problem goes away when the SophosNetFilter.exe process exits?
This can be achieved by either disabling "Web Control" AND "Internet" OR disabling "Network Threat Protection".
Can you confirm that only disabling "Web Control" and "Internet" is required?
The next question is, do you have HTTPS inspection enabled? Is https_decrypt_enabled under:
set to 1 or 0?
If you disable decryption in policy from Central does the speed return?
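To record which of the states described in the reply above a client is in while a speed test runs, the following PowerShell check can be used. It is an added example, not part of the original post and not Sophos code; it assumes the service's display name is exactly the "Sophos Network Threat Protection" text quoted in the thread, and the function names are hypothetical.

```powershell
# Added example, not Sophos code. Maps the process state described in the
# reply above to the feature state that reply says it implies.
# Assumption: the service display name is exactly the text quoted in the thread.
$ServiceDisplayName = 'Sophos Network Threat Protection'
$Expected = 'SophosIPS.exe', 'SophosNetFilter.exe'

function Get-NtpChildProcess {
    # Find the service's host process, then keep only its direct children.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return @() }   # service missing or stopped
    Get-CimInstance -ClassName Win32_Process -Filter "ParentProcessId=$($svc.ProcessId)" |
        Where-Object { $Expected -contains $_.Name }
}

function Get-NtpFeatureState {
    param([string[]]$RunningNames)
    $ips       = $RunningNames -contains 'SophosIPS.exe'
    $netFilter = $RunningNames -contains 'SophosNetFilter.exe'
    if ($ips -and $netFilter) {
        return 'Both running: nothing disabled at the client'
    }
    if ($ips) {
        return 'SophosNetFilter.exe exited: "Internet" and "Web Control" disabled, IPS still active'
    }
    if (-not $netFilter) {
        return 'Both exited: "Network Threat Protection" disabled or service not running'
    }
    # The reply only covers the case where IPS is enabled in policy.
    return 'Only SophosNetFilter.exe running: not covered in the thread'
}

$children = @(Get-NtpChildProcess)
$children | Select-Object Name, ProcessId, ParentProcessId, CreationDate | Format-Table -AutoSize

# One timestamped line per run, so it can be logged next to each speed test result.
$state = Get-NtpFeatureState -RunningNames @($children | ForEach-Object Name)
'{0:s}  {1}' -f (Get-Date), $state
```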
I can confirm that deactivating Web Control + Internet improves download and upload speed. HTTPS encryption is disabled by default.
For a given site that is noticeably slower with the features enabled, out of interest, does it help to exclude the domain(s) as website type exclusions in either the global exclusions or in a specific threat protection policy? This would also narrow things down.
Exclusions of, for example, nperf.com make no difference. But you're right with this: "Web Control" AND "Internet" OR disabling "Network Threat Protection". If we deactivate only Network Threat Protection we have full speed.
I cannot imagine that we are the first customer with this problem. We have quite a few applications running through a browser; if we don't fix this we'll have to consider a return from Sophos.
Yes. That’s what I expected. Web protection and control are sub-features of the Network Threat Protection component. If you disable the parent it disables the child features. So you should equally be able to leave Network Threat Protection enabled and just disable web protection and control to restore speed.
Interesting about the exclusions. I suppose that suggests the overhead is not scanning or lookups but the change in process flow.
Disabling it is not a solution, as employees will then no longer be warned about malicious websites.
I’m not suggesting that. Just trying to narrow down the specific feature within the NTP component. I think this is one for Support/Dev.