CPU Load very high when doing medium to high bandwidth downloads

Hello,

We noticed very high CPU load when downloading files from the internet and doing speed tests with medium (50-150 MBit/s) and high (150-300 MBit/s) bandwidth.

On a server we saw the "Web Intelligence Service" going mad (50%) and on a client we saw Sophos Net Filter consuming a huge amount of CPU (15%-40%). This slows down the operation of the computer.

Is there anything that can be done about this? What is the reason for the different behaviour on Servers and Clients?

Below 50 MBit/s the system behaves well ...

Regards,
BF

  • It appears your servers and endpoints are running different versions. Possibly not totally unexpected as the new architecture version is still being rolled out to customers but I would have thought if these computers are managed by the same Sophos Central account then if your account is set to get the new, both servers and clients would have it.

    That being said, Early Access Program clients would have the new architecture. Did the computer with SophosNetFilter.exe belong to the EAP? Maybe if you've enabled controlled updates on servers they are yet to get it?

    In any case, the Sophos Web Intelligence components are part of the SAV component which is removed as part of the new architecture (see "Sophos Intercept X for Windows: Product architecture changes"). So any problems with Sophos Web Intelligence will be gone soon.

    If web protection or control is enabled, with the new architecture you will have a SophosNetFilter.exe process; the old SAV component had swi_fc.exe performing endpoint web filtering, so you can use this as one method to determine if the new or old web protection/control is in use.

    • New (SophosNetFilter.exe)
    • Old (swi_fc.exe)

    The new version has HTTPS inspection, the old didn't. Is that on in policy? That might explain it.

    You can check at the "client" in the registry:

    On:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection
    https_decrypt_enabled = 1 

    Off:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection
    https_decrypt_enabled = 0

    Where the revision value is referenced from the latest value under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection
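
The two checks described in the reply above (which web filtering process is running, and whether HTTPS decryption is on in the current policy revision), scripted in PowerShell as an added example that is not part of the original thread or Sophos's own tooling. It assumes that a registry value named `latest` under the ThreatProtection key holds the name of the current `[revision]` subkey; the function names are hypothetical.

```powershell
# Added example. Reports the web filtering generation in use and the
# https_decrypt_enabled setting of the current Threat Protection policy.
# Assumption: a value named "latest" under the ThreatProtection key holds
# the name of the current [revision] subkey.

$policyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

function Get-SophosWebFilterGeneration {
    # Process names as given in the thread: new = SophosNetFilter, old = swi_fc
    $procs = Get-Process -Name 'SophosNetFilter', 'swi_fc' -ErrorAction SilentlyContinue
    $names = @($procs | Select-Object -ExpandProperty ProcessName -Unique)
    if ($names -contains 'SophosNetFilter') { return 'New (SophosNetFilter.exe)' }
    if ($names -contains 'swi_fc')          { return 'Old (swi_fc.exe)' }
    return 'No web filtering process found'
}

function Get-SophosHttpsDecryptState {
    param([string]$Root = $policyRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        return 'ThreatProtection policy key not present'
    }
    # Resolve the current revision name from the "latest" value (assumption).
    $revision = (Get-ItemProperty -LiteralPath $Root -Name 'latest' -ErrorAction SilentlyContinue).latest
    if (-not $revision) {
        return 'No "latest" value found; inspect the revision subkeys manually'
    }
    $webKey = Join-Path (Join-Path $Root $revision) 'web_protection'
    $value = (Get-ItemProperty -LiteralPath $webKey -Name 'https_decrypt_enabled' -ErrorAction SilentlyContinue).https_decrypt_enabled
    if ($null -eq $value) { return "Not set under revision $revision" }
    if ($value -eq 1)     { return 'On' }
    if ($value -eq 0)     { return 'Off' }
    return "Unexpected value: $value"
}

# One summary row per machine, suitable for comparing servers and clients.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    WebFilter    = Get-SophosWebFilterGeneration
    HttpsDecrypt = Get-SophosHttpsDecryptState
}
```

Running it on one affected server and one affected client gives a side-by-side view of the two differences the reply points to.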

  • Have the same problem.

    Three customers with new Agent (2.20.13) and the CPU Load exploded.
    All are using either terminal servers or virtual desktops.

    Opened a support call, waiting for ideas.

    -----------------------------------
    UTM Certified Engineer
    XG Certified Architect
    Central Certified Architect

    Sophos Gold Partner