
CPU Load very high when doing medium to high bandwidth downloads

Hello,

we noticed very high CPU load when downloading files from the internet and doing speed tests with medium (50-150 MBit/s) and high (150-300 MBit/s) bandwidth.

On a server we saw the "Web Intelligence Service" going mad (50%) and on a client we saw Sophos net filter consuming a huge amount of CPU (15%-40%). This slows down the operation of the computer.

Is there anything that can be done about this? What is the reason for the different behaviour on Servers and Clients?

Below 50 MBit/s the system behaves well ...

Regards,
BF



  • It appears your servers and endpoints are running different versions. Possibly not totally unexpected as the new architecture version is still being rolled out to customers but I would have thought if these computers are managed by the same Sophos Central account then if your account is set to get the new, both servers and clients would have it.

    That being said, Early Access Program clients would have the new architecture. Did the computer with SophosNetFilter.exe belong to the EAP? Maybe if you've enabled controlled updates on servers they are yet to get it?

    In any case, the Sophos Web Intelligence components are part of the SAV component, which is removed as part of the new architecture (see "Sophos Intercept X for Windows: Product architecture changes"). So any problems with Sophos Web Intelligence will be gone soon.

    If web protection or control is enabled, with the new architecture you will have a SophosNetFilter.exe process; the old SAV component had swi_fc.exe performing endpoint web filtering. So you can use this as one method to determine if the new or old web protection/control is in use.

    • New (SophosNetFilter.exe)
    • Old (swi_fc.exe)

    The new version has HTTPS inspection; the old didn't. Is that on in policy? That might explain it.

    You can check at the "client" in the registry:

    On:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection
    https_decrypt_enabled = 1 

    Off:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection
    https_decrypt_enabled = 0

    Where the revision value is referenced from the latest value under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection
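
The check described in the reply above, as an added PowerShell example (not part of the original thread and not Sophos code). It reports which of the two filtering processes is running and reads `https_decrypt_enabled` from the policy key. Reading the revision from a value named `latest` is an assumption based on the post's wording; if that value is absent, every revision subkey is reported instead.

```powershell
# Added example: which Sophos web-filtering component is running, and is
# HTTPS decryption enabled in the applied Threat Protection policy?
$base = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

# Process names from the post: SophosNetFilter.exe (new), swi_fc.exe (old).
$running = foreach ($name in 'SophosNetFilter', 'swi_fc') {
    if (Get-Process -Name $name -ErrorAction SilentlyContinue) { $name }
}
if (-not $running) { $running = 'none found' }
Write-Output "Web filtering process(es) running: $($running -join ', ')"

if (-not (Test-Path $base)) {
    Write-Output "Policy key not present: $base"
    return
}

# ASSUMPTION: the current revision name is held in a value called 'latest'
# directly under the ThreatProtection key.
$latest = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).latest

$revisions = if ($latest) {
    @($latest)
} else {
    # Fallback: no 'latest' value found, so inspect every revision subkey.
    Get-ChildItem -Path $base | ForEach-Object { $_.PSChildName }
}

foreach ($rev in $revisions) {
    $key = "$base\$rev\web_protection"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).https_decrypt_enabled
    $state = switch ($val) {
        1       { 'On' }
        0       { 'Off' }
        default { 'not set' }
    }
    [pscustomobject]@{
        Revision     = $rev
        HttpsDecrypt = $state
        RawValue     = $val
    }
}
```

Running it on both the server and the client shows whether the two machines differ in architecture, in HTTPS decryption policy, or both.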
