Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 14 subscribers
  • Views 2678 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

High CPU while running Windows Updates

Chandra Chase

We have noticed that while running Windows Updates we have extremely high cpu usage.  It is affecting performance of our servers and workstations.  Is there anything  we can do to avoid this?  We have Sophos Intercept X.  Windows 10.  Server 2012, 2016, 2022. 



This thread was automatically locked due to age.
Parents
  • 0

    Do you have XDR?

    Is the option "Enable Threat Graph creation" in the Threat Protection policy enabled

    What are the values of the Enable DWORD under the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

    For Servers:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\FIM

    I would assume it could be the journal recording.  Are you able to revert and repro the issue, if so, it might be worth performing a test with journal recording enabled to see if that is the cause.

  • 0 in reply to Sophos User930

    We do not have XDR.


    We do have Threat Graph Creation enabled.

    Are you asking me to disable the Threat Graph Creation to see if that fixes it?

  • 0 in reply to Chandra Chase

    Does that mean Enable is set under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE

    and

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

    If you disable Threat Graph Creation, that should set the value under RCA to 0

    If CORE is set to 1, under the Advanced settings of the Threat Protection policy, there is a "Turn on event logging", if you disable that, the value under CORE will be set to 0.

    Are you able to test a Windows Update with that config, that would prove the slowdown is due to journal recording at least.

  • 0 in reply to Sophos User930

    I Disabled Threat Graph Creation, which made the registry settings.

    CORE - 1

    EDR - 0

    FIM - 1

    RCA - 0

    I am not able to click on the View Advanced Settings where the "Turn on event logging" may be.

  • 0 in reply to Chandra Chase



    FIM is controlled by this policy:

    Toggling this will change the FIM - enable to 1 or 0.  For the test, can you disable it.

    --

    For the advanced setting to be available to change, you have to uncheck this above in the policy:

    This will change the CORE.

    --

    I would suggest creating sperate FIM and Threat Protection policies and link a test server to them to save all servers getting this test policy.

Reply
  • 0 in reply to Chandra Chase



    FIM is controlled by this policy:

    Toggling this will change the FIM - enable to 1 or 0.  For the test, can you disable it.

    --

    For the advanced setting to be available to change, you have to uncheck this above in the policy:

    This will change the CORE.

    --

    I would suggest creating sperate FIM and Threat Protection policies and link a test server to them to save all servers getting this test policy.

Children
No Data
Unfiltered HTML