We have noticed that while running Windows Updates we have extremely high cpu usage. It is affecting performance of our servers and workstations. Is there anything we can do to avoid this? We have Sophos Intercept X. Windows 10. Server 2012, 2016, 2022.
Do you have XDR?
Is the option "Enable Threat Graph creation" in the Threat Protection policy enabled? What are the values of the Enable DWORD under the following:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\COREHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA
For Servers:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\FIM
I would assume it could be the journal recording. Are you able to revert and repro the issue, if so, it might be worth performing a test with journal recording enabled to see if that is the cause.
We do not have XDR.
We do have Threat Graph Creation enabled.
Are you asking me to disable the Threat Graph Creation to see if that fixes it?
Does that mean Enable is set under:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE
If you disable Threat Graph Creation, that should set the value under RCA to 0
If CORE is set to 1, under the Advanced settings of the Threat Protection policy, there is a "Turn on event logging", if you disable that, the value under CORE will be set to 0.
Are you able to test a Windows Update with that config, that would prove the slowdown is due to journal recording at least.
I Disabled Threat Graph Creation, which made the registry settings.
CORE - 1
EDR - 0
FIM - 1
RCA - 0
I am not able to click on the View Advanced Settings where the "Turn on event logging" may be.
FIM is controlled by this policy:
Toggling this will change the FIM - enable to 1 or 0. For the test, can you disable it.
For the advanced setting to be available to change, you have to uncheck this above in the policy:
This will change the CORE.
I would suggest creating sperate FIM and Threat Protection policies and link a test server to them to save all servers getting this test policy.