This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint slow down internet speed

Hello,

We got a dedicated optical fiber 1gb Down/up .

With the endpoint installed, the speed download seems to be block around around 150 to 300 mb/s. Upload is correct.

IF i uninstall it, then the speed go back to normal with around 900 mb/s. Tests are made through NPERF. 

I tried a to play with settings on sophos central but none of them seems to make it work normally.

Does someone experiencing this issue or does know how to fix it ?


Note: Please see the following Blog Post for the latest update regarding this issue



This thread was automatically locked due to age.
Parents
  • same issue here.... 200mbs download reduced to 50mbs, but upload is not effected

  • Hello, out of interest, how do you check the speed?  Do you use a specific site or app?

    For example, what does Internet Speed Test | Fast.com give you in the way of results with and without the internet scanning and web control feature on? Essentially if the process SophosNetFilter.exe is running or is not running. 

    If SophosNetFilter.exe process is running, at least one of the web protection/control features is active.  If it's not running, then all web protection/control is off. 

    Additionally, download reputation feature can still be on, that is a scan post download for browsers that support IOfficeAntiVirus interfaces, such as Chrome, Edge but not Firefox.

    Also, do you have SSL/TLS decryption of HTTPS websites enabled or disabled?

    To check on the endpoint, the value of https_decrypt_enabled under the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latest]\web_protection

    will be 1 to be enabled and 0 to be disabled.

    Thanks.

  • im using speedtest.net - which I heard is more accurate than Fast.com. Fast.com gives a much higher value. 

    On Speedtes.com  I tested two machines on the same home network ethernet port. One was 200mbs, one was 50mbs . 

  • I'm also experiencing the same issues with a dedicated 1 GIG internet connection.  if i disable Network Threat protection speeds are 800 d 800 u.  When the setting is on like 100 d 600 u.  Whats the fix ?

  • this has been going on since Octobernot any time soon unfortunately (i think!) 

  • What’s the work around you’ve made, it’s really causing issues on our end.  

  • Hi Tom,

    I suppose, one test would be to use the Microsoft store app from Speedtest and compare that against the browser site.

    The web protection/control feature, which we assume is causing the slowdown only operates on processes identified as browsers so this should be a reasonably compare as I assume the backend part of the test/servers/etc are all the same and it's just the client changing.  This is a guess as I haven't spent any time looking into it.

    Beyond that, the features of web protection and control that you see in Sophos Central policy in Threat Protection policy are:

    And then in the web control policy:

    If one of these 3 options is enabled then the Sophos Network Threat Protection service launches SophosNetFilter.exe which is responsible for these features. You can confirm this in Task Manager. I.e. when SophosNetFiler.exe terminates due to the 3 features being off, performance is as expected?

    Checking policy at the client in the registry:

    web_scanning_enabled and web_filtering_enabled reg values under:  
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latestrevision]\web_protection

    Web control can be checked in the local UI or the web_control_enabled reg value under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\WebControl\[latestrevision]

    "Block access to malicious websites" and "Web Control" use cloud lookups to assess sites so there could be latency there, where as "Scan downloads in progress" doesn't use lookups it is scanning of the data where possible before it hits the browser.

    Then of course there is the added option of decryption which is heavily related to "Scan downloads in progress"

    If decryption is enabled, the endpoint can operate on the full URLs and content, not just the domain names obtained from the SNI property of the TLS/SSL handshake so there is more work to do, e.g. scanning of content.

    To check that policy locally, the reg value https_decrypt_enabled, under: 
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latestrevision]\web_protection
    Also, if enabled, when checking the cert of the site in the browser it will also reference Sophos if decryption is enabled.

    I would therefore be interested to know, what the values are with SSL/TLS decryption disabled and web control and block access to malicious websites disabled but leaving just Scan downloads in progress enabled, so at least one feature is enabled and SophosNetFilter.exe remains running but lookups and decryption are taken out.

    This way, it should take out the lookups being a factor.  Also, with decryption disabled, if the content for the test comes over HTTP, then scan downloads in progress will still be able to scan the content, if the test uses HTTPS it will not be decryption disabled. Hopefully it uses HTTPS but something to be mindful of.

    The other test would be to try the reverse, disable "Scan downloads in progress" and enable just "Block access to malicious sites" to see the difference and maybe isolate a feature.

    It might also be worth checking in the Dev Tools of the browser to understand the domains being accessed as part of the test. E.g. I see ooklaserver.net.  If this is added as an exclusion in the Threat Protection - Exclusions - As a a type: "Website", how does that affect the speed test score?

    Policy at the client: approved_site_patterns under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latestrevision]\web_protection

    Hope that helps maybe narrow it down and a few configurations to try and see how the score is affected.  It might be worth closing the browser and using an incognito tab for each test?

    Thanks.

  • i used the speed test from windows not chrome - and its was over 200mbs - so my bad. its all good now

  • I guess that proves that the wider computer isn't affected and it's just browser processes, which makes sense given the web protection and control features on apply to browser processes. It really depends if the end users are noticing the loss in speed via the browser.  If they download a lot of large files they might, but if you download a 500MB file as a one off, if it takes 20 seconds or 30 seconds I guess it doesn't matter too much. 

  • I was having issues with NTP (ON gives me 250mb OFF 950 mb) , I talked to another gentleman on this site What worked for him was changing Core Agent to version 2022.4.0.4 and Intercept X to 2022.1.3.3. I was able to do that through a submitted ticket to support. Well, the versions were changed. There was no difference in speed. SO, I go to toggle NTP off.I was not able to connect to any browser. I am now reverting back back to old settings. I understand some loss, but 60% or more is hard to take. I like the products so I hope this issue can be fixed soon. Also I tried the 'Home' Stand alone product on 1 of my computers, the speeds were were also 60% or more less.

Reply
  • I was having issues with NTP (ON gives me 250mb OFF 950 mb) , I talked to another gentleman on this site What worked for him was changing Core Agent to version 2022.4.0.4 and Intercept X to 2022.1.3.3. I was able to do that through a submitted ticket to support. Well, the versions were changed. There was no difference in speed. SO, I go to toggle NTP off.I was not able to connect to any browser. I am now reverting back back to old settings. I understand some loss, but 60% or more is hard to take. I like the products so I hope this issue can be fixed soon. Also I tried the 'Home' Stand alone product on 1 of my computers, the speeds were were also 60% or more less.

Children
  • It's just not fair for the end user, its affecting work at not sure what to do next?  I have 700+ endpoints

  • What is the exact symptoms your users are having?  Do they download and upload very large files multiple times a day?

  • I like to believe we all can understand we lose 'Speed", when implementing these resources. At what point do we have to say "HEY"......I am losing 2/3 or more of Internet that I(or customers) pay for. Is 2/3 OK...Is 1/2?...There is a point(everyone's level is different)  when the cure is more burdensome than the problem. I really don't like having to pay more for faster internet, because a product I'm using is slowing me down. To keep people happy.... pay more in the front end and get your ass handed to ya in the outcome...Besides this piss and moan session. I keep with Sophos, because it has helped, and took care of many issues, I trust and rely on on the products. But, I came looking for software a few years ago, and found Sophos, I can can also go look again......And Brother David Di Nella from up above, I can clue ya in.....I'm Pissing and moaning about a dozen or less cats I'm dealing with......Yelling it aint fair, with 700+........Well,...I just kinda ......nevermind.....G'Day,Eh....Thank You guys for such sharing, and opportunities to learn.

  • I look at it this way. I know it only affects browser processes. My computer is fine when downloading updates, etc... Running a speed test with the store app is fine. Do I notice the slowdown when actually browsing? Can’t say I do. If I download a 1GB file which is rare, do I care if it takes 30 seconds rather than 20 seconds, would I even notice? How would I know what to expect in the first place? The only time I think I’d notice is if I was handling and sharing GB of data per day via the browser. If that was the case, chances are it would be to the same site so I would make an exclusion as I assume I already trust it.  I suspect there is also a chance that that some of the speed tests just don’t work as accurately with a process in the middle scanning content and making lookups. Fast.com gives me different results for example.  Just my thoughts.

  • When you pay for something, you expect to have it the way it is sell..when you upgrade your internet from 100mb/s to1gb. You do not want to have a speed of 200mb/s. We do download /upload large files. So we can really feel the different. My problem is now solved. I can understand that it's annoying

  • HI Louis I feel ya but you mentioned your problem is now solved care to share what you did?

  • Not really sure i did something to solve the issue but i can use fully my internet speed:

    My core agent is 2022.4.0.4, sophos intercept x is 2022.1.3.3.

    I disabled Block access to malicious websites ( for another reason than speed but maybe it is the solution i don't know)

    I disabled ssl/tls decryption of HTTPS websites. 

    If you have the same version for the core agent and the intercept x , try those settings and give it some time to see if it OK for you.

  • Yeah the support agent said the latest Core will fix my issues.  Did you manually update the core or was deployed automatically?

  • I've been told to wait - Which I'm doing! :(