This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint slow down internet speed


We got a dedicated optical fiber 1gb Down/up .

With the endpoint installed, the speed download seems to be block around around 150 to 300 mb/s. Upload is correct.

IF i uninstall it, then the speed go back to normal with around 900 mb/s. Tests are made through NPERF. 

I tried a to play with settings on sophos central but none of them seems to make it work normally.

Does someone experiencing this issue or does know how to fix it ?

Note: Please see the following Blog Post for the latest update regarding this issue

This thread was automatically locked due to age.
  • Hi All, I am seeing all the replies - seems internet is getting a little slower as we have protection from viruses (etc) ...... that is we are using sophos protection and the web browsing experience is not as good.. (or fast?) .,.,.,.,- but we are protected and for me that is what counts. Im 200mb down to 150mb only when on a browser. No streaming or browsing would ever need 200mb.....No way teams is effected and definitely not zoom. I think this case should be closed. 

  • It is worth repeating, that there will always be a percentage decrease when you're doing web scanning and lookups "in-line" for browser process traffic. As you say, this only affects processes classified as browsers, not all processes are subjected to so much inspection hence why application speed test tools are unaffected, web browser tests are.

    Depending on the config you have, there is:

    1. Decryption of the browser traffic to be able to inspect HTTPS. 

    This may or may not be on but this is possibly the most intensive feature.
    https_decrypt_enabled = 1 would signify from the endpoint it is enabled.
    "SSL/TLS decryption of HTTPS websites" is the policy option in Central.

    2. Scanning the content before it hits the browser, this relies on https_decrypt_enabled being enabled for HTTPS traffic. If it's HTTP, which maybe accounts for 20% of traffic it is still being processed. 
    "Scan downloads in progress" is the policy option in Central.

    3. Making lookups to SXL to check the domains/urls being accessed.
    "Block access to malicious websites" is the policy option in Central.
    Also if Web control is enabled in policy, these lookups are also made regardless of it being for protection to get the category for the site.

    So when decryption of traffic is enabled, there is more work to be performed, as more data becomes available before it hits the browser to process, plus you have the overhead of the decrypt.  At this point lack of CPU power could be a factor as much as internet speed to make the SXL lookups from SSPService.exe.

    So only when all 3 features:

    • "Block access to malicious websites"
    • "Scan downloads in progress"
    • "Web control"

    are off does SophosNetFilter.exe process exit and there is 0 impact on web browser traffic. Of course if you disable "Network Threat Protection", that closes it down as well but that is far more than needs to be disabled.  This essentially disables all of the Network Threat Protection features rather than just the protection for the browsers.

    The Core agent 2022.4 has an improvement in speed but as far as I am aware, this requires the endpoint flag modernweb.offloading.enabled under

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags

    to be set to 1.  Sophos slowly rolls the flag out post release to ensure when enabling a new feature or significant change there is no issue with it.  So although you might have 2022.4, your account may not have the flag set yet.

    Hope that helps.

  • I feel these are workarounds and not resolutions.

Reply Children