Thread Info
  • State Verified Answer
  • +9 person also asked this people also asked this
  • Locked Locked
  • Replies 103 replies
  • Subscribers 39 subscribers
  • Views 50819 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint slow down internet speed

Louis

Hello,

We got a dedicated optical fiber 1gb Down/up .

With the endpoint installed, the speed download seems to be block around around 150 to 300 mb/s. Upload is correct.

IF i uninstall it, then the speed go back to normal with around 900 mb/s. Tests are made through NPERF. 

I tried a to play with settings on sophos central but none of them seems to make it work normally.

Does someone experiencing this issue or does know how to fix it ?

Note: Please see the following Blog Post for the latest update regarding this issue



This thread was automatically locked due to age.
  • 0 in reply to listentobro

    Hello, out of interest, how do you check the speed?  Do you use a specific site or app?

    For example, what does Internet Speed Test | Fast.com give you in the way of results with and without the internet scanning and web control feature on? Essentially if the process SophosNetFilter.exe is running or is not running. 

    If SophosNetFilter.exe process is running, at least one of the web protection/control features is active.  If it's not running, then all web protection/control is off. 

    Additionally, download reputation feature can still be on, that is a scan post download for browsers that support IOfficeAntiVirus interfaces, such as Chrome, Edge but not Firefox.

    Also, do you have SSL/TLS decryption of HTTPS websites enabled or disabled?

    To check on the endpoint, the value of https_decrypt_enabled under the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latest]\web_protection

    will be 1 to be enabled and 0 to be disabled.

    Thanks.

  • 0 in reply to Sophos User930

    im using speedtest.net - which I heard is more accurate than Fast.com. Fast.com gives a much higher value. 

    On Speedtes.com  I tested two machines on the same home network ethernet port. One was 200mbs, one was 50mbs . 

  • 0 in reply to listentobro

    I'm also experiencing the same issues with a dedicated 1 GIG internet connection.  if i disable Network Threat protection speeds are 800 d 800 u.  When the setting is on like 100 d 600 u.  Whats the fix ?

  • 0 in reply to David DI Nella

    this has been going on since Octobernot any time soon unfortunately (i think!) 

  • 0 in reply to listentobro

    What’s the work around you’ve made, it’s really causing issues on our end.  

  • 0 in reply to listentobro

    Hi Tom,

    I suppose, one test would be to use the Microsoft store app from Speedtest and compare that against the browser site.

    The web protection/control feature, which we assume is causing the slowdown only operates on processes identified as browsers so this should be a reasonably compare as I assume the backend part of the test/servers/etc are all the same and it's just the client changing.  This is a guess as I haven't spent any time looking into it.

    Beyond that, the features of web protection and control that you see in Sophos Central policy in Threat Protection policy are:

    And then in the web control policy:

    If one of these 3 options is enabled then the Sophos Network Threat Protection service launches SophosNetFilter.exe which is responsible for these features. You can confirm this in Task Manager. I.e. when SophosNetFiler.exe terminates due to the 3 features being off, performance is as expected?

    Checking policy at the client in the registry:

    web_scanning_enabled and web_filtering_enabled reg values under:  
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latestrevision]\web_protection

    Web control can be checked in the local UI or the web_control_enabled reg value under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\WebControl\[latestrevision]

    "Block access to malicious websites" and "Web Control" use cloud lookups to assess sites so there could be latency there, where as "Scan downloads in progress" doesn't use lookups it is scanning of the data where possible before it hits the browser.

    Then of course there is the added option of decryption which is heavily related to "Scan downloads in progress"

    If decryption is enabled, the endpoint can operate on the full URLs and content, not just the domain names obtained from the SNI property of the TLS/SSL handshake so there is more work to do, e.g. scanning of content.

    To check that policy locally, the reg value https_decrypt_enabled, under: 
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latestrevision]\web_protection
    Also, if enabled, when checking the cert of the site in the browser it will also reference Sophos if decryption is enabled.

    I would therefore be interested to know, what the values are with SSL/TLS decryption disabled and web control and block access to malicious websites disabled but leaving just Scan downloads in progress enabled, so at least one feature is enabled and SophosNetFilter.exe remains running but lookups and decryption are taken out.

    This way, it should take out the lookups being a factor.  Also, with decryption disabled, if the content for the test comes over HTTP, then scan downloads in progress will still be able to scan the content, if the test uses HTTPS it will not be decryption disabled. Hopefully it uses HTTPS but something to be mindful of.

    The other test would be to try the reverse, disable "Scan downloads in progress" and enable just "Block access to malicious sites" to see the difference and maybe isolate a feature.

    It might also be worth checking in the Dev Tools of the browser to understand the domains being accessed as part of the test. E.g. I see ooklaserver.net.  If this is added as an exclusion in the Threat Protection - Exclusions - As a a type: "Website", how does that affect the speed test score?

    Policy at the client: approved_site_patterns under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latestrevision]\web_protection

    Hope that helps maybe narrow it down and a few configurations to try and see how the score is affected.  It might be worth closing the browser and using an incognito tab for each test?

    Thanks.

  • 0 in reply to Sophos User930

    i used the speed test from windows not chrome - and its was over 200mbs - so my bad. its all good now

  • 0 in reply to listentobro

    I guess that proves that the wider computer isn't affected and it's just browser processes, which makes sense given the web protection and control features on apply to browser processes. It really depends if the end users are noticing the loss in speed via the browser.  If they download a lot of large files they might, but if you download a 500MB file as a one off, if it takes 20 seconds or 30 seconds I guess it doesn't matter too much. 

  • 0 in reply to Sophos User930

    I was having issues with NTP (ON gives me 250mb OFF 950 mb) , I talked to another gentleman on this site What worked for him was changing Core Agent to version 2022.4.0.4 and Intercept X to 2022.1.3.3. I was able to do that through a submitted ticket to support. Well, the versions were changed. There was no difference in speed. SO, I go to toggle NTP off.I was not able to connect to any browser. I am now reverting back back to old settings. I understand some loss, but 60% or more is hard to take. I like the products so I hope this issue can be fixed soon. Also I tried the 'Home' Stand alone product on 1 of my computers, the speeds were were also 60% or more less.

  • 0 in reply to Kevin McConnaughey

    It's just not fair for the end user, its affecting work at not sure what to do next?  I have 700+ endpoints

Unfiltered HTML