This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint slow down internet speed

Hello,

We got a dedicated optical fiber 1gb Down/up .

With the endpoint installed, the speed download seems to be block around around 150 to 300 mb/s. Upload is correct.

IF i uninstall it, then the speed go back to normal with around 900 mb/s. Tests are made through NPERF. 

I tried a to play with settings on sophos central but none of them seems to make it work normally.

Does someone experiencing this issue or does know how to fix it ?


Note: Please see the following Blog Post for the latest update regarding this issue



This thread was automatically locked due to age.
  • If you turn off tamper protection. Change it to 1 check NTP is running again and the process SophosNetFilter.exe is running and retry the test. Maybe try fast.com, speedtest and any the previous one and see if your get any better results. Just double check the reg value isn’t reverted before the test.  Hope it helps. 

  • I will try the reg change.  Does it require a reboot?  Or does it take effect live?

    In the meantime I have been screwing around with a custom policy for them today, to not effect our entire population and I can confirm what is mentioned in this thread below.  Interestingly, when you disable all of those, the visual switch in settings area where you overide everything....Internet Realtime Scanning turns off, Web Control turns off, BUT....Network Threat Protection remains showing ENABLED.  The speeds do return to normal via the browser tests though.  I tried just turning off Internet, just Web Control, and no improvement...if I turn off BOTH of them....speeds good via the browser tests.  If I turn off ONLY NTP....speeds normal.  So there is an odd combination here, but I am assuming turning off just NTP, kills Web Control and Internet Real Time Scanning regardless even though they still show on?   No idea.   

    Disable Network Threat Protection from Sophos

  • That reg key is the switch.  1 - TEST NORMAL / 0 - TESTS ARE HOT SH**

    I confirmed that a reboot reverts the reg key to 0

  • NTP is the component. Web protection and control are features of it.

    The problem here is just browser traffic which, when either web protection or web control is enabled, traffic is inspected by SophosNetFilter.exe.

    If you turn off the feature NTP this will stop SophosNetFilter.exe from running.

    If you leave NTP running and turn of web control and the 2 web protection features that will also stop SophosNetFilter.exe.

    You don’t need to disable all of NTP to restore performance to the browser so C2 detection for non browser processes still runs, heatbeat, IPS if enabled, Connection tracking can all remain running features of NTP. The key thing here is SophosNetFilter.exe.

    No reboot required. Tbh I think restating the MCS services could revert the registry change. Should be picked up but ensuring NTP and web protection features are running is the thing to check. 

    hope it helps. 

  • Ahh I missed you last post. If that setting helps you contact support and ask them to enable the flag for your account. They should just need the tenant id you can find on the support page of Sophos Central where you enable support access. It’s a GUID.

  • Rebooting does revert the registry.  At this point I just need to circle back with our team and see how they want to proceed.  Thank you again for your help.

  • No problem, glad it could be fixed.

    Once the flag is set, MCSClient.exe, polls for flag updates based on this setting:

    I Config: setting 'flagsPollingInterval' set to 14400.

    14400s = 4hrs

    So it should be pretty quick to fix once set.

  • Confused now....explain what that polling setting does in simpler terms.  Will it prevent that registry from reverting to 0? 

  • It's just to highlight that even when Support request the change for the flag to be set on your Central account, the clients will not pick up the change straight away.  The flags are different to regular policy. 

    Feature flags are only polled for every 4 hours by MCS client where as a policy change you make should happen within a minute.  I thought I'd mention it so you know how long you might be waiting.

    Flags are the way Sophos rolls out features slowly even if the software is updated.