Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.
Checking disk space consumers on our windows servers we see that Sophos folder is huge on them:
%programdata%\sophos\endpoint defense\data\event journals\sophosED
Some of the subfolders contain tenthousands of files (e.g. Dns or FileBinaryChanges sub-folder) , some folders contain files, that are more than 2 years old.
Who is doing the housekeeping here? That mess slows down backups and other tasks.
one server:
other server:
SEDService.exe ("Sophos Endpoint Defense Service") performs the housekeeping of these files and runs every 4 or 5 mins to perform this task. It compresses the current .bin file to .xz for example and keeps the size of each journal under the max size which are defined here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects
You can see the max size of each journal subject and if you total up all the values:
Name Property
---- --------
DirectoryChanges MaxDiskUsageMB : 219
Dns MaxDiskUsageMB : 219
FileBinaryChanges MaxDiskUsageMB : 437
FileBinaryReads MaxDiskUsageMB : 437
FileDataChanges MaxDiskUsageMB : 219
FileDataReads MaxDiskUsageMB : 219
FileHashes MaxDiskUsageMB : 219
FileOtherChanges MaxDiskUsageMB : 219
FileOtherReads MaxDiskUsageMB : 219
FileProperties MaxDiskUsageMB : 219
Http MaxDiskUsageMB : 219
Image MaxDiskUsageMB : 219
Ip MaxDiskUsageMB : 219
Network MaxDiskUsageMB : 219
Process MaxDiskUsageMB : 437
ProcessProperties MaxDiskUsageMB : 219
Registry MaxDiskUsageMB : 219
System MaxDiskUsageMB : 219
Thread MaxDiskUsageMB : 219
Url MaxDiskUsageMB : 219
WinSec MaxDiskUsageMB : 219
18*219 + 3*437 = 3942+1311= 5253 MB.
---
In Central you could half this size, e.g.
To:
Once the policy arrives at the client:
C:\ProgramData\Sophos\Management Communications System\Endpoint\Cache\CORC37.policy
<eventJournalSizeLimit>2625</eventJournalSizeLimit>
The registry values are changed to:
Name Property
---- --------
DirectoryChanges MaxDiskUsageMB : 109
Dns MaxDiskUsageMB : 109
FileBinaryChanges MaxDiskUsageMB : 219
FileBinaryReads MaxDiskUsageMB : 219
FileDataChanges MaxDiskUsageMB : 109
FileDataReads MaxDiskUsageMB : 109
FileHashes MaxDiskUsageMB : 109
FileOtherChanges MaxDiskUsageMB : 109
FileOtherReads MaxDiskUsageMB : 109
FileProperties MaxDiskUsageMB : 109
Http MaxDiskUsageMB : 109
Image MaxDiskUsageMB : 109
Ip MaxDiskUsageMB : 109
Network MaxDiskUsageMB : 109
Process MaxDiskUsageMB : 219
ProcessProperties MaxDiskUsageMB : 109
Registry MaxDiskUsageMB : 109
System MaxDiskUsageMB : 109
Thread MaxDiskUsageMB : 109
Url MaxDiskUsageMB : 109
WinSec MaxDiskUsageMB : 109
Next time SEDService.exe carries out its work, the max size per subject should be met.
