
Sophos Endpoint Protection Causes widespread system slowdown in windows 10 and 11

I have several customers with hundreds of various computers both Mac and Windows on Endpoint Protection.

Over the last year I have noticed that the endpoint protection is causing all Windows machines to slow down. Even brand new machines running an i7, 32 GB of RAM, NVMe SSDs and Windows 11 become very sluggish to respond to actions once you install the endpoint client; remove the client or disable it and they return to normal. Scheduled scanning is off, using recommended settings for real-time.

I can see that Sophos is pretty much always utilising the CPU proportionately heavily compared to other processes unless the PC has been idle for a while.

This is not an isolated case: these are brand new machines from Dell, Lenovo, custom-built machines, and also older machines running Windows 10 and being rebuilt.

Is there a way to make the client less impactful on performance? 



  • Thank you for reaching out to the community forum.

    Various aspects may cause performance issues with our endpoint product. We would like to ask you to perform basic troubleshooting on one of the affected devices to identify which component is causing this problem.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

  • I have the same problem as you: the actual memory usage of the endpoint is very large, and opening large software often prompts "insufficient memory".

  • Do you know if the "Aggressive threat detection" setting is turned on in Sophos Central? You can find this setting by using the following navigation:

    - Go to "Account Details" from the drop-down menu at the top right
    - Select "Account Preferences" from the left side.
    - Scrolling down this page, you will find "Aggressive threat detection"

    If the system resources are reasonable, but you're still experiencing issues, it may be best to open a support case to look into your issue further. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • I'm also experiencing the same issue: brand new Dell laptops (i5, 8 GB RAM and NVMe), and with Sophos on them the laptop performs like a 5-year-old HDD device.

  • Similar performance issues here. We are seeing dual AV scanning with Windows Defender and Sophos Active X on Windows 10 and 11 machines. The workaround is to turn off Defender, but it automatically kicks back in. Ticket opened with Sophos.

  • What processes are consuming resources?  The main processes are:

    SSPService.exe
    SEDService.exe
    SophosFileScanner.exe (worker)

    If SophosFileScanner.exe is the main issue, then it's scanning, and what is being scanned can be determined. It could be DLP, depending on the CCLs, but more than likely it would be threat scanning. For this scenario:

    Disable Tamper Protection on the device and run the following two commands to see what is being scanned:

    # Turn on Info-level logging for the Sophos File Scanner (SFS); -Force lets the command be re-run if the value already exists
    New-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Value 1 -PropertyType DWord -Force

    # Follow the log live and show each completed scan request in a grid view (drop lines about the log file itself)
    Get-Content "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -Wait -Tail 1 |
        Where-Object { $_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner\.log' } |
        Out-GridView

    Remove Info-level logging afterwards:
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Force

    ---

    If the work is SEDService.exe at 5-minute intervals, then it's journal compression. If it's SSPService.exe, then it's processing events. But first: is it SophosFileScanner.exe and scanning?
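The procedure in the reply above (first attribute the load to SSPService.exe, SEDService.exe or SophosFileScanner.exe, then read the Info-level SophosFileScanner.log to see what is being scanned) can be scripted so that the answer comes out as a table instead of a scrolling grid. The following is an added example, not code from the thread or from Sophos. It assumes the process names and log path quoted in the post, and that each completed scan is logged on a line containing 'I End ScanDispatcher Request' together with a Windows path (the exact line format is not shown on the page, so paths are pulled out with a regex). Run it from an elevated PowerShell prompt after enabling LogLevel as above.

```powershell
# Added example, not from the thread or from Sophos: attribute CPU/memory to the
# three Sophos processes named above, then summarise what SophosFileScanner is
# scanning from the Info-level log. Run elevated.

$SophosProcessNames = 'SSPService', 'SEDService', 'SophosFileScanner'
$SfsLogPath = 'C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log'

function Get-SophosCpuSample {
    param([int]$Seconds = 30)
    # Two CPU-time snapshots over a window; CpuPercent is normalised to all logical
    # processors so it compares directly with Task Manager's figure.
    $cores  = [int]$env:NUMBER_OF_PROCESSORS
    $before = @{}
    Get-Process -Name $SophosProcessNames -ErrorAction SilentlyContinue |
        ForEach-Object { $before[$_.Id] = $_.TotalProcessorTime.TotalSeconds }
    Start-Sleep -Seconds $Seconds
    Get-Process -Name $SophosProcessNames -ErrorAction SilentlyContinue |
        Where-Object { $before.ContainsKey($_.Id) } |
        ForEach-Object {
            $delta = $_.TotalProcessorTime.TotalSeconds - $before[$_.Id]
            [pscustomobject]@{
                Name         = $_.Name
                PID          = $_.Id
                CpuPercent   = [math]::Round(($delta / $Seconds) * 100 / $cores, 1)
                WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB)
            }
        } | Sort-Object CpuPercent -Descending
}

function Get-SophosScanSummary {
    param([string]$LogPath = $SfsLogPath, [int]$Top = 15)
    # Assumption: a completed scan is a line containing 'I End ScanDispatcher Request'
    # (as in the post) and the scanned object is whatever on that line looks like a
    # Windows path. Lines about the log file itself are skipped, as in the post.
    $paths = @(Get-Content -Path $LogPath -ErrorAction Stop |
        Where-Object { $_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner\.log' } |
        ForEach-Object { [regex]::Matches($_, '[A-Za-z]:\\[^\s"<>|]+') | ForEach-Object { $_.Value } })

    # Regex-based extension/directory extraction avoids .NET path APIs throwing on odd characters.
    [pscustomobject]@{
        TotalScans  = $paths.Count
        ByExtension = $paths |
            Group-Object { if ($_ -match '\.([^\\.]+)$') { ('.' + $Matches[1]).ToLower() } else { '(none)' } } |
            Sort-Object Count -Descending | Select-Object -First $Top Name, Count
        ByDirectory = $paths |
            Group-Object { $_ -replace '\\[^\\]*$', '' } |
            Sort-Object Count -Descending | Select-Object -First $Top Name, Count
    }
}

# Usage: sample for 30 seconds, then see where the scan volume comes from.
Get-SophosCpuSample -Seconds 30 | Format-Table -AutoSize
$summary = Get-SophosScanSummary
'{0} completed scan requests in the log' -f $summary.TotalScans
$summary.ByDirectory | Format-Table -AutoSize
$summary.ByExtension | Format-Table -AutoSize
```

If ByDirectory is dominated by one application's working folder (a database, a build tree, a mail store), that is the usual candidate for a vendor-documented exclusion. Treat every exclusion as an attack surface decision, not just a performance one: never exclude user-writable locations such as Downloads, Temp or profile folders, and prefer excluding a specific process or file type over a whole directory. Remove the LogLevel value again when done, because Info-level logging itself adds disk I/O.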

  • Thanks for your update.   I feel the issue is with Defender running at the same time as the Sophos endpoint.  Firstly, can my issue be replicated?  Secondly, can you provide a fix?

  • Why Defender is kicking back in could be the issue. This disablement is managed by Sophos reporting into the system via the "Security Center" service so it appears as a security provider.

    I'm sure you can disable Defender with group policy, but this should work fine. I.e. it should show as:

    PS C:\Windows\system32> fltmc
    
    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    bindflt                                 1       409800         0
    Sophos Endpoint Defense                 9       389220         0
    PROCMON24                               4       385200         0
    hmpalert                                5       345800         0
    storqosflt                              0       244000         0
    wcifs                                   0       189900         0
    CldFlt                                  1       180451         0
    FileCrypt                               0       141100         0
    luafv                                   1       135000         0
    npsvctrig                               1        46000         0
    Wof                                     2        40700         0
    FileInfo                                4        40500         0

    This doesn't list wdfilter, the Defender file system filter driver. Are you seeing the wdfilter driver loaded on these computers?

    Usually you get the log file MpCmdRun.log under \windows\temp\, for example, which details Defender disabling its service and driver:

    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\MpCmdRun.exe" -DisableService
     Start Time: Wed Mar 22 2023 16:32:40
    
    MpEnsureProcessMitigationPolicy(0x5): hr = 0x1
    EnableService(0, 3)
    Stoping WinDefend and setting to SERVICE_DEMAND_START ...
    Setting WdBoot to SERVICE_DEMAND_START and remove from early launch group...
    Stopping WdFilter and setting to SERVICE_DEMAND_START ...
    EnableService(0, 3) - finished.
    MpCmdRun: End Time: Wed Mar 22 2023 16:32:42
    -------------------------------------------------------------------------------------

    You could maybe check the history of that log as well.

    Thanks.

  • Thanks for your update.

    We don't have the capacity to turn off Defender via group policy. We are AAD-joined and we don't use Intune.

    Could you please provide further details on where we can see the WdFilter? I can't locate the MpCmdRun.log.

    This is what I am experiencing: high resource usage (memory and CPU) and no Sophos entries in the Security Providers section in Windows.

  • Something isn't right if Sophos isn't listed as a security provider on the computer. Did it install correctly?

    In an admin prompt, if you run
    fltmc.exe
    what is the output? 

    I assume we see the Sophos file system filter drivers:

    Sophos Endpoint Defense     This is sophosed.sys
    hmpalert                    This is hmpalert.sys

    I assume you will see wdfilter in that list, i.e. wdfilter.sys?
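The two replies above (the one quoting fltmc and MpCmdRun.log, and this last one asking for the fltmc output again) are really asking for three signals at once: is Sophos registered with Windows Security Center, are the Sophos minifilters (sophosed.sys as "Sophos Endpoint Defense", hmpalert.sys as "hmpalert") and Defender's WdFilter loaded, and has Defender actually been told to stand down. The following is an added example, not code from the thread or from Sophos, that collects them into one report from an elevated prompt. It assumes the filter names and the MpCmdRun.log location and "-DisableService" line format quoted above, and the commonly documented meaning of bit 0x1000 in SecurityCenter2's productState (product enabled), which is not stated on this page.

```powershell
# Added example, not from the thread or from Sophos: gather the Defender/Sophos
# coexistence signals discussed above into one report. Run elevated (fltmc needs it).

function Get-SecurityCenterAvProduct {
    # root/SecurityCenter2 is where third-party AV registers as a security provider;
    # client Windows re-enables Defender whenever nothing else is registered here.
    # Assumption: productState bit 0x1000 means "product enabled" (common decoding).
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product = $_.displayName
                Enabled = (($_.productState -band 0x1000) -ne 0)
                State   = '0x{0:X6}' -f $_.productState
            }
        }
}

function Get-LoadedMinifilter {
    # Parse 'fltmc filters'. Names may contain spaces ("Sophos Endpoint Defense"),
    # so anchor on the trailing numeric columns instead of splitting on whitespace.
    & fltmc.exe filters | ForEach-Object {
        if ($_ -match '^(?<Name>\S.*?)\s+(?<Instances>\d+)\s+(?<Altitude>[\d.]+)\s+(?<Frame>\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = $Matches.Altitude
                Frame     = $Matches.Frame
            }
        }
    }
}

function Get-DefenderDisableHistory {
    param([string]$LogPath = (Join-Path $env:windir 'Temp\MpCmdRun.log'))
    # Each "-DisableService" run is followed by its "Start Time:" line, as in the
    # excerpt quoted in the thread; return those timestamps in order.
    if (-not (Test-Path -Path $LogPath)) { return @() }
    Select-String -Path $LogPath -Pattern 'Command Line:.*-DisableService' -Context 0, 1 |
        ForEach-Object { ($_.Context.PostContext[0] -replace '^\s*Start Time:\s*', '').Trim() }
}

function Get-DefenderCoexistenceReport {
    $av       = @(Get-SecurityCenterAvProduct)
    $filters  = @(Get-LoadedMinifilter)
    $wdfilter = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdFilter'"
    $windef   = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    $wdState = 'not present'
    if ($wdfilter) { $wdState = '{0} / {1}' -f $wdfilter.State, $wdfilter.StartMode }
    $svcState = 'not present'
    if ($windef) { $svcState = '{0} / {1}' -f $windef.Status, $windef.StartType }

    [pscustomobject]@{
        RegisteredAv           = ($av | ForEach-Object { '{0} (enabled={1})' -f $_.Product, $_.Enabled }) -join '; '
        SophosRegistered       = [bool]($av | Where-Object Product -like 'Sophos*')
        SophosFiltersLoaded    = ($filters | Where-Object { $_.Name -in 'Sophos Endpoint Defense', 'hmpalert' }).Name -join ', '
        WdFilterLoaded         = [bool]($filters | Where-Object Name -eq 'WdFilter')
        WdFilterDriverState    = $wdState
        WinDefendService       = $svcState
        LastDisableServiceRuns = (Get-DefenderDisableHistory | Select-Object -Last 3) -join '; '
    }
}

Get-DefenderCoexistenceReport | Format-List
```

Read the report as the replies above suggest: SophosRegistered should be true and WdFilterLoaded false on a healthy install. If both the Sophos filters and WdFilter are loaded with instances, two scanners are inspecting every file open, which is the dual-scanning condition reported in this thread. If SophosRegistered is false, the Security Center registration that is supposed to make Defender stand down is missing, and Defender will keep re-enabling itself no matter how often it is stopped by hand; that is a support case about the Sophos install, not a reason to strip Defender out with policy and leave the machine depending on a product Windows does not see.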