Sophos Endpoint Protection Causes widespread system slowdown in windows 10 and 11

Thank you for reaching the community forum.

Various aspects may cause performance issues with our endpoint product. Would like to ask you for you can perform basic troubleshooting on one of the affected devices to Identify which component is causing this problem. 

I have the same problem as you, the actual memory usage of the endpoint is very large, open large software often prompts insufficient memory

Do you know if the "Aggressive threat detection" setting is turned on in Sophos Central? You can find this setting by using the following navigation:

- Go to "Account Details" from the drop-down menu at the top right
- Select "Account Preferences" from the left side.
- Scrolling down this page, you will find "Aggressive threat detection"

If the system resources are reasonable, but you're still experiencing issues, it may be best to open a support case to look into your issue further. 

Im also experiencing the same issue brand new Dell Laptops i5 8GB Ram and NVME and with sophos on it the laptop performs like a 5 year old HDD device.

Similar performance issues here.  We are seeing dual AV scanning with Windows Defender and Sophos Active X on Windows 10 and 11 machines.  Workaround is to turn off Defender but this does automatically kick back in. Ticket opened with Sophos.

What processes are consuming resources?  The main processes are:

SSPService.exe
SEDService.exe
SophosFileScanner (worker).

If SophosFileScanner.exe is the main issue, then it's scanning and what is being scanned can be determined  Could be DLP, depending on the CCLs but more than likely it would be for threat scanning. For this scenario:

Disbale Tamper Protection on the device and run the following 2 commands to see what is being scanned:

New-ItemProperty -path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Value 1

Get-Content "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -wait -tail 1 | where {$_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner.log'} | ogv

Remove Info level logging after
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Force

---

If the work is SEDService.exe at 5 minute intervals, then it's journal compression. If it's SSPService.exe, then it's processing events but first, is it SophosFileScanner.exe and scanning?

Thanks for your update.   I feel the issue is with Defender running at the same time as the Sophos endpoint.  Firstly, can my issue be replicated?  Secondly, can you provide a fix?

Why is defender kicking back in could be the issue?  This disablement is managed by Sophos reporting into the system via the "Security Center" service so it appears as a security provider.

I'm sure you can disable Defender with group policy but this should work fine. I.e. it should show as:

PS C:\Windows\system32> fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
Sophos Endpoint Defense                 9       389220         0
PROCMON24                               4       385200         0
hmpalert                                5       345800         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
CldFlt                                  1       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     2        40700         0
FileInfo                                4        40500         0

This doesn't list wdfilter, the Defender file system filter driver. Are you seeing the wdfilter driver loaded on these computers?

Usually you get the log file MpCmdRun.log under \windows\temp\ for example which details Defender disabling its service and driver:

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\MpCmdRun.exe" -DisableService
 Start Time: ‎Wed ‎Mar ‎22 ‎2023 16:32:40

MpEnsureProcessMitigationPolicy(0x5): hr = 0x1
EnableService(0, 3)
Stoping WinDefend and setting to SERVICE_DEMAND_START ...
Setting WdBoot to SERVICE_DEMAND_START and remove from early launch group...
Stopping WdFilter and setting to SERVICE_DEMAND_START ...
EnableService(0, 3) - finished.
MpCmdRun: End Time: ‎Wed ‎Mar ‎22 ‎2023 16:32:42
-------------------------------------------------------------------------------------

You could maybe check the history of that log as well.

Thanks.

Thanks for your update.

We don't have the capacity to turn off Defender via group policy.  We are AAD joined and we don't use INTUNE.

Could you please provide further details on where we can see the WDfilter? I can't locate the MpCmdRun.log.  

This is what I am experiencing.  High resource usage memory and CPU and No Sophos entries in the Security Providers section in Windows.

Something isn't right if Sophos isn't listed as a security provider on the computer.  Did it install correctly?

In an admin prompt, if you run
fltmc.exe
what is the output? 

I assume we see the Sophos file system filter drivers:

Sophos Endpoint Defense     This is sophosed.sys
hmpalert                    This is hmpalert.sys

I assume you will see wdfilter in that list, i.e. wdfilter.sys?