
Sophos Endpoint Protection causes widespread system slowdown in Windows 10 and 11

I have several customers with hundreds of computers, both Mac and Windows, on Endpoint Protection.

Over the last year I have noticed that the endpoint protection is causing all Windows machines to slow down. Even brand new machines running an i7, 32 GB of RAM, NVMe SSDs and Windows 11 become very sluggish to respond to actions once you install the endpoint client; remove the client or disable it and they return to normal. Scheduled scanning is off, using recommended settings for real-time.

I can see that Sophos is pretty much always utilising the CPU proportionately heavily compared to other processes unless the PC has been idle for a while.

This is not an isolated case; these are brand new machines from Dell, Lenovo, custom-built machines, and also older machines running Windows 10 that are being rebuilt.

Is there a way to make the client less impactful on performance? 



  • I'm also experiencing the same issue: brand new Dell laptops with an i5, 8 GB RAM and NVMe, and with Sophos on them the laptop performs like a 5-year-old HDD device.

  • Similar performance issues here. We are seeing dual AV scanning with Windows Defender and Sophos Active X on Windows 10 and 11 machines. The workaround is to turn off Defender, but it does automatically kick back in. Ticket opened with Sophos.

  • What processes are consuming resources?  The main processes are:

    SSPService.exe
    SEDService.exe
    SophosFileScanner (worker).

    If SophosFileScanner.exe is the main issue, then it's scanning, and what is being scanned can be determined. It could be DLP, depending on the CCLs, but more than likely it would be threat scanning. For this scenario:

    Disable Tamper Protection on the device and run the following 2 commands to see what is being scanned:


    # Enable Info-level logging for the Sophos File Scanner (SFS) service
    New-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Value 1 -PropertyType DWord -Force

    # Tail the log and show each completed scan request in a grid view (ogv = Out-GridView);
    # lines mentioning the log file itself are the logger's own writes and are dropped
    Get-Content "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -Wait -Tail 1 | Where-Object { $_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner.log' } | Out-GridView

    Remove Info-level logging afterwards:
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Force

    ---

    If the work is SEDService.exe at 5-minute intervals, then it's journal compression. If it's SSPService.exe, then it's processing events. But first: is it SophosFileScanner.exe, and is it scanning?
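As an added example that is not part of the original thread, the script below automates the triage the reply above describes: it samples CPU use of the Sophos processes named there (SSPService, SEDService, SophosFileScanner, plus any other Sophos* process), and if the scanner is the busy one it enables SFS Info logging, captures the lines written during a window, summarises the scanned paths by directory and extension, and removes the setting again. The registry key, value and log path are the ones quoted in the reply; the exact layout of an `I End ScanDispatcher Request` line is not documented in the thread, so paths are extracted with a generic Windows-path regex, and the sample lines at the bottom are constructed for an offline run, not real SFS output. Tamper Protection must be disabled first, as the reply says, or the registry write is blocked.

```powershell
# Added example (not posted in the thread). Assumptions: registry key/value and log path as
# quoted in the reply above; SFS log line layout unknown, so a generic path regex is used.
#Requires -RunAsAdministrator

$SfsLogKey  = 'HKLM:\SOFTWARE\Sophos\Logging\SFS'
$SfsLogFile = 'C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log'

function Get-SophosCpuSample {
    # Two CPU-time snapshots $Seconds apart, reported as % of one logical core, per process.
    param([int]$Seconds = 10)
    $before = @(Get-Process -Name 'SSPService', 'SEDService', 'Sophos*' -ErrorAction SilentlyContinue)
    if ($before.Count -eq 0) { Write-Warning 'No Sophos processes found'; return }
    $cpu0 = @{}
    foreach ($p in $before) { $cpu0[$p.Id] = $p.TotalProcessorTime.TotalSeconds }
    Start-Sleep -Seconds $Seconds
    Get-Process -Id $before.Id -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Pid    = $_.Id
            CpuPct = [math]::Round(100 * ($_.TotalProcessorTime.TotalSeconds - $cpu0[$_.Id]) / $Seconds, 1)
            WsMB   = [math]::Round($_.WorkingSet64 / 1MB)
        }
    } | Sort-Object CpuPct -Descending
}

function Get-ScanPathSummary {
    # Same filter as the posted one-liner (completed requests, minus the logger's own file),
    # then count every Windows path found on those lines by directory and by extension.
    param([string[]]$LogLines, [int]$Top = 15)
    $paths = foreach ($line in $LogLines) {
        if ($line -notmatch 'I End ScanDispatcher Request' -or $line -match 'SophosFileScanner\.log') { continue }
        foreach ($m in [regex]::Matches($line, '[A-Za-z]:\\[^"''<>|\s]+')) { $m.Value }
    }
    $paths = @($paths)
    [pscustomobject]@{
        Total       = $paths.Count
        ByDirectory = $paths | ForEach-Object { Split-Path $_ -Parent } |
                      Group-Object | Sort-Object Count -Descending | Select-Object -First $Top Count, Name
        ByExtension = $paths | ForEach-Object { [IO.Path]::GetExtension($_).ToLowerInvariant() } |
                      Group-Object | Sort-Object Count -Descending | Select-Object -First $Top Count, Name
    }
}

function Invoke-SfsCapture {
    # Enable Info logging, wait, read only the bytes appended during the window, summarise,
    # and always remove the LogLevel value again. If the log rotates inside the window the
    # seek lands past the end and nothing is read; use a shorter window in that case.
    param([int]$Seconds = 60)
    if (-not (Test-Path $SfsLogFile)) { throw "Log not found: $SfsLogFile" }
    $offset = (Get-Item $SfsLogFile).Length
    New-ItemProperty -Path $SfsLogKey -Name LogLevel -Value 1 -PropertyType DWord -Force | Out-Null
    try {
        Start-Sleep -Seconds $Seconds
        $fs = [IO.File]::Open($SfsLogFile, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
        try {
            $null = $fs.Seek($offset, [IO.SeekOrigin]::Begin)
            $new = (New-Object IO.StreamReader($fs)).ReadToEnd() -split "`r?`n"
        } finally { $fs.Dispose() }
        Get-ScanPathSummary -LogLines $new
    } finally {
        Remove-ItemProperty -Path $SfsLogKey -Name LogLevel -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample lines (layout is illustrative only, not the real SFS format) so the
# summariser can be exercised on a machine without Sophos installed.
$sample = @(
    'I End ScanDispatcher Request C:\Users\alice\AppData\Local\Temp\build\obj\a.o',
    'I End ScanDispatcher Request C:\Users\alice\AppData\Local\Temp\build\obj\b.o',
    'I End ScanDispatcher Request C:\Users\alice\source\repo\node_modules\x\index.js',
    'I Begin ScanDispatcher Request C:\Windows\System32\notepad.exe',
    'I End ScanDispatcher Request C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log'
)
Get-ScanPathSummary -LogLines $sample | Format-List

# On an affected machine (Tamper Protection off, elevated prompt):
#   Get-SophosCpuSample -Seconds 10 | Format-Table
#   Invoke-SfsCapture -Seconds 60 | Format-List
```

The directory and extension counts are what you want to feed back into an exclusion decision: a build output folder or a package cache dominating the list is a far safer exclusion candidate than a broad wildcard, and the CPU sample tells you whether excluding anything from SophosFileScanner would help at all or whether the load is actually in SEDService or SSPService.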

  • Thanks for your update. I feel the issue is with Defender running at the same time as the Sophos endpoint. Firstly, can my issue be replicated? Secondly, can you provide a fix?

  • Why Defender is kicking back in could be the issue. This disablement is managed by Sophos reporting into the system via the "Security Center" service so it appears as a security provider.

    I'm sure you can disable Defender with group policy but this should work fine. I.e. it should show as:

    PS C:\Windows\system32> fltmc
    
    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    bindflt                                 1       409800         0
    Sophos Endpoint Defense                 9       389220         0
    PROCMON24                               4       385200         0
    hmpalert                                5       345800         0
    storqosflt                              0       244000         0
    wcifs                                   0       189900         0
    CldFlt                                  1       180451         0
    FileCrypt                               0       141100         0
    luafv                                   1       135000         0
    npsvctrig                               1        46000         0
    Wof                                     2        40700         0
    FileInfo                                4        40500         0

    This doesn't list wdfilter, the Defender file system filter driver. Are you seeing the wdfilter driver loaded on these computers?

    Usually you get the log file MpCmdRun.log under \windows\temp\ for example which details Defender disabling its service and driver:

    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\MpCmdRun.exe" -DisableService
     Start Time: ‎Wed ‎Mar ‎22 ‎2023 16:32:40
    
    MpEnsureProcessMitigationPolicy(0x5): hr = 0x1
    EnableService(0, 3)
    Stoping WinDefend and setting to SERVICE_DEMAND_START ...
    Setting WdBoot to SERVICE_DEMAND_START and remove from early launch group...
    Stopping WdFilter and setting to SERVICE_DEMAND_START ...
    EnableService(0, 3) - finished.
    MpCmdRun: End Time: ‎Wed ‎Mar ‎22 ‎2023 16:32:42
    -------------------------------------------------------------------------------------

    You could maybe check the history of that log as well.

    Thanks.

  • Thanks for your update.

    We don't have the capacity to turn off Defender via group policy. We are AAD joined and we don't use Intune.

    Could you please provide further details on where we can see WdFilter? I can't locate the MpCmdRun.log.

    This is what I am experiencing: high resource usage (memory and CPU) and no Sophos entries in the Security Providers section in Windows.

  • Something isn't right if Sophos isn't listed as a security provider on the computer. Did it install correctly?

    In an admin prompt, if you run
    fltmc.exe
    what is the output? 

    I assume we see the Sophos file system filter drivers:

    Sophos Endpoint Defense     This is sophosed.sys
    hmpalert                    This is hmpalert.sys

    I assume you will see wdfilter in that list, i.e. wdfilter.sys?

  • I removed Sophos and re-installed it. There didn't appear to be any issues with the install

  • OK. No hmpalert driver in that list which seems odd.

    SophosED.sys ("Sophos Endpoint Defense" as you see it in the list of file system filters) will be installed as part of the Core Agent to provide tamper protection, so it doesn't necessarily mean you have protection from a scanning perspective.

    Are you sure you're not running an Encryption-only configured installer?

    You should see in the list of services:

    If they are installed, is the Windows "Security Center" service running if you look in Services.msc?

    Additionally, in a PS command prompt, what does:

    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

    return, do you see, among the other properties:

    displayName              : Windows Defender

    displayName              : Sophos Intercept X

  • PS output

    Services:

    I have no concept of what an Encryption-only configured installer is.

    Thanks in advance.

  • Where is the Sophos File Scanner service? That also looks like the older SAV registration with the Security Center. It's not Sophos Intercept X.

    The Features reg value for me under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures

    Contains:

    APPCNTRL
    AV
    CLEAN
    CORE
    DISKENCRYPTION
    DLP
    DVCCNTRL
    EFW
    HBT
    LIVEQUERY
    LIVETERMINAL
    NTP
    SAV
    SDU
    WEBCNTRL
    XPD

    The CloudSubscriptions are:

    When you are in Sophos Central, and choose to download the installer, you can select what components should be installed.

    Either it's failing to install components or the config is set not to install them. In Central you can choose what components of the install are active.
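As an added example that is not part of the original thread, the script below rolls the checks suggested across the replies above into one report: which file system filters are loaded (parsing `fltmc filters`, where names such as "Sophos Endpoint Defense" contain spaces), whether Sophos and Defender are registered with Security Center via `root\SecurityCenter2`, the WinDefend service state, any `-DisableService` history in `%windir%\Temp\MpCmdRun.log`, and the Features value under the AutoUpdate PolicyFeatures key, diffed against the list the reply shows from a working machine. Filter names, paths and the registry location are the ones quoted in the thread. The `productState` decoding follows the commonly used convention (second byte 0x10 = real-time protection enabled, third byte 0x00 = signatures current) and is a heuristic, not a documented contract; the thread does not state the value type of Features, so both REG_MULTI_SZ and a single delimited string are accepted.

```powershell
# Added example (not posted in the thread). Assumptions: filter names, log path and
# registry key as quoted in the replies above; productState decoding is a heuristic.
#Requires -RunAsAdministrator

function Get-FilterDrivers {
    # Parse 'fltmc filters' into objects. The header and dash lines do not match (no digits
    # in the Num Instances column) and are skipped; the Frame column may read '<Legacy>'.
    fltmc.exe filters | ForEach-Object {
        if ($_ -match '^(?<name>\S.*?)\s{2,}(?<inst>\d+)\s+(?<alt>[\d.]+)\s+(?<frame>\S+)\s*$') {
            [pscustomobject]@{ Name = $Matches.name; Instances = [int]$Matches.inst; Altitude = $Matches.alt }
        }
    }
}

function Get-SecurityCenterAV {
    # Same data as the Get-WmiObject call in the reply, with productState decoded (heuristic).
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:x6}' -f [int]$_.productState
            [pscustomobject]@{
                DisplayName = $_.displayName
                State       = "0x$hex"
                Enabled     = $hex.Substring(2, 2) -eq '10'
                Signatures  = if ($hex.Substring(4, 2) -eq '00') { 'UpToDate' } else { 'OutOfDate' }
            }
        }
}

function Get-DefenderDisableHistory {
    # MpCmdRun.log under %windir%\Temp records Defender stopping WinDefend/WdFilter (see the quoted log).
    $log = Join-Path $env:windir 'Temp\MpCmdRun.log'
    if (-not (Test-Path $log)) { return "not found: $log" }
    Select-String -Path $log -Pattern 'DisableService', 'WdFilter', 'WinDefend' | Select-Object LineNumber, Line
}

# Feature list the reply shows from a working install; used only as a reference for the diff.
$ReferenceFeatures = 'APPCNTRL', 'AV', 'CLEAN', 'CORE', 'DISKENCRYPTION', 'DLP', 'DVCCNTRL', 'EFW',
                     'HBT', 'LIVEQUERY', 'LIVETERMINAL', 'NTP', 'SAV', 'SDU', 'WEBCNTRL', 'XPD'

function Get-SophosPolicyFeatures {
    # Value 'Features' under the PolicyFeatures key named in the reply; value type unknown,
    # so a REG_MULTI_SZ array and a comma/semicolon/whitespace-delimited string both work.
    $key = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures'
    $v = (Get-ItemProperty -Path $key -Name Features -ErrorAction SilentlyContinue).Features
    if ($null -eq $v) { return @() }
    @(@($v) -split '[,;\s]+' | Where-Object { $_ })
}

function Test-SophosInstall {
    $filters  = @(Get-FilterDrivers)
    $loaded   = { param($n) [bool]($filters | Where-Object Name -eq $n) }
    $av       = @(Get-SecurityCenterAV)
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $features = Get-SophosPolicyFeatures
    [pscustomobject]@{
        SophosEDFilter     = & $loaded 'Sophos Endpoint Defense'  # sophosed.sys: Core Agent / tamper protection only
        HmpAlertFilter     = & $loaded 'hmpalert'                 # hmpalert.sys: expected on a full Intercept X install
        WdFilterLoaded     = & $loaded 'WdFilter'                 # Defender's filter: expected absent once Sophos disables Defender
        WinDefendService   = if ($defender) { "$($defender.Status) ($($defender.StartType))" } else { 'not present' }
        SecurityCenterAV   = $av
        SophosRegistered   = [bool]($av | Where-Object DisplayName -like 'Sophos*')   # matches Intercept X and older SAV names
        PolicyFeatures     = $features
        MissingVsReference = @($ReferenceFeatures | Where-Object { $_ -notin $features })
    }
}

Test-SophosInstall | Format-List
Get-DefenderDisableHistory
```

Read the result the way the replies do: `SophosEDFilter` true with `HmpAlertFilter` false and `SophosRegistered` false is the Core-Agent-only (or encryption-only) picture described above, and a long `MissingVsReference` list points at the installer package or the Central component selection rather than at a broken install. `WdFilterLoaded` true alongside the Sophos filters, with `WinDefendService` running, is the dual-scanning state the earlier poster reported.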

  • I have looked at the package details; we have been using the recommended settings. I will change the download to 2022.4.0.9 and try installing Sophos again, and let you know how I get on.

  • Thanks for your input and pointers.

    Post-install reg keys after the 2022.4.0.9 install

    From the Recommended package and the 2022.4.0.9, the downloader is only presenting Device Encryption.  Should other products be shown on this screen?

  • Yes. When you download the installer from Sophos Central you get the option to get the full installer, or you can choose the components. Once the agent is installed you can also add components to the install.