
Sophos Endpoint Protection causes widespread system slowdown in Windows 10 and 11

I have several customers with hundreds of various computers both Mac and Windows on Endpoint Protection.

Over the last year I have noticed that the endpoint protection is causing all Windows machines to slow down. Even brand new machines running i7, 32GB of RAM, NVMe SSDs and Windows 11 become very sluggish to respond to actions once you install the endpoint client; remove the client or disable it and they return to normal. Scheduled scanning is off, using recommended settings for realtime.

I can see that Sophos is pretty much always utilising the CPU proportionately heavily compared to other processes unless the PC has been idle for a while.

This is not an isolated case; these are brand new machines from Dell, Lenovo, custom built machines, and also older machines running Windows 10 and being rebuilt.

Is there a way to make the client less impactful on performance? 



  • I removed Sophos and re-installed it. There didn't appear to be any issues with the install

  • OK. No hmpalert driver in that list which seems odd.

    SophosED.sys ("Sophos Endpoint Defense" as you see it in the list of file system filters), will be installed as part of the Core Agent to provide tamper protection so it doesn't necessarily mean you have protection from a scanning perspective.

    Are you sure you're not running an Encryption only configured installer?

    You should see in the list of services:

    If they are installed, is the Windows "Security Center" service running if you look in Services.msc?

    Additionally, in a PS command prompt, what does:

    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

    return, do you see, among the other properties:

    displayName              : Windows Defender

    displayName              : Sophos Intercept X

  • PS output

    Services:

    I have no concept of what an Encryption only configured installer is.

    Thanks in advance.

  • Where is the Sophos File Scanner service? That also looks like the older SAV registration with the Security Center. It's not Sophos Intercept X.

    The Features reg value for me under: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures

    Contains:

    APPCNTRL
    AV
    CLEAN
    CORE
    DISKENCRYPTION
    DLP
    DVCCNTRL
    EFW
    HBT
    LIVEQUERY
    LIVETERMINAL
    NTP
    SAV
    SDU
    WEBCNTRL
    XPD

    The CloudSubscriptions are:

    When you are in Sophos Central, and choose to download the installer, you can select what components should be installed.

    Either it's failing to install components or the config is set not to install them. In Central you can choose what components of the install are active.

  • I have looked at the package details, we have been using the recommended settings. I will change the download to 2022.4.0.9 and try installing Sophos again and let you know how I get on.

  • Thanks for your input and pointers.

    Post-install reg keys after the 2022.4.0.9 install

    From the Recommended package and the 2022.4.0.9, the downloader is only presenting Device Encryption.  Should other products be shown on this screen?

  • Yes. When you download the installer from Sophos Central you get the option to get the full installer or you can choose the components.  Once the agent is installed you can also add components to the install.
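
The checks suggested across the replies above (filter drivers, services, Security Center registration, the Features registry value), collected into one read-only script. This is an added example, not code from any poster or from Sophos; the function name `Get-SophosInstallState` is hypothetical, `wscsvc` is the Windows service name for "Security Center", and the storage form of the Features value is an assumption handled in the code.

```powershell
# Added example: read-only checks from the replies, run from an elevated prompt
# (fltmc needs administrator rights). Nothing here changes the installation.
function Get-SophosInstallState {
    # Feature codes one reply lists for their own install (taken from the thread).
    $expected = 'APPCNTRL','AV','CLEAN','CORE','DISKENCRYPTION','DLP','DVCCNTRL','EFW',
                'HBT','LIVEQUERY','LIVETERMINAL','NTP','SAV','SDU','WEBCNTRL','XPD'

    # 1. File system filters: SophosED.sys appears as "Sophos Endpoint Defense";
    #    the thread notes hmpalert was absent on the affected machine.
    $filters = (& fltmc.exe filters 2>$null) -join "`n"

    # 2. Sophos services by display name, plus Windows Security Center (wscsvc).
    $services = Get-Service -DisplayName 'Sophos*' -ErrorAction SilentlyContinue
    $wsc      = Get-Service -Name wscsvc -ErrorAction SilentlyContinue

    # 3. Products registered with Security Center (CIM form of the WMI query above).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
              -ErrorAction SilentlyContinue

    # 4. Features value under PolicyFeatures. Assumption: it may be stored either as
    #    a multi-string or as one delimited string, so both are normalised here.
    $key  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\Service\PolicyFeatures'
    $raw  = (Get-ItemProperty -Path $key -Name Features -ErrorAction SilentlyContinue).Features
    $have = @($raw) -split '[\s,;]+' | Where-Object { $_ }

    [pscustomobject]@{
        SophosEDFilter     = $filters -match 'Sophos Endpoint Defense'
        HmpAlertFilter     = $filters -match 'hmpalert'
        FileScannerService = [bool]($services | Where-Object DisplayName -like 'Sophos File Scanner*')
        SophosServices     = @($services | ForEach-Object { "$($_.DisplayName) [$($_.Status)]" })
        SecurityCenterUp   = ($wsc.Status -eq 'Running')
        RegisteredAV       = @($av.displayName)
        Features           = @($have)
        MissingFeatures    = @($expected | Where-Object { $_ -notin $have })
    }
}

Get-SophosInstallState | Format-List
```

A result showing only DISKENCRYPTION-related features, no file scanner service and no hmpalert filter matches the encryption-only installer situation the thread ends on.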