
Sophos File Scanner High Hardware Usage

Hi,

I work in an organisation environment where we have a variety of user laptops and are running Sophos Endpoint.

Products

Core Agent 2022.4.1.1

Sophos Intercept X 2022.1.3.3

We have been experiencing an issue with one device, a Lenovo V15-11L where the Sophos File Scanner task is always running at a high CPU, Memory and Disk rate.

This device has been reset multiple times and the issue remains in place. Please could someone offer some advice on a solution to this as no other devices have experienced any issues with this?

I look forward to hearing from you.

Kind Regards,


Tamoor



  • Hi Tamoor,

    Thanks for reaching out to the Sophos Community Forum.

    If you wish to monitor what the Sophos File Scanner process is scanning in real-time, try increasing the log level on the "SFS" component to "info". This can be done from the "Tools" section of the Endpoint Self Help Tool.

    Then you can run the following command through PowerShell to analyze the logs as they are generated.

    Get-Content "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -wait -tail 1 | where {$_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner.log'}
    


    If you have any applications running locally which will perform a high number of read/write operations, such as a database application, you may want to consider adding some Process Exclusions for these as well. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • Good morning Kushal,

    Thank you for your reply on this issue and apologies for the delay.

    The scan didn't really help pinpoint what type of files were being scanned and to be honest the logs continued to load for over 8 hrs.

    I'm not certain on what's causing this. This device has the same software/hardware as the other devices in our environment and it is no different from these at all. This is the only device with this issue.

    I look forward to hearing from you.

    Kind Regards,

    Tamoor

  • If the SophosFileScanner.exe process (child, worker process) is using high CPU, it is very likely to be scanning files as that's most of what it does.

    The log files "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" and the archived logs with Information level enabled will detail what is being scanned. The idea behind the PowerShell command is to tail the log, picking out the files being scanned from the log.

    You would expect that running the above when the CPU was high would reveal the areas of disk being scanned.

    Another "brute force" option would be to start with high level exclusions; these could at least prove that an exclusion would help.

    For example, in policy, if you exclude:
    C:\
    from real-time scanning, I assume the issue goes away?

    If so, change it to:

    C:\users\

    Does the issue go away then? The log file approach should avoid this but it is another option.

    With each policy change, check the reg value OnAccessExcludeFilePaths under:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config
    to ensure it has made it.
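
The log and registry checks described in the replies above, as an added example that is not part of the original thread and is not Sophos code: instead of watching the tail scroll, it counts scanned paths per folder so the busiest location stands out, then reads back the exclusion value. It assumes each matching log line contains the scanned file as a drive-letter path; the function name, parameters and sample lines are constructed for illustration.

```powershell
# Added example (not Sophos code). Save as a .ps1 and run with the SFS log level at "info".
param(
    [string]$LogPath = 'C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log',
    [int]$Depth = 3,   # path components to group by, e.g. C:\Users\name
    [int]$Top = 15     # number of folders to show
)

# Assumption: a matching line carries the scanned file as a drive-letter path.
$pathRegex = '[A-Za-z]:\\[^"<>|*?]+'

function Get-ScanHotspot {
    param([string[]]$Lines, [int]$Depth = 3, [int]$Top = 15)
    $Lines |
        Where-Object { $_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner\.log' } |
        ForEach-Object {
            if ($_ -match $pathRegex) {
                # Roll each file up into its leading folders so repeats become visible
                ($Matches[0].Split('\') | Select-Object -First $Depth) -join '\'
            }
        } |
        Group-Object -NoElement |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

if (Test-Path -LiteralPath $LogPath) {
    $lines = Get-Content -LiteralPath $LogPath
} else {
    # Constructed sample lines (the real log layout may differ) so the script runs anywhere
    $lines = @(
        '2023-01-10T09:00:01Z I End ScanDispatcher Request C:\Users\alice\AppData\Local\Temp\a1.tmp',
        '2023-01-10T09:00:02Z I End ScanDispatcher Request C:\Users\alice\AppData\Local\Temp\a2.tmp',
        '2023-01-10T09:00:03Z I End ScanDispatcher Request C:\Windows\System32\drivers\etc\hosts',
        '2023-01-10T09:00:04Z I Some other log message that is ignored'
    )
}
Get-ScanHotspot -Lines $lines -Depth $Depth -Top $Top | Format-Table -AutoSize

# Confirm that a test exclusion from the policy has reached the endpoint
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config'
$cfg = Get-ItemProperty -LiteralPath $key -Name OnAccessExcludeFilePaths -ErrorAction SilentlyContinue
if ($cfg) { $cfg.OnAccessExcludeFilePaths } else { 'OnAccessExcludeFilePaths not found or not readable' }
```

Raising `-Depth` narrows the grouping from a top-level folder down to the specific directory, which keeps any exclusion that is eventually added as small as possible.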

  • Hi  ,

    When I first discovered this issue on this device, its CPU was running at 100% with both the Sophos Endpoint Defence Software service at 12.4% and the Sophos File Scanner service at 69.8%. At the time this device was running Windows 10.

    After resetting the device completely it was upgraded to Windows 11. Shortly after, the CPU was running at 100% again with the Sophos Endpoint Defence Software service at 10.7% and the Sophos File Scanner service at 79.0%.

    From what you've mentioned, if I go through each folder on the device's C:\ drive and set up exclusions for the folders I should find out when the Sophos services ramp up.

    When setting up exclusions, does this affect all of our devices or can I set up singular exclusions for this device only?

    In addition, from all of the information that I have provided what could be causing this? The device only has one drive, the C:\ drive and it has been reset multiple times. It's running the same software packages as all of our other devices.

    Kind Regards,

    Tamoor

  • Create a new threat protection policy and link just this device to it. In that you can define the test exclusions. 

  • Hi  ,

    Thank you for confirming. I will check the device next week when I am onsite again.
