Sophos RT File Scanning Significantly Slows Chrome

We are in the process of rolling out Central Intercept X Advanced with XDR and MTR. Developers have complained that Sophos makes their Windows machines sluggish. Same behaviour does not exist or is not as bad on Mac machines. We have been able to reduce this problem to a test that demonstrates the issue.

System is i7-7700HQ 2.8 GHz, 16 GB RAM (memory usage doesn't exceed 50%). 


Executing (from cmd window) a .bat file that does "start chrome -new-window file:///C:/users/patrickkobly/chromestart.bat" 20 times. Timing measured on a stopwatch from hitting enter to the last window rendering the file. Observing Task Manager, we see "Sophos Endpoint Defense Software" peak around 30% CPU. Sophos File Scanner is present but doesn't seem to be spiking.

- With recommended policy settings: above test takes 10-12 sec

- With all switches off in a custom Endpoint Protection Policy, test takes about 6 sec

- With all switches on except for Real time file scanning turned on, test takes about 6 sec

- With recommended policy settings + a Windows process exception for chrome.exe, test takes about 6 sec

Tried to turn off tamper prevention and set Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application\LogLevel to 4 and restart Sophos File Scanner service. No differences noted in the Sophos File Scanner logs (looking to identify a tighter group of file exceptions to apply than just a blanket process exception for Chrome).

At a loss atm as to how to continue to troubleshoot this and return performance to acceptable.



  • Hi Patrick,

    Thanks for reaching out to the Sophos Community Forum. 

    Could you share the .bat file you're using with me via private message or in a reply?

    Do the results change if you open chrome manually instead of using the .bat script? You could try copying the commands from a text file with linebreaks to enter the same command the same number of times as the script. 

    This would help isolate the possibility of Sophos scanning the operations the .bat script is performing. 

    As for the logs, you can also try using the Sophos Endpoint Self Help tool to adjust the log level to see if this returns any additional information.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hello, the .bat file is just the mentioned command copy-pasted 20 times. No loops or anything. I tried the test with same results copying out all of these lines directly into cmd. Thank you for the link to the Sophos Endpoint Self Help video. I increased the log level on SFS and saw a few standouts on the first run, but they didn't occur on the second run (though total timing was roughly the same).

  • What about the 2 tests (disable tamper first):

    1. Under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config
    In OnAccessExcludeFilePaths add: C:\users\

    Does it launch faster?

    2. Rename
    C:\windows\system32\hmaplert.dll
    to
    C:\windows\system32\hmaplert.dll.off

    Does it launch faster when you run the test?

  • No notable difference with either option. (typo in the name of the dll - hmpalert.dll btw)

  • Hmm. In that case. Maybe time for a perf trace.

    wpr.exe -start GeneralProfile

    repro a slow run, maybe just one launch.

    wpr.exe -stop c:\gp.etl

    it would be interesting to then look at that in Windows Performance Analyzer and see what is going on.

    The only data in it is environment, process and path names if you did want to share it.

    You could try from a new profile as well. New test local account? Would also be an interesting test and remove some of your main profile data if you did perform a trace with a view to share and had the same issue.  

  • What's required for the OnAccessExcludeFilePaths to get picked up? Because I just followed your instructions in the other thread and see ~450 ScanDispatcher requests, all but 1 Pinned. Sum Total scan time 4.5 seconds.

  • Verified, adding an exception for C:\Users\ in Policy in central causes performance to improve to roughly the level of RT File scanning being turned off. 

  • Ok, what about changing C:\users\ to:

    C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\

    Does that have the same effect? I assume so.

    You could run Process Monitor with a path filter for:

    Path - Contains -  "Google\Chrome"

    as a basic example and launch Chrome.  Stop it capturing once launched, then run the Tools -> File Summary and use the "By Folder" tab. Which are the most accessed files?

    Is it: \Default\Service Worker\ for example?
    Would
    C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Service Worker\
    be closer?  Etc...

    Thanks.
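
Added example, not part of the thread: the Process Monitor "By Folder" step scripted, so the busiest folder under Chrome's `User Data` can be read off a CSV export and used as the narrowest exclusion candidate. It assumes the capture was saved as CSV with Process Monitor's default columns; the function name `rank_folders` and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0000001","chrome.exe","4120","CreateFile","C:\Users\dev1\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a1\index","SUCCESS",""
"10:01:00.0000002","chrome.exe","4120","ReadFile","C:\Users\dev1\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\a1\index","SUCCESS",""
"10:01:00.0000003","chrome.exe","4120","ReadFile","C:\Users\dev1\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\2cc8_0","SUCCESS",""
"10:01:00.0000004","chrome.exe","4120","ReadFile","C:\Users\dev1\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1","SUCCESS",""
"10:01:00.0000005","chrome.exe","4120","ReadFile","C:\Users\dev1\AppData\Local\Google\Chrome\User Data\Default\Preferences","SUCCESS",""
"10:01:00.0000006","explorer.exe","900","ReadFile","C:\Users\dev1\AppData\Local\Google\Chrome\User Data\Default\Preferences","SUCCESS",""
"10:01:00.0000007","chrome.exe","4120","ReadFile","C:\Program Files\Google\Chrome\Application\chrome.dll","SUCCESS",""
'''

def rank_folders(csv_text, process="chrome.exe", anchor="User Data", depth=2):
    """Count file events per folder, cut `depth` levels below `anchor`."""
    counts = Counter()
    # Tolerate a UTF-8 byte-order mark if the export carries one.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process.lower():
            continue
        parts = list(PureWindowsPath(row["Path"]).parts)
        lowered = [p.lower() for p in parts]
        if anchor.lower() not in lowered:
            continue  # e.g. the Chrome binaries under Program Files
        i = lowered.index(anchor.lower())
        if i >= len(parts) - 1:
            continue  # event on the anchor directory itself
        # Replace the profile name so the pattern matches any user.
        if len(parts) > 2 and lowered[1] == "users":
            parts[2] = "*"
        # Treat the last component as a file name; keep the folder prefix.
        folders = parts[:-1][: i + 1 + depth]
        counts[str(PureWindowsPath(*folders)) + "\\"] += 1
    return counts.most_common()

if __name__ == "__main__":
    for folder, n in rank_folders(SAMPLE_CSV):
        print(f"{n:5d}  {folder}")
```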