This discussion has been locked.

Sophos RT File Scanning Significantly Slows Chrome

We are in the process of rolling out Central Intercept X Advanced with XDR and MTR. Developers have complained that Sophos makes their Windows machines sluggish. Same behaviour does not exist or is not as bad on Mac machines. We have been able to reduce this problem to a test that demonstrates the issue.

System is i7-7700HQ 2.8 GHz, 16 GB RAM (memory usage doesn't exceed 50%). 


Executing (from cmd window) a .bat file that does "start chrome -new-window file:///C:/users/patrickkobly/chromestart.bat" 20 times. Timing measured on a stopwatch from hitting enter to the last window rendering the file. Observing Task Manager, we see "Sophos Endpoint Defense Software" peak around 30% CPU. Sophos File Scanner is present but doesn't seem to be spiking.

- With recommended policy settings: above test takes 10-12 sec

- With all switches off in a custom Endpoint Protection Policy, test takes about 6 sec

- With all switches on except for Real time file scanning turned on, test takes about 6 sec

- With recommended policy settings + a Windows process exception for chrome.exe, test takes about 6 sec

Tried to turn off tamper prevention and set Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos File Scanner\Application\LogLevel to 4 and restart Sophos File Scanner service. No differences noted in the Sophos File Scanner logs (looking to identify a tighter group of file exceptions to apply than just a blanket process exception for Chrome).

At a loss atm as to how to continue to troubleshoot this and return performance to acceptable.



This thread was automatically locked due to age.
  • The default application view of Task Manager isn't really that helpful as it groups by description.  As a result: "Sophos Endpoint Defense Software" could be SSPService.exe or SEDService.exe. 

    I assume it's SSPService.exe but it would be good to know.

    I would suggest, with Tamper off, from an admin PS prompt, enable just level 1 logging (info is enough):

    New-ItemProperty -path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Value 1

    Tail the SFS log with a filter:

    Get-Content "C:\ProgramData\Sophos\Sophos File Scanner\Logs\SophosFileScanner.log" -wait -tail 1 | where {$_ -match 'I End ScanDispatcher Request' -and $_ -notmatch 'SophosFileScanner.log'} | ogv

    Launch Chrome, anything stand out?  Revert the logging with the following:

    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS" -Name "LogLevel" -Force

    No need to restart SFS, it is picked up dynamically.

    Regards,
