
Sophos Endpoint Defense Software using High CPU

Running the Sophos agent on Windows Server.

Every few days after a reboot, it is using high CPU, over 25-30%.

This thread was automatically locked due to age.

  • Does the Sophos System Protection service also show high CPU usage? 

    If you proceed with the component isolation steps in the following article, does disabling any features result in lower CPU usage?

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi Kushal,

    There is no SSP service using high CPU.

  • I have tried using isolation, but it doesn't help reduce the high CPU.

  • The SED Service checks every 1 min whether it needs to compress journal files.  If there are a lot of changes to the system, then it could be that a lot of journals are being created.

    I would suggest setting, under:

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service

    DebugLevel to 1 from 2

    Then check the seds.log file under: C:\ProgramData\Sophos\Endpoint Defense\Logs\

    Is it compressing archives constantly? Look for lines that contain:

    "Debug Compressed"


    2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin
    2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
    2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files

    Here the now previous current journal file Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin has been compressed to the file: Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.xz.

    The following perf trace could be useful:

    typeperf -si 2 "\Process(SEDService)\% Processor Time" "\Sophos.SED Event Journal indexed stats(_Total)\Events in the memory queue" -sc 450 -o C:\sophos_SEDService_Usage.csv

    If it is journal management, the following PowerShell might be interesting to get a feel for the lifetime of the files.

    # Collect per-subject statistics for the compressed (.xz) journal files
    $journal_data = @()
    $journal_root = Join-Path $env:ProgramData "Sophos\Endpoint Defense\Data\Event Journals\SophosED"
    gci $journal_root | % {
        # Count and total size of the .xz archives under this subject folder
        $data = gci -include *.xz $_.FullName -Recurse | Measure-Object -Property Length -sum | select count, sum
        # Configured disk cap for this subject, if one is set in the registry
        $max_size = Get-ItemPropertyValue -ea SilentlyContinue "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects\$($_.Name)" -name MaxDiskUsageMB
        $total_on_disk = $([math]::round($data.sum / 1MB, 2))
        $journal_data += [PSCustomObject]@{
            Subject          = $_.Name
            SubjectMaxSizeMB = if($max_size -ge 0){$max_size}else{"N/A"}
            NumberOfFiles    = $data.count
            TotalDiskUsedMB  = $total_on_disk
            PercentageOfMax  = If($max_size){$([math]::round(($total_on_disk / $max_size ) * 100,2))}else{"N/A"}
        }
    }
    # Show the results in a sortable grid window
    $journal_data | ogv

    Hope that helps
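
One way to answer the "is it compressing archives constantly?" question in the post above, as an added example that is not part of the original thread or Sophos code: it buckets the "Debug Compressed" lines of seds.log by hour. The function name Get-SedCompressionSummary is hypothetical, and the line formats are assumed to match the three log lines quoted in the post, which are reused as sample input.

```powershell
# Added example: hourly summary of journal compression activity in seds.log.
# Get-SedCompressionSummary is a hypothetical name, not a Sophos cmdlet.
function Get-SedCompressionSummary {
    param([string[]]$Lines)
    $prefix = '^\s*(?<hr>\d{4}-\d{2}-\d{2}T\d{2}):\S+ SEDS EvtJrn Debug Compressed '
    # Per-file line: sizes before/after and elapsed microseconds
    $perFile = $prefix + '(?<in>\d+) bytes to (?<out>\d+) bytes in (?<us>\d+) usecs'
    # Per-pass line: written once for each check the service makes
    $perPass = $prefix + '(?<c>\d+) files, deleted \d+ files, and ignored \d+ files'
    $buckets = [ordered]@{}
    foreach ($line in $Lines) {
        $f = [regex]::Match($line, $perFile)
        $p = [regex]::Match($line, $perPass)
        if (-not ($f.Success -or $p.Success)) { continue }   # unrelated log line
        $m = if ($f.Success) { $f } else { $p }
        $hour = $m.Groups['hr'].Value                        # e.g. 2023-04-25T13 (UTC)
        if (-not $buckets.Contains($hour)) {
            $buckets[$hour] = [PSCustomObject]@{
                HourUtc = $hour; Passes = 0; BusyPasses = 0; FilesCompressed = 0
                BytesIn = [long]0; BytesOut = [long]0; CompressMs = [double]0
            }
        }
        $b = $buckets[$hour]
        if ($f.Success) {
            $b.BytesIn    += [long]$f.Groups['in'].Value
            $b.BytesOut   += [long]$f.Groups['out'].Value
            $b.CompressMs += [long]$f.Groups['us'].Value / 1000
        } else {
            $n = [int]$p.Groups['c'].Value
            $b.Passes++
            $b.FilesCompressed += $n
            if ($n -gt 0) { $b.BusyPasses++ }                # pass that did real work
        }
    }
    $buckets.Values
}

# Sample input: the three log lines quoted in the post above.
$sample = @'
2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin
2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files
'@ -split "\r?\n"

Get-SedCompressionSummary -Lines $sample | Format-Table -AutoSize
# Against the real log (path from the post above):
# Get-SedCompressionSummary -Lines (Get-Content 'C:\ProgramData\Sophos\Endpoint Defense\Logs\seds.log')
```

With a check every minute, an hour has roughly 60 passes; hours where BusyPasses is close to Passes and CompressMs is large are the ones where journal compression is running constantly.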