Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 12 subscribers
  • Views 3747 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint Defense Software using High CPU

ankit patel2

Running sophos agent on windows server. 

Every few days after reboot using high CPU over 25-30%



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to ankit patel2

    Does the Sophos System Protection service also show high CPU usage? 

    If you proceed with the component isolation steps in the following article, does disabling any features result in lower CPU usage?
    - https://support.sophos.com/support/s/article/KB-000036572?language=en_US 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    Hi Kushal,

    There is no SSP service using high CPU.

  • 0 in reply to Qoosh

    I have tried using isolation but doesn't helping to reducing high CPU. 

  • 0 in reply to ankit patel2

    SED Service does checks every 1 min if it needs to compress journal files.  If there is a lot of changes to the system, then it could be a lot of journals are being created.

    I would suggest set under:

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service

    DebugLevel to 1 from 2

    Then check the seds.log file under: C:\ProgramData\Sophos\Endpoint Defense\Logs\

    Is it compressing archives constantly? Look for lines that contain:

    "Debug Compressed"

    E.g.

    2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin
    2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
    2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files

    Here the now previous current journal file Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin has been compressed to the file: Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.xz.

    The following perf trace could be useful:

    typeperf -si 2 "\Process(SEDService)\% Processor Time" "\Sophos.SED Event Journal indexed stats(_Total)\Events in the memory queue" -sc 450 -o C:\sophos_SEDService_Usage.csv

    might be useful.

    If it is journal management, the following PS might be interesting to get a feel for the lifetime of the files.

    $journal_data =@()

gci $env:ProgramData"\Sophos\Endpoint Defense\Data\Event Journals\SophosED" | % {

    $data = gci -include *.xz $_.FullName -Recurse | Measure-Object -Property Length -sum | select count, sum

    $max_size = Get-ItemPropertyValue -ea SilentlyContinue "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects\$($_.Name)" -name MaxDiskUsageMB

    $total_on_disk = $([math]::round($data.sum / 1MB, 2))

    $journal_data += [PSCustomObject]@{

        Subject          = $_.Name

        SubjectMaxSizeMB = if($max_size -ge 0){$max_size}else{"N/A"}

        NumberOfFiles    = $data.count

        TotalDiskUsedMB  = $total_on_disk

        PercentageOfMax  = If($max_size){$([math]::round(($total_on_disk / $max_size ) * 100,2))}else{"N/A"}

    }

}

$journal_data | ogv

    Hope that helps

Unfiltered HTML