Sophos Endpoint Defense Software using High CPU

Running the Sophos agent on a Windows server.

Every few days after a reboot it uses high CPU, over 25-30%.

  • Hi ankit,

    Thanks for reaching out to the Sophos Community Forum. 

    Do you know if any scheduled scans may be taking place in the background causing the increase in CPU usage? 

    When you open task manager and expand out the processes showing high CPU usage, what are the underlying executables shown?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Does the Sophos System Protection service also show high CPU usage? 

    If you proceed with the component isolation steps in the following article, does disabling any features result in lower CPU usage?
    - https://support.sophos.com/support/s/article/KB-000036572?language=en_US 

    Kushal Lakhan
    Team Lead, Global Community Support
  • Hi Kushal,

    There is no SSP service using high CPU.

  • I have tried using isolation but it isn't helping to reduce the high CPU.

  • The SED Service checks every 1 min whether it needs to compress journal files. If there are a lot of changes to the system, then it could be that a lot of journals are being created.

    I would suggest setting, under:

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service

    DebugLevel to 1 from 2

    Then check the seds.log file under: C:\ProgramData\Sophos\Endpoint Defense\Logs\

    Is it compressing archives constantly? Look for lines that contain:

    "Debug Compressed"

    E.g.

    2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin
    2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
    2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files

    Here the (now previous) current journal file Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin has been compressed to the file Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.xz.

    The following perf trace could be useful:

    typeperf -si 2 "\Process(SEDService)\% Processor Time" "\Sophos.SED Event Journal indexed stats(_Total)\Events in the memory queue" -sc 450 -o C:\sophos_SEDService_Usage.csv

    If it is journal management, the following PS might be interesting to get a feel for the lifetime of the files.

    $journal_data = @()

    # One sub-folder per event journal subject (Process, Network, ...)
    gci "$env:ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED" | % {

        # Count and total size of the compressed (.xz) journal archives for this subject
        $data = gci -Include *.xz -Path $_.FullName -Recurse | Measure-Object -Property Length -Sum | select Count, Sum

        # Configured disk cap for the subject, if the registry value exists
        $max_size = Get-ItemPropertyValue -ea SilentlyContinue "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects\$($_.Name)" -Name MaxDiskUsageMB

        # Measure-Object returns a null Sum when there are no .xz files; [double]$null is 0
        $total_on_disk = [math]::Round([double]$data.Sum / 1MB, 2)

        $journal_data += [PSCustomObject]@{
            Subject          = $_.Name
            SubjectMaxSizeMB = if ($null -ne $max_size) { $max_size } else { "N/A" }
            NumberOfFiles    = $data.Count
            TotalDiskUsedMB  = $total_on_disk
            # A missing or zero cap would divide by zero, so report N/A instead
            PercentageOfMax  = if ($max_size) { [math]::Round(($total_on_disk / $max_size) * 100, 2) } else { "N/A" }
        }
    }

    $journal_data | ogv


    Hope that helps
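    To turn the "Debug Compressed" lines above into a quick verdict on whether journal compression is running every cycle, here is an added log-parsing example (not code from the thread or from Sophos). It assumes only the two message shapes visible in the excerpt: the per-file line ("... Compressed N bytes to M bytes in U usecs percentage: P <path>") and the per-cycle summary line ("... Compressed N files, deleted D files, and ignored I files"). The sample log embeds the three lines quoted above plus two constructed lines with a placeholder file name; run it against a real seds.log by passing the file's lines to summarise().

```python
"""Summarise 'Debug Compressed' lines from a Sophos seds.log (added example, not Sophos code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, Optional

# Message shapes are taken from the log excerpt in the thread; anything else is ignored.
FILE_RE = re.compile(
    r"^(?P<ts>\S+) SEDS EvtJrn Debug Compressed (?P<before>\d+) bytes to "
    r"(?P<after>\d+) bytes in (?P<usecs>\d+) usecs percentage: (?P<pct>\d+) "
    r"(?P<path>.+)$"
)
CYCLE_RE = re.compile(
    r"^(?P<ts>\S+) SEDS EvtJrn Debug Compressed (?P<files>\d+) files, deleted "
    r"(?P<deleted>\d+) files, and ignored (?P<ignored>\d+) files$"
)

# Constructed sample: the three lines quoted in the thread plus two constructed
# lines (placeholder file name Network-CONSTRUCTED.bin) for a second busy cycle.
SAMPLE_LOG = r"""
2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin
2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files
2023-04-25T13:41:01.900Z SEDS EvtJrn Debug Compressed 88000 bytes to 8000 bytes in 45000 usecs percentage: 90 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Network\Network-CONSTRUCTED.bin
2023-04-25T13:41:01.905Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
"""


@dataclass
class CompressionStats:
    cycles: int = 0              # one summary line per 1-minute check
    busy_cycles: int = 0         # cycles that compressed at least one file
    files_compressed: int = 0
    bytes_before: int = 0
    bytes_after: int = 0
    usecs_total: int = 0
    per_subject: Dict[str, int] = field(default_factory=dict)  # journal subject -> files
    first_ts: Optional[datetime] = None
    last_ts: Optional[datetime] = None

    @property
    def busy_ratio(self) -> float:
        """Fraction of observed cycles that actually compressed something."""
        return self.busy_cycles / self.cycles if self.cycles else 0.0

    @property
    def mean_compress_ms(self) -> float:
        """Average wall time per compressed file, in milliseconds."""
        return self.usecs_total / self.files_compressed / 1000 if self.files_compressed else 0.0


def parse_ts(ts: str) -> datetime:
    # Timestamps are ISO-8601 with a trailing Z, e.g. 2023-04-25T13:39:01.967Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def subject_of(path: str) -> str:
    # Journal path ends in ...\Event Journals\SophosED\<Subject>\<file>.bin
    parts = path.replace("/", "\\").split("\\")
    return parts[-2] if len(parts) >= 2 else "unknown"


def summarise(lines: Iterable[str]) -> CompressionStats:
    """Fold per-file and per-cycle 'Debug Compressed' lines into one summary."""
    stats = CompressionStats()
    for raw in lines:
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            stats.files_compressed += 1
            stats.bytes_before += int(m["before"])
            stats.bytes_after += int(m["after"])
            stats.usecs_total += int(m["usecs"])
            subj = subject_of(m["path"])
            stats.per_subject[subj] = stats.per_subject.get(subj, 0) + 1
            continue
        m = CYCLE_RE.match(line)
        if m:
            stats.cycles += 1
            if int(m["files"]) > 0:
                stats.busy_cycles += 1
            ts = parse_ts(m["ts"])
            stats.first_ts = ts if stats.first_ts is None else min(stats.first_ts, ts)
            stats.last_ts = ts if stats.last_ts is None else max(stats.last_ts, ts)
    return stats


def is_constant_compression(stats: CompressionStats, threshold: float = 0.5) -> bool:
    """Flag when at least half of the observed 1-minute cycles compressed a journal."""
    return stats.cycles >= 2 and stats.busy_ratio >= threshold


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(f"cycles={s.cycles} busy={s.busy_cycles} ({s.busy_ratio:.0%}) files={s.files_compressed}")
    print(f"bytes {s.bytes_before} -> {s.bytes_after}, mean {s.mean_compress_ms:.2f} ms/file")
    print(f"per subject: {s.per_subject}; constant compression: {is_constant_compression(s)}")
```

    The busy-cycle ratio is the number to watch: a service that compresses a journal in nearly every one-minute cycle is keeping up with a steady stream of new events, which is the "lots of changes to the system" case described above, whereas a low ratio with the same CPU symptom points away from journal management and back to the typeperf counters.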
