Running Sophos agent on Windows Server.
Every few days after reboot it is using high CPU, over 25-30%.
Hi ankit,
Thanks for reaching out to the Sophos Community Forum.
Do you know if any scheduled scans may be taking place in the background causing the increase in CPU usage?
When you open task manager and expand out the processes showing high CPU usage, what are the underlying executables shown?
Does the Sophos System Protection service also show high CPU usage?
If you proceed with the component isolation steps in the following article, does disabling any features result in lower CPU usage?
- https://support.sophos.com/support/s/article/KB-000036572?language=en_US
SED Service checks every 1 min whether it needs to compress journal files. If there are a lot of changes to the system, then it could be that a lot of journals are being created.
I would suggest setting under:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service
DebugLevel to 1 from 2
Then check the seds.log file under: C:\ProgramData\Sophos\Endpoint Defense\Logs\
Is it compressing archives constantly? Look for lines that contain:
"Debug Compressed"
E.g.
2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin
2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files
Here the now previous current journal file Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.bin has been compressed to the file: Process-000000000104d954-000000000106c12a-133268993295475112-133269031865559815.xz.
The following perf trace could be useful:
typeperf -si 2 "\Process(SEDService)\% Processor Time" "\Sophos.SED Event Journal indexed stats(_Total)\Events in the memory queue" -sc 450 -o C:\sophos_SEDService_Usage.csv
might be useful.
If it is journal management, the following PS might be interesting to get a feel for the lifetime of the files.
$journal_data = @()
# One row per journal subject folder under SophosED
gci "$env:ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED" | % {
    # Count and total size of the compressed (.xz) journals for this subject
    $data = gci -include *.xz $_.FullName -Recurse | Measure-Object -Property Length -sum | select count, sum
    # Configured disk cap for this subject, if one is set
    $max_size = Get-ItemPropertyValue -ea SilentlyContinue "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Subjects\$($_.Name)" -name MaxDiskUsageMB
    $total_on_disk = $([math]::round($data.sum / 1MB, 2))
    $journal_data += [PSCustomObject]@{
        Subject          = $_.Name
        SubjectMaxSizeMB = if($max_size -ge 0){$max_size}else{"N/A"}
        NumberOfFiles    = $data.count
        TotalDiskUsedMB  = $total_on_disk
        PercentageOfMax  = If($max_size){$([math]::round(($total_on_disk / $max_size ) * 100,2))}else{"N/A"}
    }
}
# Show the result in a sortable grid window
$journal_data | ogv
Hope that helps
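One way to answer the "is it compressing archives constantly?" question from the reply above, as an added example that is not part of the original posts or Sophos tooling. It assumes the log lines have exactly the two formats quoted in the reply; the file names and the "ExampleSubject" journal in the fallback sample are constructed.

```powershell
# Added example: summarize the "Debug Compressed" lines of seds.log.
$logPath = "$env:ProgramData\Sophos\Endpoint Defense\Logs\seds.log"

# Constructed fallback input, used only when the log is absent.
$sample = @'
2023-04-25T13:39:01.967Z SEDS EvtJrn Debug Compressed 220752 bytes to 15848 bytes in 90380 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Process\Process-constructed-1.bin
2023-04-25T13:39:01.969Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
2023-04-25T13:40:01.881Z SEDS EvtJrn Debug Compressed 0 files, deleted 0 files, and ignored 25 files
2023-04-25T13:41:01.950Z SEDS EvtJrn Debug Compressed 524288 bytes to 40960 bytes in 210000 usecs percentage: 92 \Device\HarddiskVolume3\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\ExampleSubject\ExampleSubject-constructed-1.bin
2023-04-25T13:41:01.952Z SEDS EvtJrn Debug Compressed 1 files, deleted 0 files, and ignored 25 files
'@ -split '\r?\n'

$lines = if (Test-Path -LiteralPath $logPath) { Get-Content -LiteralPath $logPath } else { $sample }

# Per-file line: bytes in, time spent, and the journal subject (folder under SophosED).
$fileRx  = ' SEDS EvtJrn Debug Compressed (?<src>\d+) bytes to \d+ bytes in (?<us>\d+) usecs .*\\SophosED\\(?<subject>[^\\]+)\\'
# Per-check summary line, written once for each one-minute check.
$cycleRx = ' SEDS EvtJrn Debug Compressed (?<n>\d+) files, deleted \d+ files, and ignored \d+ files'

$files  = [System.Collections.Generic.List[object]]::new()
$cycles = [System.Collections.Generic.List[int]]::new()
foreach ($line in $lines) {
    if ($line -match $fileRx) {
        $files.Add([PSCustomObject]@{
            Subject = $Matches['subject']
            SrcBytes = [long]$Matches['src']
            Usecs = [long]$Matches['us']
        })
    } elseif ($line -match $cycleRx) {
        $cycles.Add([int]$Matches['n'])
    }
}

# Share of checks that actually compressed something: near 100% means constant journal churn.
$busy = @($cycles | Where-Object { $_ -gt 0 }).Count
[PSCustomObject]@{
    Checks               = $cycles.Count
    ChecksThatCompressed = $busy
    BusyPercent          = if ($cycles.Count) { [math]::Round(100 * $busy / $cycles.Count, 1) } else { 'N/A' }
} | Format-List

# Which journal subject accounts for the compression work.
$files | Group-Object Subject | ForEach-Object {
    [PSCustomObject]@{
        Subject     = $_.Name
        Files       = $_.Count
        InputMB     = [math]::Round(($_.Group | Measure-Object SrcBytes -Sum).Sum / 1MB, 2)
        CompressSec = [math]::Round(($_.Group | Measure-Object Usecs -Sum).Sum / 1e6, 2)
    }
} | Sort-Object CompressSec -Descending | Format-Table -AutoSize
```

A subject that dominates CompressSec is the one to compare against the journal lifetime figures from the script in the reply.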