
Slow performance on Sophos Endpoint protected systems


We're having general problems with the endpoints that are protected by Sophos Endpoint.

We have all computers connected to Sophos Central and in general we did not have any security issues, but we see that some activities became very slow (mainly saving on network drives).

We tested disabling the EP on one computer and that was much faster. As I cannot expect that this is the solution, I'd like to ask for some help on changing the standard Sophos Central criteria for some more lightweight setup that will anyway guarantee a safe environment.

Let me know,


  • Can you confirm if you uncheck "Remote files" under "Enable real-time scanning" in the threat protection policy linked to a computer with the issue, the problem goes away?

  • I confirm that I do have real-time scanning disabled in the policy, but things seem not to change. When we save, it behaves slowly anyway.

    We even added the known drive shares on the servers we have in the exceptions that should not have any policy of protection applied. It is dangerous but we'd like to solve the problem and after that decide what to do.

    We think that it may be some centralized service that may be particularly intensive or slow to answer causing this problem.

    We do have older machines with Win7 that we still use as temporary workstations in safe areas that do not have this issue.

  • You're not experiencing this issue, are you?

    CTO, Convergent Information Security Solutions, LLC

    Sophos Platinum Partner


    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • If real-time scanning is off, then I would try disabling 2 other possibilities:

    1. Disable Threat Graph Creation:

    2. Disable anti-ransomware/exploit mitigation and Event logging:

    Disabling the anti-ransomware/exploit mitigation will require a restart. The endpoint will get a pop-up notification and it will be in the list of events in the UI.

    The other 2 options will disable journaling of data which can be intensive. Can I assume you have an SSD drive in these computers?

    If the problem still persists, with realtime scanning and the above 3 options and a reboot, that is quite interesting.  I would suggest if you haven't already, creating a new test threat protection policy and link it to just one or two test clients.