Sophos Endpoint Endpoint Defence Software High RAM Usage

Hi Nancy Ngulube ,

Thank you for reaching out to the Sophos Community Forum.

Can you please confirm which service is consuming higher RAM usage than normal?

I also suggest starting with a component isolation, and let us know if disabling any of the features makes any difference with the RAM usage.

Hi Gladys The service consuming higher RAM is the Sophos System Protection Service.

I will try disabling this component then see how it performance improves.

Are you running 2023.1 or 2022.4 of the Core Agent?

There are improvements in 2023.1 to prevent SSPService.exe being sent so much data from SophosFileScanner.exe, especially scanning archives which could take place after a scheduled scan for example if scan inside archives are enabled. If you say, that after restarting the service the memory is fine, until after a scheduled scan that would fit.

There is also a change in 2023.1 to not load as many interpreters which in 2022.4 is based on the number of cores. With 2023.1 installed, you still need boot.ssp.lua.coroutines.enabled set to 1 under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags\CurrentBootFlags
For this change to be enabled. You would have to have a lot of cores and the CPU usage to be high right from start-up of the service. If you restart the Sophos System Protection service so the SSPService.exe process restarts, if the mem usage is fine, it is unlikely this is the issue.

If it isn't either of the above. The other thing I would suggest is enabling debug logging for a short while for sspservice.exe which can be done by launching Endpoint Self Help, sspservice.exe is really an event processor, so that log (ssp.log) at that level will detail the events. The mem growth could be a queue of events to be processed.

Are you running 2023.1 or 2022.4 of the Core Agent?

There are improvements in 2023.1 to prevent SSPService.exe being sent so much data from SophosFileScanner.exe, especially scanning archives which could take place after a scheduled scan for example if scan inside archives are enabled. If you say, that after restarting the service the memory is fine, until after a scheduled scan that would fit.

There is also a change in 2023.1 to not load as many interpreters which in 2022.4 is based on the number of cores. With 2023.1 installed, you still need boot.ssp.lua.coroutines.enabled set to 1 under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags\CurrentBootFlags
For this change to be enabled. You would have to have a lot of cores and the CPU usage to be high right from start-up of the service. If you restart the Sophos System Protection service so the SSPService.exe process restarts, if the mem usage is fine, it is unlikely this is the issue.

If it isn't either of the above. The other thing I would suggest is enabling debug logging for a short while for sspservice.exe which can be done by launching Endpoint Self Help, sspservice.exe is really an event processor, so that log (ssp.log) at that level will detail the events. The mem growth could be a queue of events to be processed.