This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos endpoint using high cpu when updating windows

Hi sophos team.
I have an issue with sophos endpoint.
The computer is so lagged when updating windows. Sophos endpoint defense software and sophos file scanner took over 50% cpu, do we have settings to bypass scanning update from window.

The endpoint is the latest version.

task manager



This thread was automatically locked due to age.
Parents
  • I assume all the work is by tiworker.exe which has the "file description" "Windows Modules Installer Worker" which is what this Processes view of TaskManager shows.

    If this process during a Windows update is creating a lot of reg keys/values and files, SSPService is subjected to a lot of regkeycreate and regvaluewrite operations. Plus all the new files. These operations are all journaled.  The activity from SophosFileScanner.exe would suggest many of the files are being scanned as well.

    If you wanted to test the behaviour with tiworker.exe excluded as a process. I.e. it is referenced in OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config once the policy comes down.

    As to if this is a secure approach is another question but, could be tested.

Reply
  • I assume all the work is by tiworker.exe which has the "file description" "Windows Modules Installer Worker" which is what this Processes view of TaskManager shows.

    If this process during a Windows update is creating a lot of reg keys/values and files, SSPService is subjected to a lot of regkeycreate and regvaluewrite operations. Plus all the new files. These operations are all journaled.  The activity from SophosFileScanner.exe would suggest many of the files are being scanned as well.

    If you wanted to test the behaviour with tiworker.exe excluded as a process. I.e. it is referenced in OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config once the policy comes down.

    As to if this is a secure approach is another question but, could be tested.

Children
No Data