High CPU Usage - SEDService.exe offline

Question

Hi, I have an annoying problem with the Sophos Endpoint Agent. When I am connected to the internet everything is fine. However, when I unplug the cable and am offline, the load on SEDService.exe goes way up. I have now noticed that under C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns several .bin files are permanently created 100Mb in size and then zipped as .xz files. This takes a lot of performance and is certainly not the way it should be. Does anyone know the problem or have an idea which setting causes this? As soon as the Internet is available again, the utilization of the process goes down and no more files are created in the path. 
 There are various blocking entries in the sed log. Do they have anything to do with this? What could it be?

Mori Bir · Accepted Answer

Okay wow. The whole problem is really exciting, but we have now found the solution. Many thanks to you for your help. Of course you also want to know what the problem was. It was the Windows time service W32Time which, in conjunction with DNS queries and Sophos, led to this load. The timeserver and settings set to the clients via a GPO. Regkey Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient ResolvePeerBackoffMinutes value which unfortunately was set to 0. ResolvePeerBackoffMinutes: This value, specified in minutes, controls how long W32time waits until it tries to resolve a DNS name again after a failed attempt. The default value is 15 minutes. As a result, DNS queries were repeatedly started which then resulted in the problem. Set the value back to the default 15 minutes and everything is fine.

High CPU Usage - SEDService.exe offline

Top Replies