
High CPU Usage - SEDService.exe offline

Hi, I have an annoying problem with the Sophos Endpoint Agent. When I am connected to the internet everything is fine. However, when I unplug the cable and am offline, the load on SEDService.exe goes way up. I have now noticed that under C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\Dns several .bin files are constantly created, 100MB in size, and then zipped as .xz files. This takes a lot of performance and is certainly not the way it should be. Does anyone know the problem or have an idea which setting causes this? As soon as the Internet is available again, the utilization of the process goes down and no more files are created in the path.

There are various blocking entries in the sed log. Do they have anything to do with this?
What could it be?



  • SEDService.exe performs 2 operations here that are related to processing the events.

    1. It creates a trace session and subscribes to the "Microsoft-Windows-DNS-Client" trace provider. So this is the source of most of the DNS events. I say most as it also gets some DNS events from the "Microsoft-Windows-WinINet" trace provider, also shown in the screenshot below, but I assume most come from the DNS-Client provider.

    These are stored in the journal files you found and written to by the SOPHOSED.SYS driver. 

    The .bin file is the current one and has a max size of 100MB before a new .bin file is created (a new one is also created every hour).

    2. Every minute, SEDService.exe checks whether it needs to compress the current .bin file(s) for each subject to .xz files, in this case DNS. There are others, e.g. Registry, Process, etc. Typically there is only one active .bin file unless you have a lot of events for the specific subject.

    SedService.exe typically doesn't perform work every minute as sophosed.sys typically only flushes new journal data from memory to the .bin file every 5 mins.  However, if there are a lot of events, then sophosed.sys will flush more often to avoid using too much memory.

    So typically you see a spike of work by SEDService.exe every 5 mins, which takes place at most 1 minute after sophosed.sys flushes the latest data.

    So you could do the following:

    1. Create your own trace session and add the DNS client provider to it, just log to a file, and after a minute or so of collection see what you have.

    2. Turn on debug logging of SEDService.exe to get it to log the DNS addresses being recorded.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service]
    "DebugFacilities"=dword:00200000
    "DebugLevel"=dword:00000001

    Make a note of the current values to restore.  Tamper needs to be disabled. SEDService.exe picks up the reg changes automatically. 

    You can then tail the logs for the DNS messages, DNS1 and DNS2. One is from the WinInet source, the other is from the DNS-Client provider.

    gc 'C:\ProgramData\Sophos\Endpoint Defense\Logs\seds.log' -wait -tail 1 | Select-String "Debug DNS"

    I hope this helps.  For DNS to be creating so many events, it seems like something isn't functioning correctly.

    HTH.
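The debug-logging step above, scripted end to end as an added example (this is not code from the reply or from Sophos): it saves the current DebugFacilities/DebugLevel values, applies the ones quoted in the reply, collects the "Debug DNS" lines written to seds.log during a fixed window, counts them by their DNS1/DNS2 tag and by message, and restores the original values in all cases. It assumes an elevated shell, that tamper protection is already disabled, and that everything before the text "Debug DNS" on a log line is a timestamp/prefix that can be stripped for grouping.

```powershell
# Added example (not part of the original reply): scripts the debug-logging step above.
# Registry path, value names and log path are the ones quoted in the reply; the line
# format of seds.log (prefix before "Debug DNS") is an assumption.
param([int]$Seconds = 60)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense Service'
$LogPath = 'C:\ProgramData\Sophos\Endpoint Defense\Logs\seds.log'
$Backup  = Join-Path $env:TEMP 'sed-debug-backup.json'

# 1. Record the current values (null if a value does not exist yet) so they can be restored.
$current = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
$saved = @{ DebugFacilities = $current.DebugFacilities; DebugLevel = $current.DebugLevel }
$saved | ConvertTo-Json | Set-Content -Path $Backup
Write-Host "Original values saved to $Backup"

try {
    # 2. Apply the values from the reply; SEDService.exe picks them up without a restart.
    Set-ItemProperty -Path $KeyPath -Name DebugFacilities -Value 0x00200000 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name DebugLevel      -Value 1          -Type DWord

    # 3. Note how long the log is now, wait, then read only the lines added since.
    $before = @(Get-Content -Path $LogPath -ErrorAction SilentlyContinue).Count
    Start-Sleep -Seconds $Seconds
    $dns = @(Get-Content -Path $LogPath | Select-Object -Skip $before | Select-String -Pattern 'Debug DNS')
    Write-Host "$($dns.Count) 'Debug DNS' lines in $Seconds s"

    # 4. Split by source tag (DNS1 / DNS2) as described in the reply.
    $dns | Group-Object { if ($_.Line -match 'DNS[12]') { $Matches[0] } else { 'other' } } |
        Format-Table Count, Name -AutoSize

    # 5. Drop everything before "Debug DNS" (assumed timestamp/prefix) so repeated
    #    messages group together, then show the most frequent ones.
    $dns | ForEach-Object { $_.Line -replace '^.*Debug DNS', '' } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First 15 Count, Name |
        Format-Table -AutoSize
}
finally {
    # 6. Restore: remove values that did not exist before, otherwise put the old value back.
    foreach ($name in 'DebugFacilities', 'DebugLevel') {
        if ($null -eq $saved[$name]) {
            Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $KeyPath -Name $name -Value $saved[$name] -Type DWord
        }
    }
    Write-Host 'Original values restored'
}
```

Run it while the machine is unplugged to compare against the online case; if seds.log rotates during the window the skip count will be off, so keep the window short.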
