Hi Abhimanyu,
Recently, we deployed Sophos Intercept X Advanced for one of our customers. Now, they are facing system slowdowns. Could you please help me resolve this issue?
Hi Vinay A S,
Thank you for reaching out to Sophos Community.
Could you please send the screenshot of the CPU and the memory usage from the task manager when the slowdown occurs? Also, is the issue occurring at a particular time or at random?
Hello Vinay A S,
We appreciate your reaching out to the Sophos Community Forum.
I appreciate the information, but I want some more information here. Does the device have an SSD or HDD? Sophos highly recommends SSD as the boot drive.
If you have an HDD, refer to this article: https://support.sophos.com/support/s/article/KB-000045001?language=en_US.
Please refer to this article for the system requirements of the product you installed on the device: https://support.sophos.com/support/s/article/KB-000045001?language=en_US.
Please note that the devices don't have any other 3rd party antivirus installed.
To investigate this further, I await a screenshot of the CPU utilization.
Regards,
As a general rule, albeit a massively oversimplified one:
SophosFileScanner.exe - High CPU - Then it's scanning.
Enable Debug for SophosFileScanner.exe - "Scan Summaries" logging in ESH to create CSV files of what is scanned under: \programdata\sophos\sophos file scanner\logs\.
Maybe review these after a problem. Are certain files/directories being scanned repeatedly?
SEDService.exe - Then it's most likely to be compressing the journal files, i.e. .bin -> .xz. If this is the case the CPU/Disk activity occurs at maximum every 1 min, but most likely every 5 as this is the normal interval in which journals are flushed to disk by SophosED.sys. To disable Journals as a test, disable in the threat protection policy 2 options: Threat Graphs and under the Advanced settings: Event logging. Does this help? It should certainly quieten down SEDService.exe. If this helps, it could suggest the number of journaled events is really high.
SSPService.exe - This process is responsible for processing the various events and behavioral detection. Events come to it primarily from the SophosED.sys driver, such as registry, process, file operations, etc. It decides what to send SophosFileScanner.exe for scanning for example.
Info level logging in ESH for SSPService.exe:
This will log to ssp.log under: \programdata\sophos\endpoint defense\logs\
To access these files via a non-elevated Explorer window, you will need to disable Tamper Protection. If you use an elevated command prompt, you can navigate to the path without turning off tamper protection on the endpoint.
Please find the attached screenshot for your reference and please do let me know how we can resolve this issue.
That view isn't the best one in Task Manager; without expanding at least one of the "Sophos Endpoint Defense Software" items it's hard to say for sure which is which process:
"Sophos System Protection" - SSPService.exe
and
"Sophos Endpoint Defense" - SEDService.exe
have the same description, so unless they are expanded it's hard to say for sure.
In later versions they are now "Service" and "Software" to differentiate, as shown below, but they used to both be "Software", which is what you have. This is the newer view:
I assume the one with higher memory is SSPService.exe though which makes sense if SophosFileScanner.exe is also using CPU.
For me this looks like Scanning is the first thing to focus on.
Create a CSV of what is being scanned as mentioned in the previous comment.
Thanks.
Hi Rutvik Chavda,
The customer is using an SSD, and they are also not using a 3rd-party antivirus solution.
Did you manage to obtain a CSV of what is being scanned having enabled "Debug" level for "Scan Summaries" for the process: SophosFileScanner.exe, under the logging section in Endpoint Self Help (ESH)?
You could equally enable the CSV creation by running the following commands, as ESH essentially just sets and unsets reg values, e.g.:
New-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries" -Name "LogLevel" -Value 0 -Force
Disable it after a few minutes during the issue with:
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries" -Name "LogLevel" -Force
You can then consider the newly created CSV files under: C:\ProgramData\Sophos\Sophos File Scanner\Logs\
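The procedure above (enable the Scan Summaries CSVs for a few minutes, disable them, then look for paths that are scanned repeatedly) as one script. This is an added example, not code from the thread or from Sophos; it assumes the registry key and CSV folder quoted in the posts, and because the CSV column layout is not described in the thread, it picks the first column whose values look like Windows paths (a hypothetical heuristic). Run it from an elevated PowerShell prompt.

```powershell
# Added example: capture a window of Scan Summaries logging, then rank the
# most frequently scanned files and directories from the newly created CSVs.
# Assumptions: registry key and log folder are those quoted in the thread;
# the column holding the scanned path is detected heuristically (hypothetical).
param(
    [int]$Minutes = 5,
    [string]$LogDir = 'C:\ProgramData\Sophos\Sophos File Scanner\Logs',
    [string]$RegKey = 'HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries'
)

# Remember which CSVs already exist so only files created during the window are analysed.
$before = @(Get-ChildItem -Path $LogDir -Filter '*.csv' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })

# Same enable/disable commands as in the thread; the finally block ensures logging is
# switched off again even if the wait is interrupted.
New-ItemProperty -Path $RegKey -Name 'LogLevel' -Value 0 -Force | Out-Null
try {
    Start-Sleep -Seconds ($Minutes * 60)
} finally {
    Remove-ItemProperty -Path $RegKey -Name 'LogLevel' -Force
}

$new = Get-ChildItem -Path $LogDir -Filter '*.csv' | Where-Object { $before -notcontains $_.FullName }
if (-not $new) { Write-Warning "No new CSV files found under $LogDir"; return }

$rows = @($new | ForEach-Object { Import-Csv -Path $_.FullName })
if (-not $rows) { Write-Warning 'CSV files contained no rows'; return }

# Heuristic: the first column whose values start with a drive letter or a UNC prefix.
$pathColumn = $rows[0].PSObject.Properties.Name | Where-Object {
    $name = $_
    @($rows | Where-Object { $_.$name -match '^([A-Za-z]:\\|\\\\)' }).Count -gt 0
} | Select-Object -First 1
if (-not $pathColumn) { Write-Warning 'Could not identify a path column in the CSV'; return }

$withPath = $rows | Where-Object { $_.$pathColumn }

# Top 20 individual files scanned most often.
$withPath | Group-Object -Property $pathColumn | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# Top 20 directories, which usually points straight at a chatty application or log folder.
$withPath | ForEach-Object { Split-Path -Path $_.$pathColumn -Parent } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

A path that dominates both tables is the candidate to investigate before deciding on any exclusion, since repeated scans of one busy directory are the usual cause of the SophosFileScanner.exe CPU pattern described earlier in the thread.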