RE: Sophos Intercept X Advanced

Hi Abhimanyu,

Recently, we deployed Sophos Intercept X Advanced for one of our customers. Now, they are facing system slowdowns. Could you please help me resolve this issue?

  • As a general rule, albeit massively oversimplified. 

    SophosFileScanner.exe - High CPU - Then it's scanning. 
    Enable Debug for SophosFileScanner.exe - "Scan Summaries" logging in ESH to create CSV files of what is scanned under: \programdata\sophos\sophos file scanner\logs\.
    Maybe review these after a problem.  Are certain files/directories being scanned repeatedly?

    SEDService.exe - Then it's most likely to be compressing the journal files, i.e. .bin -> .xz.  If this is the case the CPU/Disk activity occurs at maximum every 1 min, but most likely every 5 as this is the normal interval in which journals are flushed to disk by SophosED.sys. To disable Journals as a test, disable in the threat protection policy 2 options: Threat Graphs and under the Advanced settings: Event logging.  Does this help? It should certainly quieten down SEDService.exe.  If this helps, it could suggest the number of journaled events is really high.

    SSPService.exe - This process is responsible for processing the various events and behavioral detection. Events come to it primarily from the SophosED.sys driver, such as registry, process, file operations, etc. It decides what to send SophosFileScanner.exe for scanning for example.  

    Info level logging in ESH for SSPService.exe will log to ssp.log under: \programdata\sophos\endpoint defense\logs\

    To access these files via a non-elevated Explorer window, you will need to disable Tamper Protection.  If you use an elevated command prompt, you can navigate to the path without turning off tamper protection on the endpoint.
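The triage above hinges on knowing which of the three processes is busy and whether its load recurs on the 1- or 5-minute journal cadence. The following added PowerShell script (not from the reply or from Sophos) samples the per-process "% Processor Time" counters over one 5-minute window, reports average and peak load per process with the times of the peaks, and then lists files written to the two log folders named above during that window; the sampling interval and count are assumed values, and it is meant to run from an elevated prompt on the affected endpoint.

```powershell
# Added example: attribute a slowdown to SophosFileScanner, SEDService or
# SSPService by sampling CPU counters across one journal flush interval.
param(
    [int]$IntervalSeconds = 10,   # assumed sampling interval
    [int]$Samples = 30            # 30 x 10 s = 5 min, one journal flush cycle
)

# Counter instance names omit the .exe suffix; only sample processes that exist.
$procs = 'SophosFileScanner', 'SEDService', 'SSPService' |
    Where-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue }
if (-not $procs) { Write-Warning 'None of the Sophos processes are running'; return }
$paths = $procs | ForEach-Object { "\Process($_)\% Processor Time" }

# Per-process counters are relative to a single core (100 = one core busy),
# so divide by the logical core count to get a share of the whole machine.
$cores = [Environment]::ProcessorCount
$sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds `
                    -MaxSamples $Samples -ErrorAction SilentlyContinue

$rows = foreach ($set in $sets) {
    foreach ($s in $set.CounterSamples) {
        [pscustomobject]@{
            Time    = $set.Timestamp.ToString('HH:mm:ss')
            Process = $s.InstanceName
            CpuPct  = [math]::Round($s.CookedValue / $cores, 1)
        }
    }
}

# Sustained SophosFileScanner load = scanning; SEDService peaks recurring at
# ~1 or ~5 min intervals = journal compression (.bin -> .xz) as described above.
$rows | Group-Object Process | ForEach-Object {
    $stats = $_.Group | Measure-Object CpuPct -Average -Maximum
    $peaks = if ($stats.Maximum -gt 0) {
        ($_.Group | Where-Object CpuPct -ge ($stats.Maximum * 0.8) |
            Select-Object -ExpandProperty Time) -join ', '
    } else { '' }
    [pscustomobject]@{
        Process    = $_.Name
        AvgCpuPct  = [math]::Round($stats.Average, 1)
        PeakCpuPct = $stats.Maximum
        PeakTimes  = $peaks
    }
} | Format-Table -AutoSize

# Log folders named in the reply; an elevated prompt reaches them without
# disabling Tamper Protection. Show what was written during the sample window.
$since = (Get-Date).AddSeconds(-$IntervalSeconds * $Samples)
Get-ChildItem "$env:ProgramData\Sophos\Sophos File Scanner\Logs",
              "$env:ProgramData\Sophos\Endpoint Defense\Logs" -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $since |
    Select-Object FullName, LastWriteTime, Length
```

Run it while the slowdown is reproducing; if SEDService peaks line up with the 5-minute marks, the Threat Graphs / Event logging test in the reply is the next step, and if SophosFileScanner dominates, the Scan Summaries CSVs listed at the end are where to look for repeatedly scanned paths.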
