RE: Sophos intercept X advanced

HI Vinay A S 

Thank you for reaching out to Sophos Community.

Could you please send the screenshot of the CPU and the memory usage from the task manager when the slowdown occurs? Also, is the issue occurring at a particular time or at random?

Will share the CPU and the memory usage from the task manager shortly.

Hello Vinay A S 

We appreciate your reaching out to the Sophos Community Forum.

I appreciate the information, but I want some more information here. Does the device have an SSD or HDD? Sophos highly recommends SSD as the boot drive. 

If you have an HDD, refer to this article: https://support.sophos.com/support/s/article/KB-000045001?language=en_US.

Please refer to this article for the system requirements of the product you installed on the device: https://support.sophos.com/support/s/article/KB-000045001?language=en_US.

Please note that the devices don't have any other 3rd party antivirus installed.

To investigate this further, I await a screenshot of the CPU utilization.

Regards, 

Rutvik Chavda                    

Please find the attached screenshot  for your reference and please do let me know how we can resolve this issue.

That view isn't the best one in TaskManager without expanding at least one of the "Sophos Endpoint Defense Software" items it's hard to say for sure which is which process:

"Sophos System Protection" - SSPService.exe
and
"Sophos Endpoint Defense" - SEDService.exe 
have the same description, so unless they are expanded it's hard to say for sure.

In later versions they are now "Service" and "Software" to differentiate as shown below but they used to both be "Software", which is what you have.  This is the newer view:

I assume the one with higher memory is SSPService.exe though which makes sense if SophosFileScanner.exe is also using CPU.

For me this looks like Scanning is the first thing to focus on.

Create a CSV of what is being scanned as mentioned in the previous comment.

Thanks.

Hi Rutvik Chavda ,

Customer is using SSD and also they are not using 3rd party antivirus solution.

Did you manage to obtain a CSV of what is being scanned having enabled "Debug" level for "Scan Summaries" for the process: SophosFileScanner.exe, under the logging section in Endpoint Self Help (ESH)?

You could equally enable the CSV creation by running the following commands as ESH essentially just sets and unsets reg values, e.g.:

New-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries" -Name "LogLevel" -Value 0 -Force

Disable it after a few minutes during the issue with:

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries" -Name "LogLevel" -Force

You can then consider the newly created CSV files under: C:\ProgramData\Sophos\Sophos File Scanner\Logs\

Did you manage to obtain a CSV of what is being scanned having enabled "Debug" level for "Scan Summaries" for the process: SophosFileScanner.exe, under the logging section in Endpoint Self Help (ESH)?

You could equally enable the CSV creation by running the following commands as ESH essentially just sets and unsets reg values, e.g.:

New-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries" -Name "LogLevel" -Value 0 -Force

Disable it after a few minutes during the issue with:

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Sophos\Logging\SFS\Scan Summaries" -Name "LogLevel" -Force

You can then consider the newly created CSV files under: C:\ProgramData\Sophos\Sophos File Scanner\Logs\

Hi Team,

When real-time scanning is disabled in Sophos Intercept X Advanced, it will automatically re-enable after 4 hours?

If the policy defined in Central is enabled, the user locally overrides the policy (should require tamper protection password to do so) and disables a feature such as real-time scanning, this will revert back to on in 4 hours. The user would have to keep overriding locally.

Also, when overridden, changes the policies in Central do not take effect.