RE: Sophos intercept X advanced

Hi Abhimanyu,

Recently, we deployed Sophos Intercept X Advanced for one of our customers. Now they are facing system slowdowns. Could you please help me resolve this issue?

[edited by: GlennSen at 8:46 AM (GMT -7) on 6 Aug 2024]
  • As a general rule, albeit massively oversimplified. 

    SophosFileScanner.exe - High CPU - Then it's scanning. 
    Enable Debug for SophosFileScanner.exe - "Scan Summaries" logging in ESH to create CSV files of what is scanned under: \programdata\sophos\sophos file scanner\logs\.
    Maybe review these after a problem. Are certain files/directories being scanned repeatedly?

    SEDService.exe - Then it's most likely to be compressing the journal files, i.e. .bin -> .xz.  If this is the case the CPU/Disk activity occurs at maximum every 1 min, but most likely every 5 as this is the normal interval in which journals are flushed to disk by SophosED.sys. To disable Journals as a test, disable in the threat protection policy 2 options: Threat Graphs and under the Advanced settings: Event logging.  Does this help? It should certainly quieten down SEDService.exe.  If this helps, it could suggest the number of journaled events is really high.

    SSPService.exe - This process is responsible for processing the various events and behavioral detection. Events come to it primarily from the SophosED.sys driver, such as registry, process, file operations, etc. It decides what to send SophosFileScanner.exe for scanning for example.  

    Info level logging in ESH for SSPService.exe:

    This will log to ssp.log under: \programdata\sophos\endpoint defense\logs\ 

    To access these files via a non-elevated Explorer window, you will need to disable Tamper Protection.  If you use an elevated command prompt, you can navigate to the path without turning off tamper protection on the endpoint.
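
    The post above suggests reviewing the "Scan Summaries" CSVs for files or directories that are scanned repeatedly. The script below is an added example, not code from the original post or from Sophos, that aggregates those CSVs by file and by containing directory. The CSV layout is not documented on this page, so it assumes a header row and a column holding the scanned path; the column name is auto-detected (first header whose values look like drive- or UNC-rooted Windows paths) or can be supplied with the hypothetical `-PathColumn` parameter. Run it from an elevated PowerShell so the Tamper Protected log folder is readable without disabling Tamper Protection.

    ```powershell
    # Added example (not from the original post or Sophos): roll up Sophos File Scanner
    # "Scan Summaries" CSVs to show which files and directories generate the most scans.
    # Assumptions (not stated on the page): each CSV has a header row and one column with the
    # scanned path. -PathColumn is a hypothetical override if the auto-detection guesses wrong.
    # Run from an elevated PowerShell; the folder is protected by Tamper Protection.

    param(
        [string]$LogDir = "$env:ProgramData\Sophos\Sophos File Scanner\Logs",
        [string]$PathColumn,   # hypothetical: name of the CSV column holding the scanned path
        [int]$Top = 20
    )

    $csvFiles = @(Get-ChildItem -Path $LogDir -Filter '*.csv' -File -ErrorAction Stop)
    if ($csvFiles.Count -eq 0) {
        Write-Warning "No CSV files in $LogDir (is 'Scan Summaries' debug logging enabled in ESH?)"
        return
    }

    # Import every CSV into one flat list of rows.
    $rows = @(foreach ($f in $csvFiles) { Import-Csv -Path $f.FullName })
    if ($rows.Count -eq 0) { Write-Warning "CSV files are empty"; return }

    if (-not $PathColumn) {
        # Auto-detect: the first header whose sampled values are mostly Windows paths.
        $headers = $rows[0].PSObject.Properties.Name
        $PathColumn = $headers | Where-Object {
            $col    = $_
            $sample = @($rows | Select-Object -First 200 | ForEach-Object { $_.$col })
            $hits   = @($sample | Where-Object { $_ -match '^(?:[A-Za-z]:\\|\\\\)' }).Count
            $hits -gt ($sample.Count / 2)
        } | Select-Object -First 1
        if (-not $PathColumn) {
            throw "No path-like column found among: $($headers -join ', '). Pass -PathColumn."
        }
    }

    # Count scan events per full path, then per containing directory.
    $byFile = $rows | Group-Object -Property $PathColumn | Sort-Object Count -Descending
    $byDir  = $rows |
        Group-Object -Property { Split-Path -Path $_.$PathColumn -Parent -ErrorAction SilentlyContinue } |
        Sort-Object Count -Descending

    "== Files scanned most often (top $Top, across $($csvFiles.Count) CSV files) =="
    $byFile | Select-Object -First $Top Count, @{ n = 'Path'; e = { $_.Name } } | Format-Table -AutoSize

    "== Directories with the most scan events (top $Top) =="
    $byDir | Select-Object -First $Top Count, @{ n = 'Directory'; e = { $_.Name } } | Format-Table -AutoSize
    ```

    A path or directory that dominates both tables points at a chatty application (build output, log writers, database files) whose writes keep triggering on-access scans; that is the candidate to investigate before considering an exclusion in the threat protection policy.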

  • Hi Team,

    Can we uninstall Sophos Intercept X Advanced without using the tamper protection password? I'm using the free trial version, but the trial has expired.

  • Hi,

    If you cannot find the tamper protection password in Sophos Central, you can use the tamper protection password recovery option. For detailed instructions on uninstalling Intercept X using this method, please refer to the article Sophos Central Endpoint and Server: Recover a tamper protected system

    Abhimanyu Rawat
    Sophos Digital Support