sophos endpoint defense software exchange 2016

yes it´s uninstalled, i think it has to do something with enabling MAPI over HTTP. and maybe AMSI?

what protection is behind sophos endpoint defense(sophos system protection service) ? 

kind regards,

sebastian

If you expand it:

If you say that it's the "sophos endpoint defense software" process then that is the "Sophos System Protection Service" service, which is the sspservice.exe:

Is the SSPService.exe using high CPU?

If you disable AMSI in policy (or using the local UI as a test, having disabled Tamper Protection), does the workload go down?

Is this the cause:

https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371

Thanks

have you execpted the folders and processes that MS wants?

https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2016

it's quite a huge list so it´'s possible, that not all items have been excluded.

Have no performance issues with Exchange and Sophos Endpoint.

ok, i am using the automatic exclusions. so it´s better to create the exclusions manually from that list?

Yes. Exchange is not included in the auto-exceptions https://support.sophos.com/support/s/article/KBA-000003338?language=en_US

a snip of such exceptions.

in the end, Sophos will not "know" much of what Exchange is doing but the OS is protected and commands run by admin accounts etc. are monitored.

OK, strange, look at this?

just a Snippet..

i have no problems over years, started on friday...

If auto-exclusions are on in policy, it will see that the uninstall key for certain products, like Exchange, SQL Server, are installed and add some basic exclusions.

It's not clear to me where the work is coming from, only something like an ETL trace will tell you in significant enough details if you can capture the high CPU usage.

I've overlooked that Exchange IS on the list in the auto-exceptions. my fault.

So you need to compare them with the list from the MS Exclusion article and then follow Sophos User930 s suggestions to monitor the behavior. be sure, to let is monitor only for a short time on the server - may cause lot's of logging and may flood your disk.

ok, but does we need also AMSI exceptions or does you know is there a list for AMSI?

i will adjust the policy now with the missing one

you said, the issue appeared suddenly. After a sophos program update?

eventually, Sophos has unintendedly rolled back fixes mentioned here?

support.sophos.com/.../KBA-000007760

it looked like, but we also activated MAPI over HTTPS, because we used RPC a long time with no issues. but we need to use MAPI for now and then AMSI kicks in..

really interesting if anyone has some AMSI exclusions for Exchange.

i have only w3wp.exe as mentioned earlier and the CPU is much better.

will take a look and also use the tool to create some logs tomorrow.

it looked like, but we also activated MAPI over HTTPS, because we used RPC a long time with no issues. but we need to use MAPI for now and then AMSI kicks in..

really interesting if anyone has some AMSI exclusions for Exchange.

i have only w3wp.exe as mentioned earlier and the CPU is much better.

will take a look and also use the tool to create some logs tomorrow.

KBA-000007760 suggestions disable AMSI only for Exchange. The rest of the OS is still monitored.

C:\PowerShell> New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing"

I do not know if there is an exception within Sophos Policies.