Hi,
since Friday we have high CPU with the Sophos Endpoint Defense Software process.
Windows Server 2016
Sophos Central Server Core version: 2024.2.2.1
After disabling all the features the CPU is back to normal.
Any ideas?
It is the main event processor. It implements behavioral protection, so it processes all the incoming events to help with this. It doesn't do scanning; it decides what to scan. For example, a process opens a file. The Sophosed.sys driver passes this event to sspservice. One job would be for it to decide if the file needs scanning; if so, it makes a request of sophosfilescanner.
If it's using high CPU, it must be getting a lot of events. Enable Info level logging for sspservice.exe in Endpoint Self Help. After some activity, check the ssp.log under programdata\endpoint defense\logs to see the events it is being sent (registry/file/IP, etc.). The details should be in JSON.
The LuaTelemetry-*.dat files SSPService.exe maintains might also provide a useful summary of events seen for a sspservice.exe session. For example, what are the highest events for some of the previous sessions if you run the following in an admin PS prompt or admin ISE window:
dir $env:programdata"\Sophos\Endpoint Defense\Data\LuaTelemetry\" -Filter LuaTelemetry-*.dat | % {
    write-host "Processing:" $_.fullname
    # -Raw hands the whole file to ConvertFrom-Json as one string, so multi-line JSON parses too
    $data = $(gc $_.fullname -Raw) | ConvertFrom-Json
    # one row per event type: how often SSPService saw it and how long it spent on it
    $event_object = @()
    foreach ($index in $data.events.perEvent) {
        $event_object += [PSCustomObject]@{
            Event = $index.event
            Count = $index.count
            TotalTimeMicroSeconds = $index.totalTime
            TotalTimeSec = $index.totalTime / 1000000
        }
    }
    $event_object | Sort-Object -Property Count -Descending | Select-Object -First 20 | Format-Table -AutoSize
    # session length from the FILETIME begin/end stamps in the summary
    Write-host $data.summary.eventCount "events in" $([datetime]::FromFileTime($data.summary.endTime) - [datetime]::FromFileTime($data.summary.beginTime))
}
FileOpen is typically the highest, but maybe there are a lot of IP events?
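An added example, not part of the reply above, that extends the same idea across all saved sessions. It assumes the .dat JSON shape the script above reads (events.perEvent with event/count/totalTime in microseconds, summary with eventCount/beginTime/endTime as FILETIME values); it ranks sessions by event rate against the median so they can be lined up against the CPU spikes, and ranks event types by total processing time rather than raw count. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the script from the post above). Assumes the JSON shape that script reads:
# events.perEvent[] with event/count/totalTime (microseconds) and
# summary.eventCount/beginTime/endTime as Windows FILETIME values.
$TelemetryDir = Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data\LuaTelemetry'
$Top = 10
$totals = @{}   # event type -> running Events / Micros summed over all sessions
$sessions = @(foreach ($file in Get-ChildItem -Path $TelemetryDir -Filter 'LuaTelemetry-*.dat') {
    $data = Get-Content -LiteralPath $file.FullName -Raw | ConvertFrom-Json
    foreach ($e in $data.events.perEvent) {
        if (-not $totals.ContainsKey($e.event)) { $totals[$e.event] = @{ Events = 0L; Micros = 0L } }
        $totals[$e.event].Events += [long]$e.count
        $totals[$e.event].Micros += [long]$e.totalTime
    }
    $begin   = [datetime]::FromFileTime([long]$data.summary.beginTime)
    $end     = [datetime]::FromFileTime([long]$data.summary.endTime)
    $seconds = [math]::Max(($end - $begin).TotalSeconds, 1)   # guard against zero-length sessions
    $busiest = $data.events.perEvent | Sort-Object -Property totalTime -Descending | Select-Object -First 1
    [PSCustomObject]@{
        File          = $file.Name
        Begin         = $begin
        DurationMin   = [math]::Round($seconds / 60, 1)
        Events        = [long]$data.summary.eventCount
        EventsPerSec  = [math]::Round([long]$data.summary.eventCount / $seconds, 1)
        BusiestEvent  = $busiest.event
        BusiestCpuSec = [math]::Round([long]$busiest.totalTime / 1e6, 1)
    }
})
if (-not $sessions) { Write-Warning "No LuaTelemetry-*.dat files under $TelemetryDir"; return }

# Sessions whose event rate sits far above the median are the ones to line up against the
# times the CPU spike was seen; xMedian is the ratio of the session's rate to the median rate.
$sorted = @($sessions | Sort-Object EventsPerSec)
$median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)].EventsPerSec
Write-Host ("Sessions by event rate (median {0} events/s):" -f $median)
$sessions | Sort-Object EventsPerSec -Descending | Select-Object -First $Top |
    Select-Object *, @{ n = 'xMedian'; e = { [math]::Round($_.EventsPerSec / [math]::Max($median, 0.1), 1) } } |
    Format-Table -AutoSize

# Event types across all sessions, ranked by processing time rather than raw count: a rare but
# slow event type can cost more CPU than a frequent cheap one, which a count-only sort hides.
Write-Host 'Event types by total processing time:'
$totals.GetEnumerator() | ForEach-Object {
    [PSCustomObject]@{
        Event       = $_.Key
        Count       = $_.Value.Events
        CpuSeconds  = [math]::Round($_.Value.Micros / 1e6, 1)
        AvgMicroSec = $(if ($_.Value.Events) { [math]::Round($_.Value.Micros / $_.Value.Events, 1) } else { 0 })
    }
} | Sort-Object CpuSeconds -Descending | Select-Object -First $Top | Format-Table -AutoSize
```

A session whose xMedian is several times higher, with a BusiestEvent that differs from the usual FileOpen, is the one to compare against the Info level ssp.log for the same time window.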
Hi,
me again.
I think this must be a special problem, because since Monday I have some problems on our DCs as well.
lsass.exe high CPU
Disabled AMSI and Adaptive Attack Protection => reboot => CPU normal.
Very strange, no changes, no Windows updates, just Sophos did some updates.
Adaptive Attack Protection shouldn't be causing extra work if it's not invoked.
Some details: https://support.sophos.com/support/s/article/KBA-000008632
It's an extra set of behavioural rules that are enabled as needed.
You can manually enable it for a period of time if you suspect the computer is compromised.
I suspect it was the act of rebooting rather than those features.
I would run:
wpr.exe -start GeneralProfile
Leave that running for 1 minute before running:
wpr.exe -stop C:\trace.etl
and review with Windows Performance Analyzer.
Have you excepted the folders and processes that MS wants?
It's quite a huge list, so it's possible that not all items have been excluded.
Have no performance issues with Exchange and Sophos Endpoint.
OK, I am using the automatic exclusions. So it's better to create the exclusions manually from that list?
Yes. Exchange is not included in the auto-exceptions: https://support.sophos.com/support/s/article/KBA-000003338?language=en_US
A snip of such exceptions.
In the end, Sophos will not "know" much of what Exchange is doing, but the OS is protected and commands run by admin accounts etc. are monitored.
OK, strange, look at this?
Just a snippet.
I have had no problems for years; it started on Friday...
If auto-exclusions are on in policy, it will see from the uninstall keys that certain products, like Exchange or SQL Server, are installed and add some basic exclusions.
It's not clear to me where the work is coming from; only something like an ETL trace will tell you in enough detail, if you can capture the high CPU usage.