Hi,
Since Friday we have high CPU with the Sophos Endpoint Defense Software process.
Windows Server 2016
Sophos Central Server Core version: 2024.2.2.1
After disabling all the features the CPU is back to normal.
Any ideas?
I've overlooked that Exchange IS on the list in the auto-exceptions. My fault.
So you need to compare them with the list from the MS Exclusion article and then follow Sophos User930's suggestions to monitor the behavior. Be sure to let it monitor only for a short time on the server - it may cause lots of logging and may flood your disk.
OK, but do we also need AMSI exceptions, or do you know if there is a list for AMSI?
I will adjust the policy now with the missing one.
You said the issue appeared suddenly. After a Sophos program update?
Eventually, Sophos has unintendedly rolled back fixes mentioned here?
It looked like it, but we also activated MAPI over HTTPS, because we used RPC for a long time with no issues. But we need to use MAPI for now, and then AMSI kicks in.
Really interesting if anyone has some AMSI exclusions for Exchange.
I have only w3wp.exe, as mentioned earlier, and the CPU is much better.
Will take a look and also use the tool to create some logs tomorrow.
KBA-000007760 suggests disabling AMSI only for Exchange. The rest of the OS is still monitored.
C:\PowerShell> New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing"
I do not know if there is an exception within Sophos Policies.