Endpoint performance recommendations?

Hi,

we are a new partner coming from an ESET ecosystem, looking to replace it with Sophos for our customers, since we are using XGS and it makes sense to integrate Endpoint as well.

While testing Intercept X in our environment first, my developers are not happy.

Even start of MS SQL SSMS, Visual Studio 2022 and older VS is very slow with all endpoint services active.

Performance is OK when realtime scan and deep learning is disabled (talking about twice the time of load with Sophos)

So my question is, what can I do with this?

I would imagine that running app gets some hash or in first scan and then it is not impacted that much during further scans (at least ESET had it like this and performance was OK).

And yes, I can just exclude SSMS and VS from the scans, but where is the security in that...

Thank You for all suggestions etc.

Top Replies

Sophos User930 1 month ago +1

Is it slow due to scanning or a large number of events being sent to SSPService.exe for behavioral? Do you find the processes running excessively are: - SophosFileScanner.exe (worker) or - SSPService…

0 GlennSen 1 month ago

Thank you for reaching out to the community forum.

By default, an automatic exclusion is added for SQL to avoid, which is a recommended exclusion to make SQL work smoothly; you can check this documentation for Automatic Exclusion of third-party products. You can try adding this one and observe the behavior of the device when running SQL.

For Visual Studio, since it's used for developer use, We're expecting that it would be busy and we're accessing multiple files so an Exclusion by excluding them on On-demand scanning and choosing scheduled scan.

Glenn ArchieSeñas (GlennSen)

Global Community Support Engineer

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 David Kucera 1 month ago in reply to GlennSen

Hello Glenn,

thank You for quick response.

To clarify MS SQL SSMS does not equal MS SQL Server instance.

But thank You for the recommendations.

Just to be sure - is process exclusion effective for all used files?
Since file exclusion list would take me ages to define and that is not how I imagine modern security product to work, while I appreciate the thoroughness of scans.

David
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sophos User930 1 month ago

Is it slow due to scanning or a large number of events being sent to SSPService.exe for behavioral?

Do you find the processes running excessively are:

- SophosFileScanner.exe (worker)

or

- SSPService.exe

or both?

If SophosFileScanner.exe is busy, turn on, in Endpoint Self Help - SophosFileScanner.exe - Scan Summaries - Debug. This will create on or more CSV file of items scanned and time taken under C:\ProgramData\Sophos\Sophos File Scanner\Logs\. This will tell you what is scanned and how long it takes. A pivot table could be useful.

If SSPService.exe is busy, turn on Info level logging in ESH for SSPService.exe and check the SSP.log under C:\ProgramData\Sophos\Endpoint Defense\logs\ for the events being sent to the service to process. This might give a clue as to what events are being processed.

Thanks.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Qoosh 1 month ago in reply to David Kucera

Process exclusions will prevent scanning on the files accessed by the process, as well as any network communication that the process performs.

Behavioural scanning will continue to take place.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 David Kucera 26 days ago in reply to Sophos User930

Thank You for detailed recommendation!

I will try to check this and test more, once I get to it
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel