Endpoint performance recommendations?

Hi,

we are a new partner coming from an ESET ecosystem, looking to replace it with Sophos for our customers, since we are using XGS and it makes sense to integrate Endpoint as well.

While testing Intercept X in our environment first, my developers are not happy.

Even start of MS SQL SSMS, Visual Studio 2022 and older VS is very slow with all endpoint services active.

Performance is OK when realtime scan and deep learning is disabled (talking about twice the time of load with Sophos)

So my question is, what can I do with this?

I would imagine that running app gets some hash or in first scan and then it is not impacted that much during further scans (at least ESET had it like this and performance was OK).

And yes, I can just exclude SSMS and VS from the scans, but where is the security in that...

Thank You for all suggestions etc.



Edit tags
[edited by: GlennSen at 7:35 AM (GMT -8) on 4 Nov 2024]
Parents
  • Is it slow due to scanning or a large number of events being sent to SSPService.exe for behavioral?

    Do you find the processes running excessively are:

    - SophosFileScanner.exe (worker)

    or

    - SSPService.exe

    or both?

    If SophosFileScanner.exe is busy, turn on, in Endpoint Self Help - SophosFileScanner.exe - Scan Summaries - Debug.  This will create on or more CSV file of items scanned and time taken under C:\ProgramData\Sophos\Sophos File Scanner\Logs\.  This will tell you what is scanned and how long it takes.  A pivot table could be useful.

    If SSPService.exe is busy, turn on Info level logging in ESH for SSPService.exe and check the SSP.log under C:\ProgramData\Sophos\Endpoint Defense\logs\ for the events being sent to the service to process.  This might give a clue as to what events are being processed.

    Thanks.

Reply
  • Is it slow due to scanning or a large number of events being sent to SSPService.exe for behavioral?

    Do you find the processes running excessively are:

    - SophosFileScanner.exe (worker)

    or

    - SSPService.exe

    or both?

    If SophosFileScanner.exe is busy, turn on, in Endpoint Self Help - SophosFileScanner.exe - Scan Summaries - Debug.  This will create on or more CSV file of items scanned and time taken under C:\ProgramData\Sophos\Sophos File Scanner\Logs\.  This will tell you what is scanned and how long it takes.  A pivot table could be useful.

    If SSPService.exe is busy, turn on Info level logging in ESH for SSPService.exe and check the SSP.log under C:\ProgramData\Sophos\Endpoint Defense\logs\ for the events being sent to the service to process.  This might give a clue as to what events are being processed.

    Thanks.

Children