Sophos Endpoint Defence Service High CPU + Unable to update

Hi everyone,

I received a ticket from a user reporting a decrease in the performance of his PC. Checking Task Manager, I found that the “Sophos Endpoint Defence Service” is constantly using about 20% of CPU.

While searching for troubleshooting steps, I found that the “Endpoint Agent” client has not updated in the last month and the button to update manually doesn’t work (the latest updates date back to 03/12/2024, and today, as I write this post, is 08/01/2025).

After that I tried to uninstall the client with Sophos Central (everything is working: I have access to Central, the password for this client is working and gave me admin access), but I can’t disable Tamper Protection because I can’t select “Override Sophos Central Policy for up to 4 hours to troubleshoot”.

On the central side, except for the “last Sophos Central activity” everything is installed and working fine.

What should I do? Are these two problems related somehow?

Windows 10 Pro: 19045

Core Agent: 2024.2.4.1.0

Sophos Intercept X: 2024.2.4.1.0

Thank you in advance,

Giorgio

  • Thank you for reaching out to the community forum.

    When you uninstall the endpoint, did you use the normal method, or did you use Sophos Zap to remove the software?
    Also, what is the current status of the endpoint? When you check its UI, are you seeing any alerts? Have you tried manually entering the TP password in the UI?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • If the device is reporting in to Sophos Central correctly and displays a recent "Last active" timestamp, I'd suggest trying to disable Tamper Protection from Sophos Central. 

    This can be done by navigating into the device entry from Sophos Central.

    You can also use "SEDcli.exe" to interact with Tamper Protection on the device. Additional information can be found in the following article. 
    - Use SEDcli.exe to locally manage Tamper Protection settings

    Kushal Lakhan
    Team Lead, Global Community Support
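As an added example (not part of the reply above or Sophos's own documentation), here is the local override route from an elevated PowerShell prompt. It assumes the default install path below and the `-status`, `-OverrideTPoff` and `-OverrideTPon` switches as described in the Sophos article the reply links to; if the binary rejects a switch, check that article rather than this script.

```powershell
# Added example: local Tamper Protection override via SEDcli.exe when the
# Central-side toggle is greyed out. Run elevated.
# Assumptions: install path and the -status / -OverrideTPoff / -OverrideTPon
# switches (from the Sophos SEDcli.exe article linked in the reply).
$sedcli = 'C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe'
if (-not (Test-Path $sedcli)) { throw "SEDcli.exe not found at $sedcli" }

Write-Host '--- Tamper Protection status before override ---'
& $sedcli -status

# The TP password effectively grants local control of the agent, so prompt
# for it instead of hard-coding it in a script or a ticket.
$secure = Read-Host -Prompt 'Tamper Protection password for this device' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & $sedcli -OverrideTPoff $plain
    $rc = $LASTEXITCODE
} finally {
    # Zero the unmanaged copy of the password as soon as it has been used
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}
Write-Host "SEDcli.exe -OverrideTPoff exit code: $rc"

Write-Host '--- Tamper Protection status after override ---'
& $sedcli -status

# After the uninstall/repair is finished, close the window again:
#   & $sedcli -OverrideTPon
```

A non-zero exit code from `-OverrideTPoff` (or `-status` still reporting Tamper Protection enabled) usually means a wrong password or a device that is not accepting local commands; in that case the Central-side "Last active" timestamp on the device is the first thing to re-check.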
  • There are 2 with a similar name in Task Manager Processes view:

    The top one is SEDService.exe, the second is SSPService.exe. It might be worth just confirming which process it is.

    SEDService.exe subscribes to a few trace providers to get data for the event journals.
    It also wakes up every minute to check if it needs to archive the current .bin file under each subject under:

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\

    For example the Microsoft-Windows-DNS-Client provider and Microsoft-Windows-WinInet provider will contribute data to the DNS "subject" under

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\dns\

    The current file is the .bin, but SEDService.exe will archive the files to keep the total data under 5GB by default. So some of the work is processing the incoming data and the rest is archiving. So by default you do see a blip in CPU every minute and work every 5 minutes, as that is when new data is flushed by the sophosed.sys driver to the .bin files.

    If you turn off "Event logging" (advanced section) and "Threat case creation" in the threat protection policy linked to the computer, the journaling will stop; that is a quick test to see if it helps. Evidence of the policy will be that the Enable DWORD under each of these is 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

    The above SophosEndpointDefenseServiceTrace session should also stop.

    Regards,
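To collect the evidence that reply describes in one pass, here is an added PowerShell example (written for this page, not code from Sophos or the reply's author). It assumes the registry value under the two EventJournal keys is literally named `Enable` (the reply only says "the enable DWORD"), and that the journal path and process names are as given above. Run it from an elevated prompt; reads that Tamper Protection blocks are skipped rather than fatal.

```powershell
# Added example: one-shot diagnosis of SEDService.exe CPU use and journaling state.
# Assumptions: value name 'Enable' under the two Features keys; journal root and
# process names exactly as given in the reply above. Run elevated.
$journalRoot = 'C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED'
$featureKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA'
)

# 1. Which of the two similarly named processes is actually busy?
#    Task Manager's "Sophos Endpoint Defence Service" is SEDService.exe;
#    SSPService.exe is a different Sophos service with a similar display name.
$cores = [Environment]::ProcessorCount
foreach ($name in 'SEDService', 'SSPService') {
    $proc = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $proc) { Write-Host ('{0,-12} not running' -f $name); continue }
    # The counter is "% of one core"; divide by core count to match Task Manager
    $samples = Get-Counter -Counter "\Process($name)\% Processor Time" `
        -SampleInterval 2 -MaxSamples 5 -ErrorAction SilentlyContinue
    $avg = if ($samples) {
        ($samples.CounterSamples | Measure-Object -Property CookedValue -Average).Average / $cores
    } else { [double]::NaN }
    Write-Host ('{0,-12} PID {1,-6} avg CPU over 10s: {2,5:N1}%  threads: {3}' -f
        $name, $proc[0].Id, $avg, $proc[0].Threads.Count)
}

# 2. Journal size per subject. The .bin is the live file; everything else is
#    archive output from the 1-minute housekeeping pass (5 GB cap by default).
Write-Host "`nEvent journal usage under $journalRoot"
if (Test-Path -LiteralPath $journalRoot) {
    Get-ChildItem -LiteralPath $journalRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $files = @(Get-ChildItem -LiteralPath $_.FullName -File -Recurse -ErrorAction SilentlyContinue)
            $bytes = [int64](($files | Measure-Object -Property Length -Sum).Sum)
            [pscustomobject]@{
                Subject = $_.Name
                Files   = $files.Count
                LiveBin = @($files | Where-Object Extension -eq '.bin').Count
                SizeMB  = [math]::Round($bytes / 1MB, 1)
                Newest  = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            }
        } | Sort-Object SizeMB -Descending | Format-Table -AutoSize
} else {
    Write-Host '  journal root not found or not readable (Tamper Protection may block access)'
}

# 3. Is journaling enabled by policy? After disabling "Event logging" and
#    "Threat case creation" in the threat protection policy, both should read 0.
Write-Host 'EventJournal feature flags'
foreach ($key in $featureKeys) {
    $val = (Get-ItemProperty -LiteralPath $key -Name Enable -ErrorAction SilentlyContinue).Enable
    $shown = if ($null -eq $val) { '<not readable>' } else { $val }
    Write-Host ('  {0,-5} Enable = {1}' -f (Split-Path -Path $key -Leaf), $shown)
}

# 4. The ETW session the reply names should disappear once journaling stops.
$session = logman query -ets 2>$null | Select-String -SimpleMatch 'SophosEndpointDefenseServiceTrace'
Write-Host ("`nSophosEndpointDefenseServiceTrace session: " + $(if ($session) { 'running' } else { 'not present' }))
```

Run it once before changing the policy and again after the endpoint has picked the new policy up: if the `Enable` values drop to 0, the trace session vanishes and the `.bin` files stop growing, but SEDService.exe is still at 20%, the CPU cost is not the journaling and the stalled updater becomes the more likely cause.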