Sophos Endpoint Defence Service High CPU + Unable to update

Hi everyone,

I received a ticket from a user reporting a decrease in the performance of his PC. Checking in task manager I found out that the “Sophos Endpoint Defence Service” is constantly using about 20% of CPU.

Searching for troubleshooting steps I found out that the “Endpoint Agent” client has not updated in the last month and the manual update button doesn’t work (the latest update dates back to 03/12/2024 and today, as I write this post, it is 08/01/2025).

After that I tried to uninstall the client with Sophos Central (everything is working, I have access to the central, the password with this client is working and gave me admin access) but I can’t disable the Tamper Protection because I can’t select the “Override Sophos Central Policy for up to 4 hours to troubleshoot”.

On the central side, except for the “last Sophos Central activity” everything is installed and working fine.

What should I do? Are these two problems related somehow?

Windows 10 Pro: 19045

Core Agent: 2024.2.4.1.0

Sophos Intercept X: 2024.2.4.1.0

Thank you in advance,

Giorgio

  • There are 2 with a similar name in Task Manager Processes view:

    The top is SEDService.exe, the second is SSPService.exe. Might be worth just confirming the process.

    SEDService.exe subscribes to a few trace providers to get data for the event journals as shown below:

    It also wakes up every minute to check if it needs to archive the current .bin file under each subject under:

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\

    For example the Microsoft-Windows-DNS-Client provider and Microsoft-Windows-WinInet provider will contribute data to the DNS "subject" under

    C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED\dns\

    The current file is the .bin, but SEDService.exe will archive the files to keep the total data under 5GB by default. So some of the work is processing the incoming data and the other work is archiving. So by default you do see a blip in CPU every 1 minute and work every 5 mins, as that is when new data is flushed by the sophosed.sys driver to the .bin files.

    If you turn off "Event logging" (advanced section) and "Threat case creation" in the threat protection policy linked to a computer, the journaling will stop, as a quick test to see if that helps. Evidence of the policy will be that the enable DWORD under each of these will be 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

    The above SophosEndpointDefenseServiceTrace session should also stop.

    Regards,
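
A read-only PowerShell check, added here and not code from the reply's author or from Sophos, that gathers the evidence the reply describes in one pass: which of the two similarly named processes is running, the enable DWORD under the two EventJournal feature keys, the per-subject footprint of the event journals against the 5GB default, and whether the SophosEndpointDefenseServiceTrace ETW session is still active. It assumes the registry value is literally named `Enable` (the reply only says "the enable DWORD") and that the paths are exactly those quoted in the reply; run it from an elevated prompt.

```powershell
# Added diagnostic, not Sophos code. Run as Administrator; it only reads state.
$featureKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\CORE',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA'
)
$journalRoot  = 'C:\ProgramData\Sophos\Endpoint Defense\Data\Event Journals\SophosED'
$defaultCapGB = 5   # default journal cap quoted in the reply

# 1. Confirm which of the two similarly named services is present.
#    Note: Get-Process CPU is cumulative processor seconds, not a percentage.
Get-Process -Name SEDService, SSPService -ErrorAction SilentlyContinue |
    Select-Object Name, Id, @{n = 'CpuSeconds'; e = { [math]::Round($_.CPU, 1) } }, Path |
    Format-Table -AutoSize

# 2. Policy evidence: value name 'Enable' is assumed from "the enable DWORD".
foreach ($key in $featureKeys) {
    $item  = Get-ItemProperty -Path $key -Name Enable -ErrorAction SilentlyContinue
    $state = if ($null -eq $item) { 'key or value not found' }
             elseif ($item.Enable -eq 0) { 'DISABLED (0) - journaling off' }
             else { "enabled ($($item.Enable))" }
    Write-Output ('{0,-4} {1}' -f (Split-Path $key -Leaf), $state)
}

# 3. Journal footprint per subject (dns, ...) and how many live .bin files exist.
if (Test-Path $journalRoot) {
    $total = 0
    Get-ChildItem -Path $journalRoot -Directory | ForEach-Object {
        $files = Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }
        $total += $bytes   # ForEach-Object runs in the caller's scope, so this accumulates
        [pscustomobject]@{
            Subject = $_.Name
            Files   = $files.Count
            LiveBin = ($files | Where-Object Extension -eq '.bin').Count
            SizeMB  = [math]::Round($bytes / 1MB, 1)
        }
    } | Sort-Object SizeMB -Descending | Format-Table -AutoSize
    Write-Output ('Total journal data: {0:N2} GB (default cap {1} GB)' -f ($total / 1GB), $defaultCapGB)
} else {
    Write-Output "Journal root not found: $journalRoot"
}

# 4. Is the ETW session the reply mentions still running? logman exits non-zero if not.
logman query SophosEndpointDefenseServiceTrace -ets *> $null
Write-Output ('SophosEndpointDefenseServiceTrace session active: {0}' -f ($LASTEXITCODE -eq 0))
```

If both DWORDs read 0 but the session is still listed and the .bin files keep growing, the policy change has not reached the endpoint, which would be consistent with the stalled "last Sophos Central activity" in the original post.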
