Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 14 subscribers
  • Views 21980 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Issues with Sophos on Windows RDS boxes - CPU 100% !

Randy Wright

We are running into issues throughout our company with Windows 2008 & 2012 with Sophos installed.

The CPU utilization spikes to 100% at different times, seemingly with no pattern.  

We have configured the updating policy to only update the program at 4:00AM every Sunday and have add all the remote desktop servers to that policy.

No other policies have been modified.

It seems to happen with our RDS boxes that have 10-15 users logged in.  We have another lightly used RDS box that we have not observed the problem on.

The only solution is to cancel the Sophos services that are running and disabling them.  If we don't disable them, after a very short time the CPU utilization spikes to 100%

They are VMware virtual machines and are running on separate ESXi hosts around the company.  No other server virtual machines are affected by this, only RDS boxes.

I have a ticket opened with Sophos support, but there has been no conclusion yet.

Hoping someone else has run into this.  Very frustrating to have production affecting issues from a system that is meant to protect us.



This thread was automatically locked due to age.
  • 0

    Hello Randy Wright,

    seemingly with no pattern
    high CPU usage by SavService.exe is normally in response to a high rate of file open/close/rename activity, likely there is a pattern. Monitoring might help to identify the problem but will worsen performance further - but it might be necessary if really no pattern can be found. Apart from the access rate certain files can cause high load - Java archives are infamous.
    Maybe this should have been my first question - does this spikes to 100% cause problems, and where? This might seem a preposterous question but coming from a mainframe background 100% were not necessarily an indicator of a problem (whether on the host or the guests).

    Christian

     

  • 0 in reply to QC

    Thanks for the reply.  It brings all the other user sessions to a complete halt on the RDS box with the Sophos service using 99-100% CPU.  The console session is very slow to respond as well.  Regarding file opens and closes we are using a SQL based ERP system that uses a local set of EXE's.  Typically, the users have the EXE and accompanying DLL files and really that's it on the affected RDS boxes.

    Stranger still is our other file/printer sharing servers have by far more file activity, and we have not experienced the high CPU utilization on them with Sophos installed.

    It seems that the RDS boxes with 10-15 users logged in will trigger the high utilization in Sophos for some reason.  We have seen the RDS boxes around the company show the same symptoms withing 15-20 minutes of each other, creating a lot of down-time until we shut down/disable the Sophos services.

    That made me wonder if it was an auto-scan or update occurring.

    As a test, I have set an exclusion policy to disregard the ERP EXE folder, just in case there is a common tie there.

    Will see!

  • 0 in reply to Randy Wright

    Hello Randy Wright,

    withing 15-20 minutes of each other
    either users do the same things at the same time or it percolates through the (ESXi) infrastructure ...

    auto-scan or update occurring
    Sophos doesn't perform auto-scans (well, it dispatches partial low-priority scans in response to certain detections but this shouldn't cause any performance problems).     Protection updates invalidate AFAIK the cache of files scanned - this might cause excess activity under certain circumstances. Check the timestamps of the Anti-Virus Install logs in %windir%\Temp whether they correlate with the spikes.

    an exclusion policy to disregard the ERP EXE folder
    maybe it's possible to use Process Exclusions - these exclude files that are accessed by a certain process 

    Christian

  • 0 in reply to QC

    Just discovered something very interesting.  In the Sophos Cloud admin, we globally excluded C:\amtech, which showed as "File or Folder" it the cloud console.

    On the server, it showed C:\Amtech as a file, not file or folder.

    Modified the exclusion to C:\Amtech\ and upon updating the protected server shows that as a folder exclusion.

    All of our affected RDS boxes have a local folder named Amtech for our ERP system that the attached sessions use.

    Started Sophos on one of the affected servers and will monitor usage.

    Wondering if that could have caused the problem.  Odd how the console shows "file or folder" and the client shows "file" only without the ending "\" being included.

  • 0 in reply to Randy Wright

    Hello Randy Wright,

    the console shows "file or folder"
    can't say why the Central console doesn't make this distinction, SEC does (and checks if the path is correct for the intended purpose). As your case shows it would definitely be helpful.

    Christian

Unfiltered HTML