In Task Manager, the 'ManagementAgentNT.exe' process was found to be using 100% CPU.
First seen in Sophos Endpoint Security and Control 9.7
The cause in one case was specific to the module 'SUMAdapter.dll' being loaded by the ManagementAgentNT.exe process.
See the 'Technical information' section below for more details on how you can establish which adapter might be responsible for the CPU usage on your computer. Note: The 'What To Do' section below only covers the specific case of the SUMAdapter.dll being responsible.
Once you have concluded the problem is with the SUMAdapter.dll, perform the following steps:
C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SDDM\
C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SDDM\
The 'Sophos Agent' service (ManagementAgentNT.exe) is part of the Remote Management System (RMS) application and is responsible for communicating with the Sophos applications on a managed endpoint. These applications include Sophos Anti-Virus, Sophos Client Firewall, Sophos Update Manager, etc. Each of the managed applications provides an adapter DLL that is loaded into the ManagementAgentNT.exe process in order for RMS to manage the application.
Each managed application registers its adapter by adding a registry key under:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Adapters\
For example, the Sophos Update Manager application creates the key SDDM, which contains the DLLPath value referencing the location of SUMAdapter.dll on disk. As keys are created or removed, the corresponding adapter is loaded into or unloaded from the Sophos Agent. You can see the DLLs being loaded or unloaded by the ManagementAgentNT.exe process with a tool such as Process Explorer.
To establish which adapter may be at fault, back up the 'Adapters' registry key above, then delete the adapter keys one at a time until CPU usage returns to normal levels. Add them back one at a time to prove which adapter is causing the problem. Note: a problematic adapter may not be able to unload itself, so it may be worth restarting the Sophos Agent service to be sure the adapter is not loaded after deleting the key.
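One way to take that backup and see what each adapter key points to before deleting anything, as an added example (not Sophos-supplied code). The backup folder is a constructed location, and the script assumes every adapter key carries a DLLPath value as in the SDDM example above.

```powershell
# Added example, not Sophos code. Run from an elevated PowerShell prompt.
# Assumption: $backupDir is a constructed location; change it to suit.
$backupDir = 'C:\Temp\rms-adapters-backup'
$subPath   = 'Sophos\Remote Management System\ManagementAgent\Adapters'
# 32-bit view (Wow6432Node) on 64-bit Windows, native view otherwise.
$roots = @("HKLM:\SOFTWARE\Wow6432Node\$subPath", "HKLM:\SOFTWARE\$subPath") |
    Where-Object { Test-Path -LiteralPath $_ }

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$n = 0
$report = foreach ($root in $roots) {
    # Back up the whole Adapters key before any adapter key is deleted.
    $n++
    $regFile = Join-Path $backupDir "Adapters-$stamp-$n.reg"
    & reg.exe export ($root -replace '^HKLM:', 'HKLM') $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $root failed; stopping." }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        # Each adapter subkey (for example SDDM) is expected to hold DLLPath.
        $raw = $key.GetValue('DLLPath')
        $dll = if ($raw) {
            [Environment]::ExpandEnvironmentVariables([string]$raw).Trim('"')
        }
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
        [pscustomobject]@{
            Adapter   = $key.PSChildName
            DLLPath   = $dll
            OnDisk    = $onDisk
            Version   = if ($onDisk) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion }
            Signature = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status }
            Backup    = $regFile
        }
    }
}
# One row per registered adapter, with the .reg file that can restore it.
$report | Format-Table -AutoSize -Wrap
```

The exported file can be restored with `reg.exe import` followed by the path shown in the Backup column.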