sophos endpoint sophos network threat protection service high memory usage

Hi Cristiano Ravarelli

Could you check under SNTP.log(%ProgramData%\Sophos\Sophos Network Threat Protection\Logs\) if you find any error or anything unusual? 

Hi Shweta,

i didn't find anything unusual at the time of the issue.

I post it below ...

It was happened between 11.45 and 12.00 today morning.

a 2020-12-21T11:45:04.943Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: ctldl.windowsupdate.com
a 2020-12-21T11:52:31.071Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
a 2020-12-21T11:55:20.901Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:20.906Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:20.990Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
a 2020-12-21T11:55:24.672Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:24.674Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:24.695Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
a 2020-12-21T11:56:49.605Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
a 2020-12-21T11:56:49.606Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
a 2020-12-21T11:56:49.607Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: www.msftconnecttest.com
a 2020-12-21T11:56:49.797Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: www.msftconnecttest.com
a 2020-12-21T11:56:50.518Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: tile-service.weather.microsoft.com
a 2020-12-21T12:03:11.370Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.35
a 2020-12-21T12:03:11.371Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.243
a 2020-12-21T12:03:11.657Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.5.34
a 2020-12-21T12:13:05.412Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it

Is the problem just on this one computer or others?  Do they all have Fing desktop installed?

Hi Cristiano,

When I've had high memory usage from Sophos NTP in my environment it was generally caused by our backup software making many connections to the cloud to perform live backups. Every time our backup software made a network connection it would have to be scanned by Sophos NTP and eat up all the memory on the computer.  By creating a file/folder exclusion for our backup software we resolved the issue.  Support identified the issue by looking in this same log file to see many connections from a specific program.

I don't backup the notebook.

We work only on fileserver and I have only administrating programs on it

Hi.

Fing was installed months ago. The issue is nearly....

Yesterday my colleague has the same issue... in a light mode compared to mine, but he has to stop work for 5 minutes.

I've just tried yesterda to remove Fing. I wait this days to watch the results.

Thank you

Hi Cristiano Ravarelli

Just wanted to follow up on this thread if you are still seeing this issue? 

Hi ... the issue continues to make victims... in this weeks 3 other pc are suffering the same problem.

Every PC has different configuration and seems that isn't a correspondence between they.

so I don't understand what is the problem... I've uninstalled Fing but none has changed.

Anyone has that problem????

How about this in a rather unscientific approach but could yield results without symbols.

When you have the issue, say 500MB.  With Tamper disabled on the computer, create a full memory dump of the SophosNTPService process.  I would suggest the easiest approach is to use Process Explorer and choose "Create Full Dump" from the right click option.  With a dump file e.g dump.dmp, I would then download strings64.exe from Sysinternals - Strings - Windows Sysinternals | Microsoft Docs , then you can run:

strings64.exe -n 7 dump.dmp > ntpstrings.txt

As the contents of the memory will be data, this might point you to certain connections/addresses/IPs you can understand what the data is.

Hopefully you can then open the resultant file in ntpstrings.txt and it is helpful to understand the connections/IP, etc.. If the file is too big maybe increase the string length to say 10.

Same problem here (sporadic)!

First Level Support plays the: "please send more logs" game. No solution to be seen. PCs with more than 8GB Ram and SSD can recover, but other with 4GB+HDD die in swapping virtual Ram.