Sophos Endpoint: Sophos Network Threat Protection service high memory usage

Hello Everybody,

I have had this issue twice with SNTP on the Sophos Endpoint Agent.

During this, my notebook won't respond and I have to reboot it to stop the issue. Every program was critically compromised and I had to kill every task to make the notebook able to reboot.

Does anyone have a suggestion for this problem?

Thank You so much.

Cristiano

  • Hi

    Could you check SNTP.log (%ProgramData%\Sophos\Sophos Network Threat Protection\Logs\) to see if you find any errors or anything unusual?

    Shweta

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

     

  • Hi Shweta,

    I didn't find anything unusual at the time of the issue.

    I post it below ...

    It happened between 11.45 and 12.00 this morning.

    a 2020-12-21T11:45:04.943Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: ctldl.windowsupdate.com
    a 2020-12-21T11:52:31.071Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
    a 2020-12-21T11:55:20.901Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:20.906Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:20.990Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
    a 2020-12-21T11:55:24.672Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:24.674Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:24.695Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
    a 2020-12-21T11:56:49.605Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
    a 2020-12-21T11:56:49.606Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
    a 2020-12-21T11:56:49.607Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: www.msftconnecttest.com
    a 2020-12-21T11:56:49.797Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: www.msftconnecttest.com
    a 2020-12-21T11:56:50.518Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: tile-service.weather.microsoft.com
    a 2020-12-21T12:03:11.370Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.35
    a 2020-12-21T12:03:11.371Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.243
    a 2020-12-21T12:03:11.657Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.5.34
    a 2020-12-21T12:13:05.412Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it

  • Is the problem just on this one computer or others?  Do they all have Fing desktop installed?

  • Hi Cristiano,

    When I've had high memory usage from Sophos NTP in my environment it was generally caused by our backup software making many connections to the cloud to perform live backups. Every time our backup software made a network connection it would have to be scanned by Sophos NTP and eat up all the memory on the computer.  By creating a file/folder exclusion for our backup software we resolved the issue.  Support identified the issue by looking in this same log file to see many connections from a specific program.
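
Added example (not part of the original thread and not Sophos code): a Python sketch of the triage described in the reply above, counting accesses per process in SNTP.log lines of the format quoted earlier in this thread. The sample lines and the `examplebackup` path are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Line format as it appears in the SNTP.log excerpt quoted in this thread.
LINE_RE = re.compile(
    r"^\s*\w\s+(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z\s+\[\d+:\d+\]\s+-\s+"
    r"Process:\s+'(?P<proc>[^']+)'\s+accessed:\s+(?P<dest>\S+)"
)

def parse(lines):
    """Yield (UTC timestamp, lower-cased process path, destination) per record."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines in any other format are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
            yield ts, m["proc"].lower(), m["dest"]

def summarize(lines, start=None, end=None):
    """Per process: total accesses, distinct destinations, busiest minute."""
    totals, dests, per_min = Counter(), defaultdict(set), defaultdict(Counter)
    for ts, proc, dest in parse(lines):
        if (start and ts < start) or (end and ts > end):
            continue  # outside the incident window
        totals[proc] += 1
        dests[proc].add(dest)
        per_min[proc][ts.replace(second=0, microsecond=0)] += 1
    return [
        {"process": p, "accesses": n, "distinct": len(dests[p]),
         "peak_per_minute": max(per_min[p].values())}
        for p, n in totals.most_common()  # noisiest process first
    ]

# Constructed sample in the thread's log format (paths and hosts are made up).
SAMPLE = r"""
a 2020-12-21T11:55:20.901Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:21.010Z [5876:9700] - Process: '\device\harddiskvolume3\program files\examplebackup\agent.exe' accessed: 10.0.0.5:443
a 2020-12-21T11:55:21.450Z [5876:9700] - Process: '\device\harddiskvolume3\program files\examplebackup\agent.exe' accessed: 10.0.0.5:443
a 2020-12-21T11:55:22.002Z [5876:9700] - Process: '\device\harddiskvolume3\program files\examplebackup\agent.exe' accessed: 10.0.0.6:443
a 2020-12-21T11:56:01.100Z [5876:9700] - Process: '\device\harddiskvolume3\program files\examplebackup\agent.exe' accessed: 10.0.0.7:443
a 2020-12-21T11:56:49.605Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.example.test
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Passing `start` and `end` as naive UTC `datetime` values limits the count to the minutes around a memory spike, which makes a chatty process stand out from background traffic.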

  • I don't back up the notebook.

    We work only on a file server and I have only administration programs on it.

  • Hi.

    Fing was installed months ago. The issue is nearly....

    Yesterday my colleague had the same issue... in a lighter form compared to mine, but he had to stop work for 5 minutes.

    I tried removing Fing just yesterday. I will wait a few days to see the results.

    Thank you

  • Hi 

    Just wanted to follow up on this thread if you are still seeing this issue? 

    Shweta


  • Hi ... the issue continues to make victims... in these weeks 3 other PCs are suffering the same problem.

    Every PC has a different configuration and there seems to be no correspondence between them.

    So I don't understand what the problem is... I've uninstalled Fing but nothing has changed.

    Does anyone else have that problem?

  • How about this: a rather unscientific approach, but one that could yield results without symbols.

    When you have the issue, say 500MB. With Tamper disabled on the computer, create a full memory dump of the SophosNTPService process. I would suggest the easiest approach is to use Process Explorer and choose "Create Full Dump" from the right-click option. With a dump file, e.g. dump.dmp, I would then download strings64.exe from Sysinternals (Strings - Windows Sysinternals | Microsoft Docs), then you can run:

    strings64.exe -n 7 dump.dmp > ntpstrings.txt

    As the contents of the memory will be data, this might point you to certain connections/addresses/IPs so you can understand what the data is.

    Hopefully you can then open the resultant file, ntpstrings.txt, and it is helpful for understanding the connections/IPs, etc. If the file is too big, maybe increase the string length to, say, 10.
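
Added example (not part of the original thread): a Python sketch for ranking the IP addresses and hostnames that recur in the `ntpstrings.txt` file produced by the command above. The sample text, the extension filter and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
# Heuristic: tokens ending in these look like file names, not hostnames.
FILE_EXTS = {"exe", "dll", "sys", "log", "txt", "dat", "xml", "tmp", "ini"}

def decode_strings_output(raw: bytes) -> str:
    """Windows PowerShell 5.1 '>' writes UTF-16LE with a BOM; cmd.exe
    writes single-byte text, which latin-1 decodes without loss."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("latin-1")

def valid_ipv4(candidate: str) -> bool:
    return all(int(part) <= 255 for part in candidate.split("."))

def top_endpoints(raw: bytes, n=10):
    """Return (most common IPv4 addresses, most common hostnames)."""
    text = decode_strings_output(raw)
    # Dotted version numbers (e.g. 10.0.19041.1) also fit the IPv4 pattern
    # when they have four parts, so treat low-count hits with suspicion.
    ips = Counter(ip for ip in IPV4_RE.findall(text) if valid_ipv4(ip))
    hosts = Counter(
        h.lower() for h in HOST_RE.findall(text)
        if h.rsplit(".", 1)[1].lower() not in FILE_EXTS
    )
    return ips.most_common(n), hosts.most_common(n)

# Constructed stand-in for a few lines of strings64 output.
SAMPLE_TEXT = ("login.live.com:443\r\n172.18.92.35\r\n172.18.92.35\r\n"
               "svchost.exe\r\n999.1.1.1\r\nwpad.example.test\r\n"
               "Login.Live.com\r\n")

if __name__ == "__main__":
    with open("ntpstrings.txt", "rb") as fh:
        ips, hosts = top_endpoints(fh.read())
    print(ips, hosts, sep="\n")
```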

  • Same problem here (sporadic)!

    First Level Support plays the "please send more logs" game. No solution to be seen. PCs with more than 8GB RAM and an SSD can recover, but others with 4GB+HDD die swapping virtual RAM.