
Sophos Endpoint: Sophos Network Threat Protection service high memory usage

Hello Everybody,

I have had this issue 2 times with SNTP on the Sophos Endpoint Agent.

During this, my notebook won't respond and I have to reboot it to stop the issue. Every program was critically compromised and I had to kill every task to make the notebook able to reboot.

Does anyone have a suggestion for this problem?

Thank You so much.

Cristiano



  • Hi

    Could you check SNTP.log (%ProgramData%\Sophos\Sophos Network Threat Protection\Logs\) to see if you find any errors or anything unusual?

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi Shweta,

    I didn't find anything unusual at the time of the issue.

    I am posting it below.

    It happened between 11.45 and 12.00 this morning.

    a 2020-12-21T11:45:04.943Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: ctldl.windowsupdate.com
    a 2020-12-21T11:52:31.071Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
    a 2020-12-21T11:55:20.901Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:20.906Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:20.990Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
    a 2020-12-21T11:55:24.672Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:24.674Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
    a 2020-12-21T11:55:24.695Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
    a 2020-12-21T11:56:49.605Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
    a 2020-12-21T11:56:49.606Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
    a 2020-12-21T11:56:49.607Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: www.msftconnecttest.com
    a 2020-12-21T11:56:49.797Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: www.msftconnecttest.com
    a 2020-12-21T11:56:50.518Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: tile-service.weather.microsoft.com
    a 2020-12-21T12:03:11.370Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.35
    a 2020-12-21T12:03:11.371Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.243
    a 2020-12-21T12:03:11.657Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.5.34
    a 2020-12-21T12:13:05.412Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it

  • Hi Cristiano,

    When I've had high memory usage from Sophos NTP in my environment it was generally caused by our backup software making many connections to the cloud to perform live backups. Every time our backup software made a network connection it would have to be scanned by Sophos NTP and eat up all the memory on the computer.  By creating a file/folder exclusion for our backup software we resolved the issue.  Support identified the issue by looking in this same log file to see many connections from a specific program.

  • I don't back up the notebook.

    We work only on the file server, and I have only administration programs on it.
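
The check described in the reply above (looking in SNTP.log for one program making many connections), as an added example that is not part of the original thread or of Sophos tooling. The line layout is inferred from the excerpt posted here; the function names and the per-minute peak metric are assumptions, and the sample is a few lines copied from that excerpt plus one constructed malformed line.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Line layout inferred from the SNTP.log excerpt in this thread (assumption).
LINE_RE = re.compile(
    r"^\s*\w\s+(?P<ts>\S+)Z\s+\[\d+:\d+\]\s+-\s+"
    r"Process:\s+'(?P<proc>[^']+)'\s+accessed:\s+(?P<dest>\S+)\s*$"
)

# Lines copied from the excerpt above; the last line is constructed.
SAMPLE = r"""
a 2020-12-21T11:55:20.901Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:20.906Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: login.live.com:443
a 2020-12-21T11:55:20.990Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: asmvig-proxy01.asmvigevano.it:443
a 2020-12-21T11:56:49.605Z [5876:9700] - Process: '\device\harddiskvolume3\windows\system32\svchost.exe' accessed: wpad.asmvigevano.it
a 2020-12-21T12:03:11.370Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.35
a 2020-12-21T12:03:11.371Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.92.243
a 2020-12-21T12:03:11.657Z [5876:9700] - Process: '\device\harddiskvolume3\program files\fing\resources\extraresources\fingagent.exe' accessed: 172.18.5.34
a truncated line without the expected fields
""".splitlines()

def parse(lines):
    """Yield (UTC timestamp, process path, destination); skip non-matching lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["proc"].lower(), m["dest"]

def summarize(lines, start=None, end=None):
    """Per process: total connections, distinct destinations, busiest minute."""
    total, dests, per_min = Counter(), defaultdict(set), defaultdict(Counter)
    for ts, proc, dest in parse(lines):
        if (start and ts < start) or (end and ts > end):
            continue  # outside the incident window (naive datetimes, UTC)
        total[proc] += 1
        dests[proc].add(dest)
        per_min[proc][ts.replace(second=0, microsecond=0)] += 1
    return [
        {"process": p, "connections": n, "destinations": len(dests[p]),
         "peak_per_minute": max(per_min[p].values())}
        for p, n in total.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

To use it on a real endpoint, pass the lines of the SNTP.log file from the path given earlier in the thread, with `start` and `end` set to the window in which the memory spike occurred.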