Data Content Records taking up disk space

We have some web servers that have three files called FilePropertyDbFull-xxxxxxxxxxxxxxxxxxxxxxxx.bin that are getting quite large; currently each is 3.2GB in size.

These servers are just simple web servers, so not sure why there should be such large files on this particular type of system. Other systems such as file servers with way more files are nowhere near this size.

They look like they are being cycled on a three day rotation.

What are they, what info do they store, why are they so big on these simple web servers and can they be managed in some way?
Also, were these added as part of a recent change?

Can't find any info on FilePropertyDbFull when searching the Sophos site.



added extra tags for memory and non-paged pool
[edited by: Jeremy Roberts at 5:22 PM (GMT -8) on 27 Feb 2024]
  • Hello,

    Would I be right in saying this is Sophos Central managed rather than Sophos Enterprise Console (on-premise) management?

    It looks like: Sophos Known Issues list

    WINEP-44248
    • Core Agent 2023.2
    • Core Agent
    High non-paged pool memory consumption from Sophos Endpoint Defense (pool tags Sg01 and Sg03)

    Windows Servers might show an increased non-paged pool memory consumption from a pool tag labeled Sg01 or Sg03. The memory is allocated by the Sophos Endpoint Defense Data Content Records (used to keep track of PE-file information and SHA-256 values) which get loaded on boot.

    None

    There must be a lot of changing files on the server to generate such large files.

    In Core Agent 2023.2, they are purged once you get to that version.

    They do impact non-paged pool (I suspect if you look in Task Manager the non-paged pool is quite high) as mentioned.

    The files could be removed if you are running out of memory; you can, for example:

    Stop the following services:

    - "Sophos File Scanner Service" (net stop "Sophos File Scanner Service")
    - SntpService (net stop SntpService)
    - sntp (net stop sntp)
    - "Sophos System Protection Service" (net stop "Sophos System Protection Service")

    - Unload Sophos Endpoint Defense driver: (fltmc.exe unload "sophos endpoint defense")

    - Delete the contents of "C:\ProgramData\Sophos\Endpoint Defense\Data\Data Content Records\"

    Reboot.

    They will be re-created; it will be interesting to know how quickly they grow from being cleared. It may be that at the growth rate it will be fine until 2023.2 is on the server. At that point, the computer will need to restart once to get the new version of sophosed.sys loaded. Then the next time it boots with the new software it will start to purge the data.

    If you can think of any areas on disk where there are a lot of file changes happening, that is likely the cause. You mention they are web servers? Do they receive a lot of files or generate a lot of files? Maybe temp ones as part of operation? File/path exclusions for such locations would prevent the growth in the dat files you mention.

    I hope this information helps.

    Kind Regards.
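
To measure how quickly the files regrow after being cleared, and to find the directories with heavy file churn that the reply asks about, a script along these lines can help. It is an added example, not part of the original posts and not Sophos code; the log path `C:\Temp\dcr-size-log.csv`, the scan root `C:\inetpub` and all function names are assumptions.

```powershell
# Added example, not Sophos code. Run from an elevated PowerShell prompt.
$DcrPath = 'C:\ProgramData\Sophos\Endpoint Defense\Data\Data Content Records'  # path from the reply above
$LogPath = 'C:\Temp\dcr-size-log.csv'                                          # assumed log location

function Save-DcrSnapshot {
    # Append the combined size of the FilePropertyDbFull-*.bin files, with a timestamp, to the log.
    New-Item -ItemType Directory -Path (Split-Path -Path $LogPath) -Force | Out-Null
    $files = @(Get-ChildItem -LiteralPath $DcrPath -Filter 'FilePropertyDbFull-*.bin' -File -ErrorAction Stop)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Time       = (Get-Date).ToString('o')   # ISO 8601, parses regardless of locale
        FileCount  = $files.Count
        TotalBytes = [int64]$bytes              # 0 when no files are present
    } | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
}

function Get-DcrGrowthPerDay {
    # GB per day between the first and last logged snapshot; $null until two samples exist.
    $rows = @(Import-Csv -LiteralPath $LogPath)
    if ($rows.Count -lt 2) { return $null }
    $days = ([datetime]$rows[-1].Time - [datetime]$rows[0].Time).TotalDays
    if ($days -le 0) { return $null }
    $deltaGB = ([int64]$rows[-1].TotalBytes - [int64]$rows[0].TotalBytes) / 1GB
    [math]::Round($deltaGB / $days, 3)
}

function Get-FileChurn {
    # Directories under $Root with the most files created or written in the last $Hours hours.
    # These are the places to review for the file/path exclusions suggested in the reply.
    param([string]$Root = 'C:\inetpub', [int]$Hours = 24, [int]$Top = 15)   # $Root default is an assumption
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        Group-Object -Property DirectoryName |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

Save-DcrSnapshot                             # run on a schedule, e.g. hourly, after clearing the folder
Get-DcrGrowthPerDay
Get-FileChurn -Root 'C:\inetpub' -Hours 24
```

`Get-FileChurn` only sees files that still exist when it runs, so temporary files that are created and deleted between runs will not be counted.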

  • Thanks for this, still an issue for us but at least we have a work around for it.

    Just to give some indication of the impact, 3GB files means around 10GB of non-paged memory used by Sophos, which is a bit pants really; on other servers I am seeing a similar 1:3 relationship of file size to RAM usage.

    If you want to see this yourself, I would suggest seeking out a copy of poolmon, which is a command line tool to show actual RAM usage rather than the nonsense in Task Manager.

    Not managed to track down what activity causes this; suppose we could just exclude all the drives... What would be helpful is to have some visibility inside the agent or elsewhere of what high activity there is on a server. Sophos does seem to be a dumbed down product in respect of the information it reveals.
