This discussion has been locked.

Sophos update causing CentOS 7 to hang

Hi All,

We have a CentOS 7 installation with Sophos Endpoint software talking to SEC on our Sophos server. Every time the server has been idle for more than 12 hours, it hangs during a scheduled Sophos update. The message log's last entry was the starting of the update and nothing else until I force a restart. This happens every weekend and once when I wasn't in over a day.

Following are from the message log over three weekends and one from Tuesday:

Aug 13 03:48:28 TestSrv systemd: Started "Sophos Anti-Virus update".
Aug 13 03:50:01 TestSrv systemd: Created slice user-0.slice.
Aug 13 03:50:01 TestSrv systemd: Starting user-0.slice.
Aug 13 03:50:01 TestSrv systemd: Started Session 3402 of user root.
Aug 13 03:50:01 TestSrv systemd: Starting Session 3402 of user root.
Aug 13 03:50:01 TestSrv systemd: Removed slice user-0.slice.
Aug 13 03:50:01 TestSrv systemd: Stopping user-0.slice.
Aug 15 10:43:31 TestSrv rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="875" x-info="http://www.rsyslog.com"] start

Aug 20 06:13:56 TestSrv systemd: Started "Sophos Anti-Virus update".
Aug 22 14:57:50 TestSrv rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="859" x-info="http://www.rsyslog.com"] start

Aug 27 03:01:40 TestSrv systemd: Started "Sophos Anti-Virus update".
Aug 29 09:16:00 TestSrv rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="837" x-info="http://www.rsyslog.com"] start

Aug 30 18:46:44 TestSrv systemd: Started "Sophos Anti-Virus update".
Aug 30 18:50:01 TestSrv systemd: Created slice user-0.slice.
Aug 30 18:50:01 TestSrv systemd: Starting user-0.slice.
Aug 30 18:50:01 TestSrv systemd: Started Session 244 of user root.
Aug 30 18:50:01 TestSrv systemd: Starting Session 244 of user root.
Aug 30 18:50:01 TestSrv systemd: Removed slice user-0.slice.
Aug 30 18:50:01 TestSrv systemd: Stopping user-0.slice.
Aug 31 08:59:46 TestSrv rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="877" x-info="http://www.rsyslog.com"] start

There is no other logging to indicate what is causing the hanging. The version of Sophos for CentOS is 9 as recommended. I have uninstalled Sophos and will see if the server still hangs over the weekend. We did have an Ubuntu installation where Sophos started misbehaving as well and had to uninstall it. We did not think too much about it at the time as we know Ubuntu isn't properly supported. We have other servers running CentOS 6.5 without issues.

Has anyone else had the same or similar issues and can shed some light on it?

Edit: Additional information. Kernel version is 3.10.0-327.28.3.el7.x86_64 and Sophos SAV version is 9.12.2. It was working fine in early August, which I guess was using version 9.12.0.

TIA,

Vlad



  • Update: So, I uninstalled Sophos and it remained running over the weekend. I will try installing it again before the weekend and see if it hangs again.

  • Hi AdminLicense

    Sorry to hear that. We would like to know whether there was an improvement for your server while Sophos was uninstalled. If so, kindly check the memory requirements and also the utilization of the system when Sophos is installed. If you have installed Sophos again on the system, you may check the historical resource usage, which can be viewed using the "sar" utility, which should exist by default on all cPanel servers from the SYSSTAT package. The stats are collected when sysstat runs from cron (/etc/cron.d/sysstat). If crond is not running, sysstat will not be able to collect historical statistics.

    To view resource usage histories from sar, you must provide the path to the file that corresponds with the date of the stats.

    To retrieve the logs, you may refer to the article below, which would help you troubleshoot the issue and determine the cause of the abnormal load on the system.

    https://forums.cpanel.net/threads/troubleshooting-high-server-loads-on-linux-servers.319352/

    Hope this would help to resolve your issue.

    Thanks and regards 

    Aditya Patel 

    Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support
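
Added example, not part of the original thread and not Sophos tooling: a short parser that finds each silent gap in /var/log/messages ending in an rsyslogd restart, records whether a "Sophos Anti-Virus update" start preceded it, and builds the sar command for that day's file. The function names, the 10-minute lead, the one-hour gap threshold, the assumed year and the /var/log/sa/saDD path (the sysstat default on CentOS) are assumptions; the sample lines are copied from the first post.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the first post (Aug 13 and Aug 20 incidents).
SAMPLE = """\
Aug 13 03:48:28 TestSrv systemd: Started "Sophos Anti-Virus update".
Aug 13 03:50:01 TestSrv systemd: Stopping user-0.slice.
Aug 15 10:43:31 TestSrv rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="875" x-info="http://www.rsyslog.com"] start
Aug 20 06:13:56 TestSrv systemd: Started "Sophos Anti-Virus update".
Aug 22 14:57:50 TestSrv rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="859" x-info="http://www.rsyslog.com"] start
"""

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse(text, year=2016):
    """Yield (timestamp, program, message). Syslog omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def sar_command(start, lead=timedelta(minutes=10)):
    """sar call for the daily file covering `start`, beginning `lead` earlier (same day)."""
    midnight = start.replace(hour=0, minute=0, second=0)
    begin = max(start - lead, midnight)
    # -u CPU, -r memory, -q load/run queue, -f daily data file, -s start time
    return f"sar -u -r -q -f /var/log/sa/sa{start:%d} -s {begin:%H:%M:%S}"

def hang_windows(text, min_gap=timedelta(hours=1)):
    """One dict per silent gap of at least `min_gap` that ends with rsyslogd starting."""
    out, prev, last_update = [], None, None
    for ts, prog, msg in parse(text):
        if prog == "rsyslogd" and msg.endswith("start") and prev and ts - prev >= min_gap:
            out.append({"update_started": last_update, "last_entry": prev,
                        "rebooted": ts, "sar": sar_command(last_update or prev)})
            last_update = None  # an update start only counts for the gap that follows it
        elif prog == "systemd" and "Sophos Anti-Virus update" in msg:
            last_update = ts
        prev = ts
    return out

if __name__ == "__main__":
    for w in hang_windows(SAMPLE):
        print(f"update {w['update_started']}  last log {w['last_entry']}  "
              f"reboot {w['rebooted']}\n  {w['sar']}")
```

Run it against the real /var/log/messages by passing the file contents to hang_windows(); the last sar sample before each gap shows memory, CPU and load just before logging stopped.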
