Possible Memory Problem after Windows 10 1903 Update

 

 

Currently have Sophos Central with Sophos Endpoint running on several machines here, i was the first to update to the latest Windows 10 1903 Update and noticed after the machine sitting idle for a while that the above service is consuming a lot of RAM.

 

Any solutions to this?

  • In reply to Norm Almond:

    Threat Case Creation (I think it used to be called RCA) is used to provide the detailed analysis when a threat is detected so it's not a security feature as such, it's more of a enhanced reporting feature.

    Regards,
    Jak

  • Hi guys, just a quick update

    Speak to Sophos tech support - they have issued me a patch to try to see if that fixes the problem!

    if it does they are planning to issue it as an update on the 26th June!


  • Just going to leave this here as it's what I was searching and wasn't finding anything: SSPService.exe memory leak in Windows 1903.

    Hopefully Sophos does push out that update soon.

  • Hi Guys!

    So i've been running the patch for a couple days now and Sophos is indeed now behaving itself!

     

    Sophs Tech say they will be releasing the patch on the 26th June (ish)!

  • In reply to Gareth Johnstone:

    Our observation is that with this patch SSPService memory consumption is greater on launch and increases steadily but very slowly over time.  So far we have not seen any runaway condition that has brought a system down so in that sense it does appear to be a fix.

    The steady increase over time remains a minor concern but at observed levels is not likely to be a problem on end user workstations.

     

     

  • In reply to Jolyon Xerxes:

    hmm, my machine has been on for about 72 hours and havent noticed any issues with the memory consumption 

  • In reply to Jolyon Xerxes:

    I've been working with support on this issue for over a week now; when I say work, I mean once a day they email me asking me to send Procdump and Procmon log files. I've found that after booting up, my system runs well for about 24 hours, the SSP process behaves and stays under 300 MB, but suddenly it will start to slow climb in memory usage and within the next 24 hours will consume most of my RAM, I have 32 GB of RAM.

    When I spoke to support 2 days ago, they were going to look into the status of the patch and call me back. I was hoping to install the patch to see if it resolves my issue. I haven't heard back.

  • In reply to MR eSecurity:

    I am also experiencing this behaviour.  Machine is OK for about 24 hours then memory usage climbs. It then fills up the paging file and basically hoses the system requiring a reboot.

    From System Event Log:

    Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: SSPService.exe (2984) consumed 60697669632 bytes

     

    That's 60 GB LOL.  Greedy little thing it is.

  • In reply to Scott Wichall:

    On Friday, 06/21/2019, I was provided with a patch. I applied the patch on Friday and my system has been running without any issues since (today is Monday). In the email from support where they provided the patch, they said something I don't quite understand, but then stated the patch will be release in GA on 06/26/2019. I've confirmed with support that the issues appears to be resolved.

    Support wrote:

    "We have identified an issue where ETW is no longer dropping events when the thread is deadlocked on Windows 10 1903.  ETW will now continue to save all events for processing until the thread consumes them or it runs out of memory.  I have confirmed that once the thread is released, it will process the gigabytes of ETW events in under 30 seconds."

    "If this confirms to resolve the issue we are planning to implement this in our Core Agent 2.4.0 release which is planned to start on the 26th June"

  • In reply to MR eSecurity:

    Yeah, it's not clear if they have fixed it to drop events when deadlocked or fixed whatever allows for the deadlock in the first place.

    Still, it does seem to have fixed the runaway memory consumption so ... good.

  • Hello!!

     

    Having the same problem here. Where can I get the patch?

     

    Thanks in advance!!

  • In reply to eu be:

    There will be an update to fix this today, the patch can be requested with Sophos.

     

    BTW: The patch does fix the problem.

     

  • In reply to Norm Almond:

    Can anyone confirm that this has been released?  What component versions should we be looking for?

  • In reply to Jolyon Xerxes:

    Hello Jolyon Xerxes,

    please note that this is for Central. According to the Release Notes Sophos Endpoint Defense has been upgraded to 2.1.2.26.

    Christian 

  • Still having the issue, according to central.sophos.com everything is up to date.

    Machine was using nearly 8GB for SSPService.exe, although after running the Sophos diagnostic utility the memory utilisation dropped to around 4GB (Which is still quite frankly insane)

    Do I need to raise a ticket with Sophos now about this?