Sophos will cause performance issue (slow response) on Windows Server 2019

Hello,

I have the following scenario:

- I have created a new virtual machine, which has Windows Server 2019 installed and has NO Sophos yet, all works fine and the server's performance is normal (CPU usage is between 15% and 25% most of the time and e.g. IE opens within 1 to 2 seconds)

- I installed Sophos (10.8.4.227 EV 3.74.1) on the server, and the server started to experience a performance issue and slow response with high CPU (between 80% and 100%) when I only run simple applications (e.g. when I open IE or Explorer, it takes up to 5 or 6 seconds to open the window, and the CPU is bouncing at 100% for a few seconds and still high until I do nothing on the server for a few seconds)

- As I mentioned above, if the server is idle for a few seconds, the CPU will drop down to around 20%, but once I open IE again it will jump up to around 100% and IE takes a long time to open.

- If I then uninstall Sophos, the problem is still present, even though all Sophos components are removed (not sure if there is something still running in the background or if the impact of Sophos on another component in Windows is still affected)

- Also, I have noticed that the "Sophos System Protection" is not being installed, not sure if this is related to Windows Server 2019, or to Sophos version 10.8.4.227, or is it intended by Sophos to have this component included in another one !!

Does anyone have the same issue with Sophos and Windows Server 2019? Are there any recommendations? Or should I wait for a new release of Sophos?

The same Sophos policies and configs are applied on Windows Server 2016 servers, and they have no performance issues at all !!

Our Sophos is managed by SEC 5.5.0

Please let me know if you need more information.

  • Hello Jameel,

    easy part first - Sophos System Protection has been removed with 10.8.4.3.

    "all Sophos components are removed"
    and rebooted afterwards? I'm not aware that there could be leftovers. Can you identify the process or processes consuming the CPU?

    Christian

  • In reply to QC:

    Hello Christian,

    Thanks for always being there to help.

    Yes, I rebooted the server many times after removing Sophos.

    Actually, it is not easy to limit the processes which are consuming the CPU, but here are some which I could notice after monitoring the Task Manager:

    - System Interrupt

    - Internet Explorer (or Windows Explorer) itself when I open it until it is opened (which might be normal)

    - Services and Controller app

    - Windows host process (Rundll32)

    - Service Host: Local System (including 18 items)

    - Task Manager itself (which might be normal)

    To be honest, all the above-mentioned processes might be normal to have slightly high CPU consumption, but this performance issue occurred only after I installed Sophos the first time, so when the server was newly created and had no Sophos before, there was no performance issue at all !!

  • In reply to Jameel Alsarraj:

    Hello Jameel,

    System Interrupts should normally not stand out. And they shouldn't spike if you start an application like IE. A possible cause are driver issues (as this is a VM the real hardware is not the prime suspect but who knows). 2019 is already supported by Endpoint for some time and I haven't heard of performance issues - especially ones that persist after uninstalling. We're not yet using 2019 though so this is not first-hand experience.
    Is this your first 2019 VM? Could you perhaps try to reproduce the problem (i.e. performance ok for a day or so, install Sophos - issues, uninstall - issues persist) with another VM?

    Christian

  • In reply to QC:

    Hello Christian,

    Actually this is the second VM on which we are testing Sophos with Windows Server 2019, and both machines behaved the same !!

    But here I have to mention, that both VMs were created from the same VM Template in VMware, so they are identical in drivers, settings, .. etc.

  • In reply to Jameel Alsarraj:

    Hello Jameel,

    if the issue is reproducible and presumably connected with Sophos you should open a case with Support. Especially as it seems the machines are not returned to their previous state after uninstall.

    Christian

  • In reply to QC:

    Hello Christian,

    I will do, thank you anyway for your help.

  • In reply to Jameel Alsarraj:

    Hi Jameel,

    You can also try to create the batch file for uninstall using the article https://community.sophos.com/kb/en-us/122126

  • In reply to SAJ:

    Hi Saj,

    The article is only for Sophos Central Endpoint and Central Server, I have a Sophos Endpoint Protection which is managed by SEC.

    For example, I cannot find the command uninstallcli.exe (even though I can uninstall from Control Panel/Programs and Features), but I am not sure if I can go further with this article !!

  • In reply to Jameel Alsarraj:

    Hello Jameel,

    you're right, doesn't really fit. RMS is missing and the product codes might or might not be "complete". 

    "I am not sure if I can go further with this article"
    You've missed the following line under What to do:
    • To gather the uninstall strings, run the appropriate commands that can be found in the KBA 109668 (my note: AKA Sophos Endpoint Security and Control: How to uninstall using a command line or batch file)

    Christian

  • In reply to QC:

    Hi Christian,

    I gathered the uninstall strings after I uninstalled Sophos and the result was: End of search: 0 match(es) found.

    which means - as you mentioned in one reply already - that there are no leftovers from Sophos after it has been uninstalled.
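
Added example, not part of the original thread and not a Sophos tool: a PowerShell check for the leftover question discussed above that looks beyond installer uninstall strings to services, kernel or file-system drivers, and driver files. The `Sophos` match pattern is an assumption; it only finds items whose name, path or publisher metadata contains that string.

```powershell
# Added example: look for vendor remnants in four places after an uninstall.
# Assumption: remnants carry 'Sophos' in a name, path or publisher field.
$pattern = 'Sophos'

# 1. Installer registrations (what an uninstall-string search covers),
#    in both the native and the 32-bit (WOW6432Node) registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern -or $_.Publisher -match $pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# 2. Win32 services still registered, whether running or stopped.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Kernel and file-system drivers still registered with the service manager.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 4. Driver binaries left on disk, matched on the embedded company name.
$driverFiles = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter '*.sys' |
    Where-Object { $_.VersionInfo.CompanyName -match $pattern } |
    Select-Object Name, LastWriteTime, @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } }

# Summary first, then the details of anything that was found.
[pscustomobject]@{
    Products    = @($products).Count
    Services    = @($services).Count
    Drivers     = @($drivers).Count
    DriverFiles = @($driverFiles).Count
}
$products    | Format-List
$services    | Format-List
$drivers     | Format-List
$driverFiles | Format-Table -AutoSize
```

Running it once on a freshly deployed VM from the template and again after the install/uninstall cycle gives two summaries that can be compared directly.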

  • In reply to Jameel Alsarraj:

    Hi Jameel,

    Can you please share the exact version of Windows 2019? Is that Standard/Datacenter/Core?

  • In reply to SAJ:

    Hi Saj,

    It is Windows Server 2019 Standard version 1809 OS build 17763.805

  • In reply to Jameel Alsarraj:

    Hi Jameel,

    Sophos system protection component still failing to install after the uninstall and reinstall?

  • In reply to SAJ:

    Hi Saj,

    As Christian earlier mentioned, Sophos System Protection has been removed since the version 10.8.4.3

    I am installing Sophos version 10.8.4.4 (10.8.4.227 VE 3.77.1)

  • In reply to Jameel Alsarraj:

    Hi Jameel,

    Thank you. To analyze performance issues, we have to conduct a remote session with technical support. I would suggest opening a new case for this with Sophos Technical support.

    You can create a case using the link here.