Sophos Endpoint Intercept X 2.0 impacting Performance - slow?

On a new software build of Windows 10 on a T450 Lenovo, we found that at the end we installed Sophos Endpoint Intercept X 2.0 and it significantly slowed down the computer. All aspects of the computer became slow. On first bootup, connecting the Wifi - slow. On login, the CPU would pin at 100% for long periods of time with high memory usage. All applications would be slow to open, printing would be very slow. This is a new laptop i5, 8 GB RAM, 256 SSD.

We would remove the Intercept X and the computer would return to normal operation.  Fast bootup, fast login, apps, etc...

Now for this customer, they use Trend Micro as their primary AV. We have Sophos Intercept X added on for the extra protection. We did not have issues previously until the Intercept X Version went up to 2.0. Has anyone else noticed a large performance hit with Intercept X 2.0?




[locked by: SupportFlo at 11:42 PM (GMT -7) on 12 Mar 2019]
  • This is what the tech support wrote to me

    Hello Sam, There aren't really any specific configurations that can be used to speed up a booting process. There are additional drivers and such that must be loaded and additional services that must start when our Software is installed, so an increase in boot time is definitely expected behaviour. Of course, please feel free to test by disabling the Sophos services to test if any particular service helps with the boot speed, though there are no settings to be toggled that will speed this up, unfortunately. Regards,

  • Clearly it's going to be slower but it shouldn't be that slow.  I would expect you'd be asked to provide either a:

    In addition to that an SDU zip so they can confirm the configuration is as expected.

    I'd be happy to take a look but this isn't the sort of data you want to be making available on a public forum.

    Beyond that, narrowing down components responsible, either by disabling options in the policy - most likely threat protection or by disabling drivers/services would be another approach.


    Regards,
    Jak

  • In our case, this particular client who we are piloting InterceptX alongside Bitdefender was experiencing boot to log in times of 6-9mins vs 1min previously on a Surface Pro 4. Totally unacceptable.  This was not the case prior to 2.X and we have had great success running InterceptX 1.X alongside Bitdefender with no delay in boot and login times.

    I have logged a support case with Sophos, but after uninstalling InterceptX 2.X, the machine was back to normal speed.

    Still waiting for a resolution.

  • We had on prem Sophos, just moved to Sophos Central in January, so I don’t have any experience with prior versions of Intercept X. I just spoke to our Sophos SE. He is looking into it. I will give you an update if I hear back from the SE. I agree with Jak, they should have asked me to upload some logs.

    I disabled Defender because I saw a few discussions on this forum about how Defender might cause issues with Sophos AV.

    By the way, Intercept X might also be the reason IE11 is crashing in Win 10. One of my coworkers is working with Microsoft on IE crashing on Win 10, but I think they will end up pointing to Intercept X.

  • Have another client who is also experiencing the same IE11 random crashing :( 

    I also have the case escalated, so will provide feedback once I hear back.

  • Thanks Jak for pointing out the thread. I'll check it out

  • Did some more testing for boot times and opening programs (simple one like Task Manager)

     

    Brand new Lenovo T450 i5, 8 GB RAM 256 SSD

    Fresh build with no anti-virus: Boot time is 30 seconds. Task manager opens within 1 second. Nice and Fast.

    Sophos End Point Core Agent 2.0.2 Advanced only: Boot time is 1 min 27 seconds. Task manager opens in 6 seconds. Slower... but still ok.

    Sophos End Point Core Agent 2.0.2 Intercept X 2.0.1 only: Boot time is 2 mins and 50 seconds. Task manager opens in 15-20 seconds (varies). This is too slow to function for a user.

     

    This is not acceptable for an anti virus to reduce the speed of a computer back to pre-SSD speeds.  We did not have these issues as far as I was aware Pre Version 2.

  • Hi Stephen,

    Your testing is exactly what we are finding - in particular, boot time and as you mentioned, Task Manager taking 15 seconds to load. We also didn't have this issue prior to version 2.X.

    I have a case open with Sophos that has been escalated but haven't had much response back with regards to a fix.  I actually had to uninstall InterceptX 2.X so the machines can function again.

    Our client is also using OneDrive Files on Demand on Windows 10 and CPU consistently sits at 20% just for that process when InterceptX is running. 

    Anyone know if it's possible to revert to v1.X and not be forced to upgrade until these issues are resolved?

  • What policy options have you disabled to see what helps?

    Other than analysing a performance trace I would start with the following on a slow computer having disabled Tamper Protection:

    1. Rename 
    C:\Windows\System32\hmpalert.dll
    and
    C:\Windows\SysWOW64\hmpalert.dll
    to something like hmpalert.dll.rename and reboot, does it help speed things up?

    This event log might help show any change: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

    If the above helps, then we know it is exploit mitigation.  We can then start to disable individual features within Exploit mitigation.

    2.  Assuming the above doesn't help.  Maybe disable Cryptoguard in the threat protection policy.

    3.  Rename the HMPA driver "hmpalert.sys" under:
    \windows\system32\drivers\ to hmpalert.sys.rename and reboot.

    If the above 3 options do not help, then HMPA has been pretty much ruled out. 

    Can we start there before moving on to Sophos Anti-Virus?

    Regards,
    Jak
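
An added example, not part of the thread and not Sophos tooling: a read-only PowerShell script that pulls boot timings out of the Diagnostics-Performance log named in the post above, so the effect of each change can be compared across reboots. It assumes event ID 100 records `BootTime`, `MainPathBootTime` and `BootPostBootTime` in milliseconds and that IDs 101-103 name the application, driver or service that delayed a boot; the function names are hypothetical.

```powershell
# Added example: summarise boot performance from the Diagnostics-Performance log.
# Read-only; run from an elevated PowerShell prompt.
$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'

function ConvertTo-EventDataTable {
    # Turn an event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $table = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $table[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $table
}

function Get-BootDuration {
    # Event ID 100: one record per boot, newest first.
    param([int]$Last = 10)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 100 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataTable $_
            [pscustomobject]@{
                Logged      = $_.TimeCreated
                BootSec     = [math]::Round([int64]$d['BootTime'] / 1000, 1)
                MainPathSec = [math]::Round([int64]$d['MainPathBootTime'] / 1000, 1)
                PostBootSec = [math]::Round([int64]$d['BootPostBootTime'] / 1000, 1)
            }
        }
}

function Get-BootDegradation {
    # Event IDs 101-103: component that slowed a boot, worst offenders first.
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 101, 102, 103 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataTable $_
            [pscustomobject]@{
                Logged        = $_.TimeCreated
                EventId       = $_.Id
                Component     = $d['Name']
                DegradationMs = [int64]$d['DegradationTime']
                TotalMs       = [int64]$d['TotalTime']
            }
        } | Sort-Object DegradationMs -Descending
}

Get-BootDuration | Format-Table -AutoSize
Get-BootDegradation | Select-Object -First 15 | Format-Table -AutoSize
```

Running it after each reboot in the sequence above gives a `BootSec` figure per configuration, and the degradation list shows whether a specific driver or service is being blamed by Windows itself.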