Sophos Endpoint Intercept X 2.0 impacting Performance - slow?

On a new software build of Windows 10 on a T450 Lenovo, we found that at the end we installed Sophos Endpoint Intercept X 2.0 and it significantly slowed down the computer.  All aspects of the computer became slow.  On first bootup, connecting the Wifi - slow.  On login, the CPU would pin at 100% for long periods of time with high memory usage.  All applications would be slow to open, printing would be very slow. This is a new laptop i5, 8 GB RAM, 256 SSD.

We would remove the Intercept X and the computer would return to normal operation.  Fast bootup, fast login, apps, etc...

Now for this customer, they use Trend Micro as their primary AV.  We have Sophos Intercept X added on for the extra protection. We did not have issues previously until the Intercept X Version went up to 2.0.  Has anyone else noticed a large performance hit with Intercept X 2.0?

  • In reply to Stephen Ashcroft:

    Hi Stephen,

    Your testing is exactly what we are finding - in particular, boot time and as you mentioned, Task Manager taking 15 seconds to load. We also didn't have this issue prior to version 2.X.

    I have a case open with Sophos that has been escalated but haven't had much response back with regards to a fix.  I actually had to uninstall InterceptX 2.X so the machines can function again.

    Our client is also using OneDrive Files on Demand on Windows 10 and CPU consistently sits at 20% just for that process when InterceptX is running. 

    Anyone know if it's possible to revert to v1.X and not be forced to upgrade until these issues are resolved?

  • In reply to George Khalil:

    What policy options have you disabled to see what helps?

    Other than analysing a performance trace I would start with the following on a slow computer having disabled Tamper Protection:

    1. Rename 
    C:\Windows\System32\hmpalert.dll
    and
    C:\Windows\SysWOW64\hmpalert.dll
    to something like hmpalert.dll.rename and reboot, does it help speed things up?

    This event log might help show any change: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

    If the above helps, then we know it is exploit mitigation.  We can then start to disable individual features within Exploit mitigation.

    2.  Assuming the above doesn't help.  Maybe disable Cryptoguard in the threat protection policy.

    3.  Rename the HMPA driver "hmpalert.sys" under:
    \windows\system32\drivers\ to hmpalert.sys.rename and reboot.

    If the above 3 options do not help, then HMPA has been pretty much ruled out.

    Can we start there before moving on to Sophos Anti-Virus?

    Regards,
    Jak
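
The Diagnostics-Performance log mentioned in the reply above records each boot as Event ID 100, with `BootTime`, `MainPathBootTime` and `BootPostBootTime` in milliseconds. The following PowerShell is an added example, not part of the original post or Sophos tooling; it lists recent boots and, given the time a test change was made (the `-ChangeTime` parameter is a name chosen for this example), averages boot duration before and after it.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Reads boot-duration records (Event ID 100) from the Diagnostics-Performance
# log so boots before and after a troubleshooting change can be compared.
param(
    [int]$Last = 20,          # how many recent boot records to read
    [datetime]$ChangeTime     # assumption: when the test change was made (optional)
)

$hasChange = $PSBoundParameters.ContainsKey('ChangeTime')
$filter = @{
    LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
    Id      = 100
}

$boots = Get-WinEvent -FilterHashtable $filter -MaxEvents $Last -ErrorAction Stop |
    ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            BootSec     = [math]::Round([double]$data['BootTime'] / 1000, 1)
            MainPathSec = [math]::Round([double]$data['MainPathBootTime'] / 1000, 1)
            PostBootSec = [math]::Round([double]$data['BootPostBootTime'] / 1000, 1)
            Phase       = if ($hasChange -and $_.TimeCreated -ge $ChangeTime) { 'after' } else { 'before' }
        }
    } | Sort-Object Time

# One row per boot, oldest first.
$boots | Format-Table -AutoSize

# With -ChangeTime supplied, summarise the two groups side by side.
if ($hasChange) {
    $boots | Group-Object Phase | ForEach-Object {
        [pscustomobject]@{
            Phase      = $_.Name
            Boots      = $_.Count
            AvgBootSec = [math]::Round(($_.Group | Measure-Object BootSec -Average).Average, 1)
        }
    } | Format-Table -AutoSize
}
```

Several reboots on each side of the change give a more reliable comparison than a single boot, since the first boot after any driver or DLL change is often atypical.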

  • Hello, 

     

    We, as well as our clients, are experiencing exactly the same issue with Intercept X, regardless of hardware configuration. Most of our customers run BitDefender Antivirus through SolarWinds Remote Monitoring and Management (earlier GFI Max). We've configured the BitDefender software to not use behavioral scanning, so that it doesn't crash with anti-crypto software like for example Intercept X.

     

    Generally, we've always had reports of slowness after installing our security package, mostly though it was due to a combination of 4GB RAM and HDDs and generally age of the computers of our clients. The problem since 2.0 however, has appeared also on PCs with 16GB+ RAM, and top-shelf SSDs. 

     

    What our clients (and us as well) experience is basically this - Some programs just suddenly freezing out of nothing for like 3-10 seconds, some programs just crashing (IE for example, I know this is a known problem), boot time being extended horribly, domain-computers stuck on profile loading and general slowness and worse response time. ALL of this goes away after we uninstall Intercept X.

     

    Now, I have read some threads - Most of the responses and "proposed solutions" or "temporary solutions" make no sense. It's all fine and sunshine to do for one or two PCs, but once you get up in hundreds, maybe thousands, it's not so fun anymore. Solution for the IE crash problem seems to be to turn off Web Browser scanning - I mean, just that in itself is VERY dangerous and stupid to do if you are concerned about security. How can Sophos, a company that prides itself on selling security, even consider these to be viable temporary solutions? Jak suggests disabling functionality to test what is causing it - I suggest to Sophos to improve their logging, so that it isn't necessary for us to DISABLE FUNCTIONALITY to see what is causing trouble.

     

    Today we've put in motion every contact we have at Sophos. We're also trying our feedback here on the forums. Let's see what it takes to get our issues sorted out. Response time for the support got better for a while, and now they have disallowed sending mails to support@sophos.com, and they ask us to make a ticket. Replies to those tickets seem to come much slower, in addition I have yet to find where I can track back my ticket, if I even can at all...

  • In reply to Krystian Flemming:

    Krystian Flemming

    Now, I have read some threads - Most of the responses and "proposed solutions" or "temporary solutions" make no sense. It's all fine and sunshine to do for one or two PCs, but once you get up in hundreds, maybe thousands, it's not so fun anymore. Solution for the IE crash problem seems to be to turn off Web Browser scanning - I mean, just that in itself is VERY dangerous and stupid to do if you are concerned about security. How can Sophos, a company that prides itself on selling security, even consider these to be viable temporary solutions? Jak suggests disabling functionality to test what is causing it - I suggest to Sophos to improve their logging, so that it isn't necessary for us to DISABLE FUNCTIONALITY to see what is causing trouble.

    I absolutely second that.

  • In reply to nsiicm:

    I agree with the last 2 posts about "temporary solutions". What we need to do is contact all the Sophos Reps and SEs we have and pressure Sophos to look into the issue. I just spoke to our IT director, he doesn’t want to disable Intercept X or part of the option.

  • We're experiencing the same issue. All around poor PC performance (from boot up to any and all functions) after the latest InterceptX 2.x update. It's truly rendering many of our computers useless and wasting valuable time of our end users as well. I've tried peeling away different services and features through the Threat Management policy and that has had NO positive impact on performance. The only thing that works now is to uninstall the end point and reinstall WITHOUT InterceptX.  Sophos - I'm sure you're aware of the issue now. What is your game plan?

  • In reply to Scot Maples:

    My game plan is to uninstall from our client base until Sophos come up with a solution or workaround. I have repeatedly asked support to see if we can somehow revert to 1.X and then halt all updates. I'd rather have customers with lesser protection than unhappy customers who can't use their machines.  It's actually quite embarrassing considering we, as a Sophos Partner, upsell Intercept X.

    I am not having much luck with support even though our case has been escalated.

  • Hello again everyone, 

     

    I'd like to ask others in this thread - are you using any other antivirus software besides Intercept X? 

    In our setup we run it with BitDefender from SolarWinds RMM as well as Web Protection software. We experience very slow loading times of certain websites - up to 10 seconds - with both Web Protection and Intercept X installed on devices (that in addition to general slowness experienced on PCs). A solution is to turn off either Web Protection, or uninstall Intercept X again, with removal of Intercept X yielding much more promising results.

    Could it be that Intercept X just doesn't cooperate with other AV software? 

  • In reply to Krystian Flemming:

    In our 2 test laptops we disabled Bitdefender, and only AV running is Sophos, but that doesn’t improve anything.

  • In reply to Sam Sarcar:

    Have you tried completely removing BitDefender from the machines? 

    I noticed that when we snoozed Web Protection, the issues with internet for example persisted, but when we uninstalled it completely, it got a bit better.

    We've only knowledge of 1 machine where we ran Intercept X without BitDefender - it didn't help in that case as well. 

     

    In addition - surprisingly enough - the issues seem to disappear on SOME computers after a restart. Not on all of them, and in certain cases they disappear for a few hours, just to come back and bite again.

  • In reply to Krystian Flemming:

    Honestly speaking, I don’t want to uninstall this and that and disable this service and that service. We all know that the issue is Intercept X. We just need to keep pushing Sophos to address the issue. So far it seems like Sophos is not addressing this issue; if they are, then they are very quiet about it. I even pointed out this thread to our SE who escalated the issue but nothing so far from Sophos.

  • In reply to Sam Sarcar:

    I agree completely, but I asked purely out of curiosity. Since Sophos seems to ignore issues, we're trying internally to discover what's actually going on. Then, we can send all info we have to Sophos Support again. Maybe if we figure it out for them, they will finally react :)

  • In reply to Sam Sarcar:

    I have to agree with Sam. I can also confirm that Intercept X on its own is causing major issues with the 2.X update. I installed InterceptX on a vanilla Surface Pro 4 with no other A/V running apart from inbuilt Windows Defender and here are my results.

    Surface Pro 4 - Pre InterceptX

    27 seconds - restart to login screen

    5 seconds to load desktop after entering credentials

    30 seconds to load Skype for Business

    2 seconds to launch Task Manager

     

    Surface Pro 4 - Post InterceptX

    46 seconds - restart to login

    35 seconds to load desktop after entering credentials

    115 seconds to load Skype for Business

    10 seconds to load task manager

     

    I have also pointed this thread out to Support here in Australia and to our account manager. Still waiting ........

  • In reply to George Khalil:

    I forgot to mention, I also disabled the various policies one by one, until everything was disabled and that made ZERO effect on performance.  Just having Intercept X 2.X installed with all features disabled is an issue! 

  • In reply to Sam Sarcar:

    Well I didn’t uninstall Bitdefender but it’s disabled via GPO on test laptops.

    I did see some improvement in boot time (maybe 5 sec) when I disabled the following services in Intercept X

    Protect from master boot record ransomware

    Mitigate exploits in vulnerable applications

    Protect processes

    Protect critical functions in web browsers (Safe Browsing)

    Disabling “Safe browsing” and “Mitigate exploits in vulnerable applications” stops the IE crashing.