
Sophos Endpoint Intercept X 2.0 impacting Performance - slow?

On a new software build of Windows 10 on a T450 Lenovo, we found that at the end we installed Sophos Endpoint Intercept X 2.0 and it significantly slowed down the computer. All aspects of the computer became slow. On first bootup, connecting the Wi-Fi - slow. On login, the CPU would pin at 100% for long periods of time with high memory usage. All applications would be slow to open, printing would be very slow. This is a new laptop i5, 8 GB RAM, 256 SSD.

We would remove the Intercept X and the computer would return to normal operation.  Fast bootup, fast login, apps, etc...

Now for this customer, they use Trend Micro as their primary AV. We have Sophos Intercept X added on for the extra protection. We did not have issues previously until the Intercept X version went up to 2.0. Has anyone else noticed a large performance hit with Intercept X 2.0?




[locked by: SupportFlo at 11:42 PM (GMT -7) on 12 Mar 2019]
  • After reading this post I wanted to test if my boot times are delayed. We had reports of slow boot times but haven't been able to drill down into why.

    Machine I tested with:

    Dell Latitude E6540

    CPU: i7 3.0 GHz

    RAM: 16 GB

    Drive: SSD (don't know brand)

    OS: Windows 10 Pro 64bit

     

    Tests performed: 

    1. From a complete shutdown to desktop with all icons and taskbar icons showing

    2. A restart from a fully loaded desktop

     

    With Intercept X 2.0 & Core Agent 2.0

    Boot time from complete shutdown: First Attempt - 2 min 15sec. Second Attempt - 2 min 5 sec.

    Restart from desktop: First Attempt - 2 min 1 sec. Second Attempt - 2 min 7 sec

     

    Now for the shocking part.......

     

    With OUT Intercept X 2.0 & Core Agent 2.0

    Boot time from complete shutdown: First Attempt - 50 seconds. Second Attempt: 47 seconds.

    Restart from desktop: First Attempt - 52 seconds. Second Attempt: 51 seconds

     

    So it basically doubled my computer's boot times. Now, 2 minutes is not a god-awful amount of time to wait, but I could only imagine how an older machine would react to this, as the machine I tested on is pretty beefed up.

  • The details of the event log entries under: Applications and Services logs-Microsoft-Windows-Diagnostics-Performance/Operational might be interesting at a high level.

    Really though, I would suggest creating an ETL trace of boot using Windows Performance Recorder and submitting that to Sophos Support.

    Regards,

    Jak

  • Thank you for the response Jak, I am actually in the process of capturing boot times with Windows Performance Analyzer. Once I have more information and data I will be opening a case with Sophos. At this time I am seeing the main cause of these machines' slow boot time is from a process/service called "SophosFileScanner.exe" which according to KB 13029 is the Sophos Central Core Agent 2.0.0.

    I have also been playing with some settings with the software installed on the endpoints, by turning off services and timing boot times. If I turn off every single service, it only cuts boot time by 15 seconds. I also have been testing on a different OS, model, and specs and I am duplicating these long boot times.

    I am trying not to bash Sophos as I cannot say for 100% sure it's their fault, as I could have some settings in my Central portal that are causing these problems, but for the life of me I cannot find what it may be from playing with settings or searching every KB I can find.

  • Did Sophos ever come back with a fix for this issue?

  • I suppose a useful and very quick test would be to make a drive exclusion for simply:

    C:

    So under the "Threat Protection" policy for the computer you're testing with set it as follows:

    Note: it says (DRIVE).

    If you remove scanning load do times improve? At least this way you know it's not just the weight of the services, the SAVService, loading virus data, etc...

    You can check the exclusion has made it in a few places at the endpoint but the value OnAccessExcludeFilePaths under:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\
    is probably the easiest.

    If it does help then in theory an exclusion or two might suffice to restore speed.  If nothing else it would be useful info to help further understand the issue.

    If it doesn't help, disable the scanning of remote files.
    If it still doesn't help disable Tamper Protection for the computer in policy.

    These 3 tests help a lot to understand the nature of the issue.

    My next test if excluding C: helps, would be try a directory exclusion for say:

    C:\windows\

    This will cover busy directories as system32, syswow64, WinSxS, Microsoft.NET, etc... and would also be useful.

    At that point it might be worth capturing just a boot Process Monitor log with a destructive filter (to improve performance and reduce the log size) for file operations in C:\windows\. Once collected, add the Duration column and maybe filter to just ReadFile, WriteFile operations.

    From there it might narrow it down further.  This would be a fast way to troubleshoot the issue.

    Regards,

    Jak  
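The Process Monitor step suggested in the post above can be summarised offline once the boot log is saved as CSV. The following is an added example, not part of the original post or any Sophos tooling: it totals ReadFile/WriteFile time under C:\Windows\ per process. It assumes the export carries the default Process Monitor columns plus Duration (in seconds); the function name and all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a Process Monitor CSV export with the Duration
# column added. All rows, paths and timings are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"8:01:02.1000000 AM","SophosFileScanner.exe","1204","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS","Offset: 0, Length: 4,096","0.0412000"
"8:01:02.2000000 AM","SophosFileScanner.exe","1204","ReadFile","C:\Windows\WinSxS\example.manifest","SUCCESS","Offset: 0, Length: 1,024","0.0388000"
"8:01:02.3000000 AM","svchost.exe","880","WriteFile","C:\Windows\Temp\example.tmp","SUCCESS","Offset: 0, Length: 512","0.0021000"
"8:01:02.4000000 AM","explorer.exe","3020","ReadFile","C:\Users\test\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 128","0.0500000"
"8:01:02.5000000 AM","svchost.exe","880","CreateFile","C:\Windows\System32\ntdll.dll","SUCCESS","Desired Access: Read","0.0100000"
"8:01:02.6000000 AM","explorer.exe","3020","ReadFile","c:\windows\explorer.exe","SUCCESS","Offset: 0, Length: 4,096","0.0009000"
'''


def slowest_file_io(lines, prefix="C:\\Windows\\", ops=("ReadFile", "WriteFile")):
    """Return (process, operation count, total seconds) sorted by total time.

    Only rows whose Operation is in `ops` and whose Path starts with `prefix`
    (case-insensitive, as Windows paths are) are counted.
    """
    totals = defaultdict(lambda: [0, 0.0])
    wanted = prefix.lower()
    for row in csv.DictReader(lines):
        if row.get("Operation") not in ops:
            continue
        if not (row.get("Path") or "").lower().startswith(wanted):
            continue
        try:
            seconds = float(row.get("Duration") or "")
        except ValueError:
            continue  # Duration column missing or blank in this export
        entry = totals[row.get("Process Name") or "?"]
        entry[0] += 1
        entry[1] += seconds
    ranked = [(name, n, round(total, 6)) for name, (n, total) in totals.items()]
    return sorted(ranked, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for name, count, seconds in slowest_file_io(io.StringIO(SAMPLE_CSV)):
        print(f"{name:<24} {count:>6} ops {seconds:>10.4f} s")
```

For a real export, pass a file opened with `open(path, newline="", encoding="utf-8-sig")` so a leading byte-order mark, if present, does not corrupt the first header name.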

  • The performance issue will be fixed with the next Intercept X release (2.0.4) when HitmanPro will reach the version 3.7.6.

    Regards.

  • When will this update be released?

  • Just adding my case to this. I'm on Core Agent 2.0.3

     

    High spec'd Dell laptops. Running like dogs with this installed. CPU sitting, not spiking, but sitting between 85 - 90% at all times. Rendering the user getting p'd off with IT. 

     

    Please when will this be resolved?

  • The currently planned rollout release of Central Intercept X 2.0.4 is May 2018.

    Please find more information here: http://downloads.sophos.com/readmes/sesc_interceptx_rneng.html

    Keep in mind that Sophos rolls out a version update over time before making it GA, therefore it may take some time before you receive it.

    Thank you for your patience.

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support