Sophos pulling 532MB of memory to run?

Hi there, 

I am trialling Sophos on our small office network (10 PCs). As our machines are quite old and slow, an important requirement for me is performance. This morning I logged onto my machine and noticed absolutely everything was really sluggish. I opened up task manager and found that Sophos was pulling 532MB of memory! I thought, oh, it might just be scanning. So I opened Sophos itself to check, nope nothing told me it was scanning.

I phoned Sophos support. I spoke to a young lady who first diligently took about 10 minutes in trying to get the correct spelling of my email address and company name. After what seemed to be an eternity she answered with "anything up to 1000MB is normal, so 500MB is normal. There's no problem." But my Sophos isn't scanning anything, "its normal" she said.

Is this true? It's normal for Sophos to hang around idly and suck up 500MB of memory?... is that really normal? I really hope its not otherwise Sophos is not at all for me. If it is not normal, can anyone explain by look at task manager what was consuming my resources?



  • In reply to Michelle99:

    Hi Michelle,

    Have you had any luck with support addressing the performance issues? 4 GB of RAM and an HDD should be sufficient to run the full Intercept X Advanced product, unless your machines were really up against the RAM ceiling in the first place. While the product does use a lot of working memory, it's not normal for it to slow systems like this to a crawl.

    One thing that does come to mind: when you first install Sophos Endpoint, I think it might perform a full system scan. That can take quite a while and cause a lot of disk activity. So it's possible that the slowdowns are temporary and will resolve once the initial scans are complete.

    In any case, please feel free to make use of the community here, the Sophos section on Spiceworks, and our support team to ensure you're getting the answers you need. Hopefully you'll be able to take full advantage of Intercept X Advanced in the near future!


  • In reply to Maxim-Sophos:

    Hi Maxim, thank you for your reply message. As mentioned in my initial post - - I phoned Sophos and they told me it was exactly normal. Sophos trial has been installed for a month now. Since installation, I've had a full scan scheduled twice a week at night. I've checked the log. The scans have been completed. 


    Do you have any other ideas on what I can do, I'm all ears?

  • In reply to ANGEL65:

    Hello ANGEL65,

    again, just my personal opinion.
    why do I need the classic AV
    as said, Intercept X and its siblings are likely not malware's downfall. It is - and always has been - an arms race. In the early days you could easily identify malware by certain "patterns" (i.e. byte sequences) or its checksum (surprisingly the notion that this is more or less what AV software does and needs to do seems to prevail). Malware was rare and most tools could detect you one (family of) malware. This soon became infeasible - checking a diskette with a dozen of different anti-this-or-that was more than impractical - so "universal" tools emerged that used a list of patterns and checksums. Malware started to modify the checksum of its copies and to hide telltale strings or byte sequences. Thus the task became more complex for the scanners. The next step for malware was polymorphism and server-side polymorphism. As similar techniques are used by legitimate software (e.g. to protect "intellectual property") the risk of false positives increased. Naturally it's more and more appealing to wait for the malware to reveal itself and catch it just before it will cause harm.
    Nevertheless the detection rate of classic AV is still very good: So why not also preventing malware from running or even to get downloaded instead of only waiting for it to exhibit malicious behaviour? cloud based "Mugshots" work if you use them infrequently - or you cache them, IMO they aren't a replacement for a local database. Live Protection is an extra lookup to get the latest information in special cases.
    Even if I no longer need Classic I'd prefer to have two independent layers. BTW - why are you running full scans? Is such a scan (whether classic or cutting-edge) really necessary? What extra protection could you get from it?


  • In reply to QC:

    Christian,  thanks for your input.  You seem to be very helpful in this forum :)

    I only run full scan weekly.  Just to double check during off peak hours.   But I have settled on my Sophos Intercept X with Advanced.  Seems to be running nicely and it has great protection.  I have plenty of RAM so I shouldn't worry about it's usage.  Only things I have disabled is web protection "Using Sophos XG" and HIPS.  Feel like HIPS slows down my PC a bit.  Hitmanpro.alert should catch most of the behavior stuff.

    Would you be able to tell me if Windows built in Exploit protection still needs to be turned on?  Intercept X Seems to do all that.  Was reading this document..

    Windows has Most of the Exploit Prevention built in.  So isn't both running doing the same checks?

    Enforce Data Execution Prevention

    Mandatory Address Space Layout Randomization

    Bottom-up ASLR


  • In reply to ANGEL65:

    Hello ANGEL65,

    Would you be able to tell me
    I'm afraid, no. I'm not using Intercept X. As I'm not aware of any recommendations I suppose you should simply leave the Windows settings alone.
    But perhaps someone with real knowledge will answer.