Sophos Central Real Time Scanning "Internet" slow down

So I've been pulling my hair out for the past month with internet slowness, high ms when pinging, and resolving DNS. I think I found the issue and am not sure how I could fix it. It turns out if I disable "Internet" within the Sophos Central menu, everything runs a lot smoother. Does anyone else experience this? Is there a fix to this?



  • Hi  

    Issues with poor web browsing performance are usually the cause of multiple web filters fighting for the same traffic to scan on a system. Process Monitor logs should be helpful to see what actually is causing the issue. I would recommend you to open a support case as it would require an in-depth investigation. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • I am having the same issue on one computer. Were you able to get any technical details on what was causing this performance issue besides just the Sophos filtering?

  • Hello  

    Does the performance issue only occur in one browser or does it occur in all browsers installed on that machine? Does it affect one website, for example, or all sites in general? Did you try running Process Monitor as  suggested to see if there are persistent processes that are running whilst browsing?

    Please confirm what specifically is affected (RAM, CPU, etc), and check which specific Sophos component(s) seem to be causing the issue, following this KB:

    Sophos Central Endpoint: Basic troubleshooting

  • Thanks for the quick reply, Dianne. The issue I'm seeing is experienced in all browsers (Firefox, Chrome, Edge)... It seems to be most apparent any time an HTTPS connection is being made. Firefox will even show "Performing a TLS handshake to " for a second or two or three and sometimes multiple domains depending on the web site. It is most apparent when you first load that web site. Subsequently, browsing the web site is much faster. There are no apparent resource bottlenecks (RAM, CPU, disk, network). The issue disappears as soon as I disable Sophos Endpoint Real Time scanning of "Internet".

    I have just run Process Monitor, which I have used many times over the years, but it is like looking for a needle in a haystack typically. I'm not sure what I should be looking for if I've determined the delays go away when disabling the Sophos Internet Real Time scanning.

    The only other filtering systems on my Windows 10 machine are Cisco Umbrella Roaming Client, which I've tried disabling, and that doesn't make any difference. There is also the built-in Windows Defender Antivirus, which continues to run in the background but is not actively scanning from my understanding.

    We have deployed this software on hundreds of machines and the only machine I have consistently seen the problem with is my own laptop.

    Other ideas? I have opened a case on this in the past and was asked to enable SWI verbose logging, which then promptly generated a 10 GB+ log file overnight and filled the C volume.

  • Hello  

    Interesting that you mentioned Windows Defender - can you disable this completely and see if the issue persists? Ideally third party AV or scanning applications shouldn't be running alongside each other if they perform similar features, otherwise this may cause performance issues.

    You also mentioned Cisco Umbrella Roaming Client -- some features of this may be interacting with Real-time Scanning (Internet) features. If this application has vendor-recommended A/V exclusions, it is best to include this in your Threat Protection Policy in Sophos.

    I also found this: https://support.umbrella.com/hc/en-us/articles/230901148-Umbrella-Roaming-Client-Known-Incompatibilities-

    Perhaps adding 127.0.0.1 as a Website Exclusion (in your Threat Protection Policy's Scanning Exclusions) also helps?

    If that does not help, I would suggest uninstalling Cisco Umbrella Roaming Client completely (together with disabling Windows Defender) to see if the issue still occurs. I would think that what Cisco Umbrella Roaming Client does could be similar to what Sophos Internet Real-time scanning does, and both cannot be enabled.

  • Thanks for the ideas, Dianne. Still no luck at this point. Here's what I have tried so far.

    Added 127.0.0.1 as a Website Exclusion in Sophos Endpoint Threat Protection policy. That didn't make any difference in my observations.

    I stopped the Cisco Umbrella Roaming Client service and verified connectivity to a reliable DNS server (9.9.9.9). That didn't make any difference in my observations.

    I verified Windows Defender Antivirus realtime scanning is already disabled. There is no supported way to uninstall Windows Defender Antivirus from Windows 10.

    I also saw that Umbrella article a few months ago and checked with Sophos technical support to see if there was any known compatibility issue with Sophos Endpoint Protection and they checked into it and found no known compatibility issues.

    Double checking Chrome for performance, I see "Establishing secure connection..." and "Waiting for ..." on loading web sites for 1 or more seconds. Web sites take about 3-10 seconds to load.

    I just checked loading www.sophos.com and it took 13 seconds to load the page.

    I disabled Sophos Real Time Internet scanning, and pages load entirely in about 2 seconds.
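
One way to narrow down the symptom described in the post above (an added example, not part of the original thread and not a Sophos tool): time DNS, TCP connect, TLS handshake and first response byte separately, once with real-time Internet scanning enabled and once with it disabled, then compare the medians. The function names, the 0.25 s threshold and the sample timings are constructed for illustration.

```python
import socket, ssl, statistics, sys, time

PHASES = ("dns", "tcp_connect", "tls_handshake", "first_byte")

def time_phases(host, port=443, timeout=20.0):
    """Time each phase of one fresh HTTPS request, in seconds."""
    t0 = time.perf_counter()
    # IPv4 only, so repeated runs take the same network path.
    addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    t1 = time.perf_counter()
    raw = socket.create_connection((addr, port), timeout=timeout)
    t2 = time.perf_counter()
    ctx = ssl.create_default_context()  # new context each run: no session reuse
    with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake runs here
        t3 = time.perf_counter()
        tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        tls.recv(1)  # block until the first response byte arrives
        t4 = time.perf_counter()
    return dict(zip(PHASES, (t1 - t0, t2 - t1, t3 - t2, t4 - t3)))

def median_phases(samples):
    """Median per phase; the OS DNS cache makes later 'dns' samples small."""
    return {p: statistics.median(s[p] for s in samples) for p in PHASES}

def slowed_phases(on, off, min_delta=0.25):
    """Phases whose median is at least min_delta seconds slower with scanning on."""
    slow = [(p, round(on[p] - off[p], 3)) for p in PHASES if on[p] - off[p] >= min_delta]
    return sorted(slow, key=lambda item: item[1], reverse=True)

# Constructed sample timings (seconds), shaped like the symptom in the thread.
SAMPLES_ON = [
    {"dns": 0.02, "tcp_connect": 0.03, "tls_handshake": 2.1, "first_byte": 0.20},
    {"dns": 0.03, "tcp_connect": 0.03, "tls_handshake": 1.8, "first_byte": 0.30},
    {"dns": 0.02, "tcp_connect": 0.04, "tls_handshake": 2.4, "first_byte": 0.25},
]
SAMPLES_OFF = [
    {"dns": 0.02, "tcp_connect": 0.03, "tls_handshake": 0.10, "first_byte": 0.20},
    {"dns": 0.02, "tcp_connect": 0.03, "tls_handshake": 0.12, "first_byte": 0.20},
    {"dns": 0.03, "tcp_connect": 0.03, "tls_handshake": 0.11, "first_byte": 0.22},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live measurement: python script.py www.sophos.com
        print(median_phases([time_phases(sys.argv[1]) for _ in range(5)]))
    else:                  # offline: compare the constructed samples
        print(slowed_phases(median_phases(SAMPLES_ON), median_phases(SAMPLES_OFF)))
```

Run the live measurement against the same host in both states and pass the two median dictionaries to `slowed_phases`; a delta confined to one phase gives support something concrete to look at in a Process Monitor capture.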

  • Hello Luke,

    Thanks for the update. I was thinking that the website exclusion should resolve it. If there are any other web filtering or scanning applications, their executables should come up in your Process Monitor (procmon) logs; see if anything seems to be persistent in the logs, or if it seems to need to connect to a certain address.

    Disabling services may not completely keep certain applications from injecting their processes into other applications that do similar functions, such as Sophos. I would still try uninstalling just to get that out of the picture, to help isolate what other application may be causing the problem.

    If anything, please raise an issue with support with the following to have this issue reviewed further:

    You may post or DM us with your ticket number and we will provide updates which may help our community users who may be seeing the same issue.