FIXED: Sophos System Protection Service (SSPService.exe) has high RAM Usage when using Splashtop
Issue / Fault definition
We started to receive calls to our helpdesk around 8 am after the bank holiday break. Users initially reported slow boot-up of client devices, Internet dropouts when they finally did get logged on, and slow server access. Upon investigating, we found that the Sophos System Protection Service (SSPService.exe) had high RAM usage of 95%+ when Splashtop was installed on the server. This is due to the logs that Splashtop creates in “C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\” being constantly scanned by Sophos.
Impact
The impact is that the server becomes unusable, as all of its memory is consumed by the Sophos System Protection Service (SSPService.exe) scanning the Splashtop logs.
Known Fixes / Solutions
The fix for this is to add the path “C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\” to the Sophos Global exceptions list so that Sophos System Protection Service (SSPService.exe) no longer scans the folder location continuously.
Once the exceptions are in place, the service needs to be restarted for the device to pick up the policy. To do this, you may need to centrally or locally disable Sophos Tamper Protection to gain access to end the service manually and then restart it.
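To confirm a server actually shows this symptom before adding the exclusion, the following read-only check reports how much memory SSPService.exe holds and how actively the Splashtop log folder is being written. This is an added example, not part of the original fix or of any Sophos or Splashtop tooling; the function names and the 5-minute look-back window are assumptions.

```powershell
# Added diagnostic sketch. Read-only; changes nothing on the server.
$LogPath     = 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\'  # path from this page
$ProcessName = 'SSPService'   # SSPService.exe, named on this page
$WindowMin   = 5              # assumption: look-back window for log activity

function Get-MemoryShare {
    param([string]$Name)
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $total = [double]$os.TotalVisibleMemorySize * 1KB   # property is reported in KB
    $free  = [double]$os.FreePhysicalMemory * 1KB
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    $ws = 0
    foreach ($p in $procs) { $ws += $p.WorkingSet64 }
    [pscustomobject]@{
        Process         = $Name
        Running         = $procs.Count -gt 0
        WorkingSetMB    = [math]::Round($ws / 1MB, 1)
        ProcessSharePct = [math]::Round(100 * $ws / $total, 1)
        SystemInUsePct  = [math]::Round(100 * ($total - $free) / $total, 1)
    }
}

function Get-LogChurn {
    param([string]$Path, [int]$Minutes)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # Splashtop not installed here
    $files  = @(Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue)
    $cutoff = (Get-Date).AddMinutes(-$Minutes)
    $recent = @($files | Where-Object { $_.LastWriteTime -ge $cutoff })
    $bytes = 0
    foreach ($f in $files) { $bytes += $f.Length }
    [pscustomobject]@{
        Path            = $Path
        FileCount       = $files.Count
        TotalSizeMB     = [math]::Round($bytes / 1MB, 1)
        WrittenInWindow = $recent.Count   # files modified in the last $Minutes minutes
        NewestWrite     = ($files | Sort-Object LastWriteTime -Descending |
                           Select-Object -First 1).LastWriteTime
    }
}

Get-MemoryShare -Name $ProcessName | Format-List
Get-LogChurn -Path $LogPath -Minutes $WindowMin | Format-List
```

Run it before the change and again after the exclusion is applied and the service has been restarted to compare the SSPService.exe working set. Keeping the exclusion limited to this one log folder leaves the rest of the Splashtop installation scanned.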
Veeam issues
We have also found that the problem affects Veeam, giving the error below. A reboot resolves this.
Splashtop issues
You can run the following if you are a SyncroMSP customer and must re-install Splashtop due to high CPU usage from the SRAgent.exe service. Thanks to j.mcbride for the script.
The high CPU usage from Splashtop also causes high CPU usage for Sophos. Reinstalling Splashtop solves both issues.
Before re-install
After re-install, you can see the CPU usage drop rapidly
    Import-Module $env:SyncroModule

    # Uninstall Splashtop Streamer
    $Program = "Splashtop Streamer"

    # Collect uninstall entries from both the 64-bit and 32-bit registry views
    $INSTALLED = @(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Select-Object DisplayName, UninstallString)
    $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Select-Object DisplayName, UninstallString

    $SEARCH = $Program
    $RESULT = $INSTALLED | Where-Object { $_.DisplayName -ne $null } |
        Where-Object { $_.DisplayName -match $SEARCH }
    Write-Host "We found the following program match: $RESULT"

    if (-not $RESULT) {
        # Nothing to uninstall; carry on to the UUID reset and forced sync
        Write-Host "No installed program matching '$Program' was found"
    } elseif ($RESULT.UninstallString -like "msiexec*") {
        # MSI install: turn "/I{GUID}" into "/X {GUID} /q" for a quiet uninstall
        $UninstallArgs = (($RESULT.UninstallString -split ' ')[1] -replace '/I', '/X ') + ' /q'
        Start-Process msiexec.exe -ArgumentList $UninstallArgs -Wait
    } else {
        # Non-MSI installer: run its uninstaller silently
        Start-Process $RESULT.UninstallString -ArgumentList '/VERYSILENT' -Wait
    }

    # Clear Streamer UUID
    Set-Asset-Field -Name "Splashtop UUID" -Value ""

    # Force Sync
    $UpdateTime = (Get-Date).ToUniversalTime().AddMinutes(5).ToString("yyyy-MM-ddTHH:mm:ss.0000000Z")

    # Update Syncro last_sync registry value
    Set-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "last_sync" -Value "$UpdateTime"

    # Run the given code in a separate, hidden PowerShell process
    function Run-InNewProcess {
        param([String] $code)
        $code = "function Run{ $code }; Run $args"
        $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($code))
        Start-Process -WindowStyle Hidden PowerShell.exe -ArgumentList '-windowstyle', 'hidden', '-noExit', '-encodedCommand', $encoded
    }

    $script = {
        $CurrentDateString = (Get-Date).ToString("yyyyMMdd")
        $LogLocation = "C:\ProgramData\Syncro\logs\$CurrentDateString-Syncro.Service.Runner.log"

        # Load the Syncro module, falling back to the on-disk copy if the environment variable is not set
        try {
            Import-Module $env:SyncroModule -ErrorAction Stop
        } catch {
            $env:RepairTechUUID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "uuid").uuid
            $env:RepairTechApiBaseURL = "syncromsp.com"
            $env:RepairTechApiSubDomain = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "shop_subdomain").shop_subdomain
            $env:RepairTechFilePusherPath = "$($env:PROGRAMDATA)\Syncro\bin\FilePusher.exe"
            Import-Module "$($env:PROGRAMDATA)\Syncro\bin\module.psm1" 3>$null
        }

        Start-Sleep -s 10
        Restart-Service -Name "Syncro" -Force
        Log-Activity -Message "Restarted Syncro Service for Full Sync" -EventName "SyncroRestart"

        # Hack to get Get-Content -wait to work properly
        # $LogLocation is passed in explicitly because jobs do not inherit the caller's variables
        $hackJob = Start-Job {
            param($LogLocation)
            $f = Get-Item $LogLocation
            while (1) {
                $f.LastWriteTime = Get-Date
                Start-Sleep -Seconds 1
            }
        } -ArgumentList $LogLocation

        # Job that confirms if the sync happened
        $job = Start-Job {
            param($LogLocation)
            try {
                Import-Module $env:SyncroModule -ErrorAction Stop
            } catch {
                $env:RepairTechUUID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "uuid").uuid
                $env:RepairTechApiBaseURL = "syncromsp.com"
                $env:RepairTechApiSubDomain = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "shop_subdomain").shop_subdomain
                $env:RepairTechFilePusherPath = "$($env:PROGRAMDATA)\Syncro\bin\FilePusher.exe"
                Import-Module "$($env:PROGRAMDATA)\Syncro\bin\module.psm1" 3>$null
            }
            Get-Content $LogLocation -Tail 0 -Wait |
                Where-Object { $_ -match "Large sync complete" } |
                ForEach-Object { Log-Activity -Message "Full Sync Successful" -EventName "SyncroFullSync"; break }
        } -ArgumentList $LogLocation

        # Wait for the Activity-Log job to complete or to timeout
        Wait-Job $job -Timeout 60

        # Cleanup jobs
        Get-Job | Stop-Job
        Get-Job | Remove-Job
    }

    Run-InNewProcess $script | Out-Null
    Exit 0
External Links
https://support.sophos.com/support/s/article/KB-000045230?language=en_US