FIXED: Sophos System Protection Service (SSPService.exe) has high RAM Usage when using Splashtop

Issue / Fault definition

We started to receive calls to our helpdesk around 8 am after the bank holiday break. Users initially reported slow boot-up of client devices, Internet dropouts once they finally did get logged on, and slow server access. On investigation, we found that the Sophos System Protection Service (SSPService.exe) had high RAM usage of 95%+ when Splashtop is installed on the server. This is due to the logs that Splashtop creates in “C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\” being constantly scanned by Sophos.
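
One way to confirm this condition on a server before changing any Sophos policy is to measure how much memory SSPService.exe holds and how actively the Splashtop log folder is being written. This is an added example, not part of the original post or of any Sophos or Splashtop tooling; the function name Get-SspSplashtopSnapshot and the 15-minute window are assumptions chosen for illustration.

```powershell
# Added example: snapshot of SSPService.exe memory and Splashtop log activity.
# The function name and the default 15-minute window are illustrative assumptions.
function Get-SspSplashtopSnapshot {
    param(
        [string] $LogPath = 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log',
        [int]    $RecentMinutes = 15
    )

    # Total physical memory in bytes (TotalVisibleMemorySize is reported in KB)
    $totalBytes = (Get-CimInstance -ClassName Win32_OperatingSystem).TotalVisibleMemorySize * 1KB

    # Working set of the Sophos System Protection Service; stays 0 if it is not running
    $sspBytes = 0
    foreach ($p in @(Get-Process -Name 'SSPService' -ErrorAction SilentlyContinue)) {
        $sspBytes += $p.WorkingSet64
    }

    # Every file under the Splashtop log folder (empty list if the folder is absent)
    $files = @()
    if (Test-Path -LiteralPath $LogPath) {
        $files = @(Get-ChildItem -LiteralPath $LogPath -File -Recurse -ErrorAction SilentlyContinue)
    }

    # Total size, and the files written inside the recent window (a rough churn indicator)
    $sizeBytes = 0
    foreach ($f in $files) { $sizeBytes += $f.Length }
    $cutoff = (Get-Date).AddMinutes(-$RecentMinutes)
    $recent = @($files | Where-Object { $_.LastWriteTime -ge $cutoff })
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        SspWorkingSetMB      = [math]::Round($sspBytes / 1MB, 1)
        SspPercentOfRam      = [math]::Round(100 * $sspBytes / $totalBytes, 1)
        LogFileCount         = $files.Count
        LogSizeMB            = [math]::Round($sizeBytes / 1MB, 1)
        FilesWrittenRecently = $recent.Count
        NewestLogWrite       = $newest.LastWriteTime
    }
}

# Run elevated on the affected server; repeat after the fix to compare the two snapshots
Get-SspSplashtopSnapshot | Format-List
```

A high SspPercentOfRam together with a NewestLogWrite that keeps advancing between runs matches the behaviour described above.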

Impact

The impact is that the server becomes unusable, because all of its memory is consumed by the Sophos System Protection Service (SSPService.exe) scanning the Splashtop logs.

Known Fixes / Solutions

The fix for this is to add the path “C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\” to the Sophos Global exceptions list so that Sophos System Protection Service (SSPService.exe) no longer scans the folder location continuously.

Once the exceptions are in place, the service needs to be restarted for the device to pick up the policy. To do this, you may need to disable Sophos Tamper Protection, centrally or locally, to gain access to end the service manually and then restart it.

Veeam issues

We have also found that the problem affects Veeam giving the error below. A reboot resolves this.

Splashtop issues

You can run the following script if you are a SyncroMSP customer and must re-install Splashtop due to high CPU usage from the SRAgent.exe service. Thanks to j.mcbride for the script.

The high CPU usage from Splashtop also causes high CPU usage for Sophos. Reinstalling Splashtop solves both issues.

Before re-install

After re-install, you can see the CPU usage drop rapidly

Import-Module $env:SyncroModule

# Uninstall Splashtop Streamer
$Program = "Splashtop Streamer"
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, UninstallString
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, UninstallString
$SEARCH =$Program
$RESULT =$INSTALLED | ?{ $_.DisplayName -ne $null } | Where-Object {$_.DisplayName -match $SEARCH } 
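Write-Host "We found the following program match: $RESULT"

# Only attempt the uninstall when a matching entry was found
if (-not $RESULT) {
    Write-Host "$Program is not installed; nothing to uninstall."
} elseif ($RESULT.UninstallString -like "msiexec*") {
    # $args is an automatic variable, so build the msiexec arguments under another name
    $MsiArgs = (($RESULT.UninstallString -split ' ')[1] -replace '/I','/X ') + ' /q'
    Start-Process msiexec.exe -ArgumentList $MsiArgs -Wait
} else {
    Start-Process $RESULT.UninstallString -ArgumentList '/VERYSILENT' -Wait
}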

# Clear Streamer UUID
Set-Asset-Field -Name "Splashtop UUID" -Value ""

# Force Sync
$UpdateTime = (Get-Date).ToUniversalTime().AddMinutes(5).ToString("yyyy-MM-ddTHH:mm:ss.0000000Z")
#Update Syncro last_sync registry value
Set-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "last_sync" -Value "$UpdateTime"
 
function Run-InNewProcess{
  param([String] $code)
  $code = "function Run{ $code }; Run $args"
  $encoded = [Convert]::ToBase64String( [Text.Encoding]::Unicode.GetBytes($code))
 
  start-process -WindowStyle hidden PowerShell.exe -argumentlist '-windowstyle','hidden','-noExit','-encodedCommand',$encoded
}
 
$script = {
    $CurrentDateString = (Get-Date).ToString("yyyyMMdd")
    $LogLocation = "C:\ProgramData\Syncro\logs\$CurrentDateString-Syncro.Service.Runner.log"
    
    try {
        Import-Module $env:SyncroModule -erroraction stop 
    }
    catch {
        $env:RepairTechUUID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "uuid").uuid
        $env:RepairTechApiBaseURL = "syncromsp.com"
        $env:RepairTechApiSubDomain = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "shop_subdomain").shop_subdomain
        $env:RepairTechFilePusherPath = "$($env:PROGRAMDATA)\Syncro\bin\FilePusher.exe"
 
        Import-Module "$($env:PROGRAMDATA)\Syncro\bin\module.psm1" 3>$null
    }
    
    Start-Sleep -s 10; 
    Restart-Service -Name "Syncro" -Force
    
    Log-Activity -Message "Restarted Syncro Service for Full Sync" -EventName "SyncroRestart"
 
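    # Hack to get Get-Content -wait to work properly
    # (the log path is passed in because a job does not see the caller's variables)
    $hackJob = Start-Job { param($LogLocation)
      $f=Get-Item $LogLocation
      while (1) {
        $f.LastWriteTime = Get-Date
        Start-Sleep -Seconds 1
      }
    } -Arg $LogLocation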
    
    # Job that confirms if the sync happened
    $job = Start-Job { param($LogLocation)
            try {
                Import-Module $env:SyncroModule -erroraction stop 
            }
            catch {
                $env:RepairTechUUID = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "uuid").uuid
                $env:RepairTechApiBaseURL = "syncromsp.com"
                $env:RepairTechApiSubDomain = (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\RepairTech\Syncro" -Name "shop_subdomain").shop_subdomain
                $env:RepairTechFilePusherPath = "$($env:PROGRAMDATA)\Syncro\bin\FilePusher.exe"
 
                Import-Module "$($env:PROGRAMDATA)\Syncro\bin\module.psm1" 3>$null
            }
        
        Get-Content $LogLocation -tail 0 -wait | where { $_ -match "Large sync complete" } |% { Log-Activity -Message "Full Sync Successful" -EventName "SyncroFullSync"; break }
    } -Arg $LogLocation
    
    # Wait for the Activity-Log job to complete or to timeout
    Wait-Job $job -Timeout 60
    
    # Cleanup jobs
    Get-Job | Stop-Job
    Get-Job | Remove-Job
}
 
Run-InNewProcess $script | Out-Null
 
Exit 0

External Links

https://support.sophos.com/support/s/article/KB-000045230?language=en_US

https://community.sophos.com/intercept-x-endpoint/f/discussions/140645/sspservice-exe-consuming-huge-amounts-of-ram
