High CPU usage after install

sbateman17
Level 1

We have just installed AMP for Endpoints on all of our workstations. We now seem to be getting a lot of complaints about slowness; when I go into Task Manager on their PCs, the process (sfc.exe) is a lot of times consuming their CPU. I checked to see if it was scanning, which it is not per the workstation or Dashboard. Are there any steps we can take on the Sourcefire connector to keep the CPU usage fairly low?


Rick Rowe
Level 1

We had the same issue with servers and had to create exclusion lists for several types of devices. Did you try the recommended exclusion list from Cisco? If so, then check the DIAG tool.

http://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/118802-technote-fireamp-00.html

Thanks Rick, this helped a lot. It seems the generic exclusions Cisco had for McAfee were a little outdated from what we have with McAfee. McAfee recently upgraded their Endpoint Solution to the ePolicy cloud-based solution, so the file paths which they had us exclude were actually not valid on our Endpoints. I thought this would have covered it (CSIDL_PROGRAM_FILES\Common Files\McAfee) but it apparently does not. Maybe I am wrong here, but I added this path to our exclusions list:

Path: C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe

After doing so the sfc.exe process drastically dropped to <1% on my CPU usage.  I will continue to monitor but I believe this helped.   Thanks again.  
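The check described in the reply above (do the excluded paths actually exist on the endpoint, and did sfc.exe CPU drop) can be scripted. This is an added example, not part of the original thread or Cisco's tooling; it assumes `CSIDL_PROGRAM_FILES` maps to `%ProgramFiles%`, an English-language counter name, and uses only the two exclusion entries quoted in the thread.

```powershell
# Added example: exclusion entries are the two quoted in this thread.
$exclusions = @(
    'CSIDL_PROGRAM_FILES\Common Files\McAfee',
    'C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe'
)

# Assumption: only this CSIDL token is expanded; add others your policy uses.
$csidl = @{ 'CSIDL_PROGRAM_FILES' = $env:ProgramFiles }

function Resolve-ExclusionPath {
    param([Parameter(Mandatory)][string]$Entry)
    # Split off the first path segment and expand it if it is a known token.
    $parts = $Entry -split '\\', 2
    if ($csidl.ContainsKey($parts[0])) {
        if ($parts.Count -eq 1) { return $csidl[$parts[0]] }
        return (Join-Path $csidl[$parts[0]] $parts[1])
    }
    return $Entry
}

# Report every exclusion that does not resolve to a real file or folder here.
# A missing path means the exclusion protects nothing on this machine.
$report = foreach ($entry in $exclusions) {
    $path = Resolve-ExclusionPath -Entry $entry
    [pscustomobject]@{
        Exclusion = $entry
        Resolved  = $path
        Exists    = Test-Path -LiteralPath $path
    }
}
$report | Format-Table -AutoSize

# Sample sfc.exe CPU for about 10 seconds. The counter is per-core,
# so divide by logical processors to match what Task Manager shows.
$cores   = [Environment]::ProcessorCount
$samples = Get-Counter '\Process(sfc)\% Processor Time' -SampleInterval 2 `
               -MaxSamples 5 -ErrorAction SilentlyContinue
if ($samples) {
    $avg = ($samples.CounterSamples.CookedValue |
            Measure-Object -Average).Average / $cores
    '{0:N1}% average CPU for sfc.exe' -f $avg
} else {
    'sfc.exe is not running or the counter is unavailable.'
}
```

Run it before and after a policy change so the CPU figures are comparable, and treat any row with `Exists = False` as an exclusion to correct or remove rather than broaden.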

Hello Sbateman,

The behaviour that you saw with the latency is expected if you didn't use the exclusions. To isolate the issue, as a best practice, you can try installing FireAMP on a test machine, put these exclusions in place, and monitor for a few days.

http://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/118802-technote-fireamp-00.html

If it still continues, check the policy that has been applied to these machines. If the behaviour continues, then as the second test, please disable the policy and see if the latency reduces.

Rate and mark the answers correct and the posts which help you

Regards

Jetsy 
