This is an Old issue in the AV world and needs to be corrected soon! I can't believe Cisco has not gotten on this yet.

Hello @ITandCoffee,

i also opened an internal Feature Request for this.

• AMP4E-I-1144: Limit CPU usage for OnDemand Scans

Greetings,

Thorsten

BTW, you can ping your Cisco Representative to open a similar FR for you.

Greetings,

Thorsten

We also have a large enterprise client experiencing the same issue reported here.  The client runs BitDefender AV and we have most things excluded that would interfere with each other, but nonetheless the problem persists when the users access files on file servers.

Have you heard back on this request?  Did they provide a work around other than simply disabling the feature?

Thank you in advance.

We turned off the Tetra Engine in the AMP4E policy.  Only the Ethos and Speros engines are running.  The currently installed Bidefender is only for AV, no other special features are presently in use.

Hello @jdomin01sa,

have you tested to install the AMP Connector using the /skiptetra 1 installer command line? The difference is, the Tetra Driver is not installed. Even you disable the feature in the policy, the driver still exists on the system.

Greetings,

Thorsten

Hello @jdomin01sa,

what problems do you see with File Shares? Because AMP does not scan network drives.

Greetings,

Thorsten

You posed two questions:  First question regarding "/skiptetra" yes, i believe this is how we have deployed the AMP client to all the workstations along with several other CLI switches.  I will double check though just to be sure.

Second question:  When we tested each a few workstations at each of the 28 sites that we have deployed to, we effectively saw this behavior.  When accessing any files coming from a file share the CPU shot up 100% as the file was being launched.  This files were either word, excel or pdf type files from what I was told.  I myself will be engaging into the testing here shortly, but as of now the tests all showed the machine coming to a crawl during any file access that was based on a share.  We did try to disable bit defender AV product installed locally (not Tetra engine) and that did not have any affect against the high CPU usage.  The machine and the users access still exhibited the same issues.

All great questions.  Thank you for trying to help.

Just some info that we gathered today during some testing.  We found the setting that is causing he high CPU usage and high latency of copying files across the network.  Although it does not really makes sense to us, here we go.

We duplicated the current production policy and pulled out a machine that was known to be slow and latent when accessing and copy files from a network share.  This machine was bench marked prior and after the changes were made.  A significant change in behavioral speed and reduced CPU usage was identified.  The change that seems to have rectified the impact to all 2700 users on AMP, was:

the "Advanced Settings"-->"File and Process Scan"--"Monitor File copies and moves".  This setting was previous "enabled" and was causing the client to reach 100% CPU and causing really slow file transfer times.  During our initial test when this was enabled, the copy of a 350 GB file from a network share to the workstation took approximately 6+ minutes.  

Once we disabled the settings and re-polled the policy on hte client side, the client only used 30% CPU and the same file copied in just over a 1 minute time.  This was a significant increase in speed and time to copy the file from the network share.

The settings were such that the:

"On Execute Mode" = "Passive"

"Maximum File Scan Size" = "50 MB"

"Maximum Archive Scan File Size" = "100 MB"

The question remains - why do these settings not apply to the file we were copying and exclude the file from monitoring?

Secondly - Why does this setting adversely affect the client in such a manner that renders a high CPU utilization?

Sincerely,

Juan D.

Hi @Troja007 

What is the status of FR AMP4E-I-1144?

Regards Andrin

Hello,

sorry to say, no date for this i can share. There have been some updates on the Feature Request, hopefully we are getting the features into the product soon.

Greetings,

Thorsten