Once in a while I get a high CPU alert on one of our VM file servers. Looking at the Windows Resource Monitor shows Cisco AMP for Endpoints Connector with high CPU usage. There is no scan running and the connector shows that the service is stopped. I'm not an AMP guy so maybe I'm just not understanding something, but this seems unusual to me.
There is no scan running. What else would cause high CPU usage?
Also how could the connector say the service is stopped during this?
Long story short, you mention that this is a file server for VMs, which I would imagine has quite a lot of disk I/O as devices or VMs access their needed files for daily operation. This would cause AMP to scan or monitor those files as they are modified (read, write, executed, moved, copied, etc.). You may be able to identify what files are being monitored from the Resource Monitor by checking the sfc.exe process and navigating to the Disk tab. This should show you what AMP is looking at. You would need to create an exclusion for those files or path to avoid high CPU. If it's a particular program that is brokering the files, you could create a Process File Scan exclusion, or you could create a Path exclusion if it's due to a particular folder.
As for the service stopped, this may be due to a known bug where, if multiple users are logged in to the same system, only the first user can see that the AMP service is running. You would need to log all other users out in order for consecutive users to see the service as running. You can verify by opening Task Manager and, under the Users tab, verifying that you are the only user logged in. Please see bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc64688/?rfs=iqvred for more information about that.
Please let me know if you have any other questions.
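The reply above suggests finding what sfc.exe is reading before choosing an exclusion. As an added example that is not part of the original thread, this PowerShell sketch ranks the folders the connector touches most; it assumes the activity was captured with Process Monitor and saved as CSV with its default columns, and the sample rows, folder names and `backup.exe` are constructed.

```powershell
# Added example (not from the thread). Assumes a Process Monitor capture saved
# as CSV with Procmon's default columns; the rows below are constructed.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","sfc.exe","2044","ReadFile","D:\VMStore\web01\disk0.vhdx","SUCCESS",""
"10:01:02.11","sfc.exe","2044","ReadFile","D:\VMStore\web01\disk0.vhdx","SUCCESS",""
"10:01:02.12","sfc.exe","2044","WriteFile","D:\VMStore\web01\disk0.avhdx","SUCCESS",""
"10:01:02.20","sfc.exe","2044","CreateFile","D:\VMStore\db02\data.vhdx","SUCCESS",""
"10:01:02.25","sfc.exe","2044","RegQueryValue","HKLM\SOFTWARE\Constructed\Key","SUCCESS",""
"10:01:02.30","backup.exe","3120","ReadFile","D:\VMStore\web01\disk0.vhdx","SUCCESS",""
"10:01:02.40","sfc.exe","2044","ReadFile","C:\Windows\Temp\a.tmp","SUCCESS",""
'@ | ConvertFrom-Csv

function Get-ConnectorHotPath {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $ProcessName = 'sfc.exe',   # connector process named in the reply
        [int] $Top = 5
    )
    # Keep only file-system events (drive-letter paths) from the connector process.
    $hits = @($Events | Where-Object {
        $_.'Process Name' -eq $ProcessName -and $_.Path -match '^[A-Za-z]:\\'
    })
    # Rank parent folders by event count and list the file extensions seen in each.
    $hits |
        Group-Object { [System.IO.Path]::GetDirectoryName($_.Path) } |
        Sort-Object Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $ext = $_.Group | ForEach-Object { [System.IO.Path]::GetExtension($_.Path) } |
                Sort-Object -Unique
            [pscustomobject]@{
                Folder     = $_.Name
                Events     = $_.Count
                Percent    = [math]::Round(100 * $_.Count / $hits.Count, 1)
                Extensions = $ext -join ','
            }
        }
}

# For a real capture: Get-ConnectorHotPath -Events (Import-Csv .\capture.csv)
Get-ConnectorHotPath -Events $sample | Format-Table -AutoSize
```

An exclusion takes those files out of AMP's monitoring, so use the ranking to pick the narrowest folder or brokering process that accounts for the load.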