Greetings kevdpc,

Long story short you mention that this is a file server for VMs which I would image there is quite a lot of disk I/O as devices or VMs access their need files for daily operation. This would cause AMP to scan or monitor those files as they are modified (read, write, executed, moved, copied, etc.). You may be able to identify what files are being monitored from the resource monitor by checking the sfc.exe process and navigating to the disk tab. This should show you what AMP is looking at. You would need to create an exclusion for those files or path to avoid high CPU. If its a particular program that is brokering the files you could create a Process File Scan exclusion or you could create a Path exclusion if its due to a particular folder.

I would recommend turning on debugging in your policy, gathering a debug bundle and reaching out to Cisco TAC as they can also help you identify the above as well. Take a look at this guide for an idea about what to expect. There are steps to perform this yourself but if you do not feel comfortable TAC can help you through it: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215261-analyze-amp-diagnostic-bundle-for-high-c.html

As for the service stopped this may be due to a known bug where if multiple users are logged in to the same system only the first user can see that the AMP service is running. You would need to log all other users out in order for consecutive users to see the service as running. You can verify by opening Task Manager and under the users tab verify that you are the only user logged in. Please see bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc64688/?rfs=iqvred for more information about that.

Please let me know if you have any other question.