Once in a while I get a high CPU alert on one of our VM file servers. Looking at the Windows Resource Monitor shows Cisco AMP for Endpoints Connector with high CPU usage. There is no scan running and the connector shows that the service is stopped. I'm not an AMP guy so maybe I'm just not understanding something, but this seems unusual to me.
There is no scan running. What else would cause high CPU usage?
Also how could the connector say the service is stopped during this?
Long story short, you mention that this is a file server for VMs, which I would imagine has quite a lot of disk I/O as devices or VMs access their needed files for daily operation. This would cause AMP to scan or monitor those files as they are modified (read, written, executed, moved, copied, etc.). You may be able to identify what files are being monitored from Resource Monitor by checking the sfc.exe process and navigating to the Disk tab. This should show you what AMP is looking at. You would need to create an exclusion for those files or paths to avoid high CPU. If it's a particular program that is brokering the files you could create a Process File Scan exclusion, or you could create a Path exclusion if it's due to a particular folder.
I would recommend turning on debugging in your policy, gathering a debug bundle and reaching out to Cisco TAC, as they can also help you identify the above. Take a look at this guide for an idea about what to expect. There are steps to perform this yourself, but if you do not feel comfortable TAC can help you through it: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215261-analyze-amp-diagnostic-bundle-for-high-c.html
As for the service showing as stopped, this may be due to a known bug where, if multiple users are logged in to the same system, only the first user can see that the AMP service is running. You would need to log all other users out in order for consecutive users to see the service as running. You can verify by opening Task Manager and, under the Users tab, checking that you are the only user logged in. Please see bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc64688/?rfs=iqvred for more information about that.
Please let me know if you have any other questions.
Fully agree with the statements of @dkrull. In addition, from what I can see in the screenshot, it looks like Windows Defender is not deactivated? Cisco provides a Maintained Exclusion list for Defender.
So, if Defender starts a task and there is no exclusion, AMP4E will scan all the files touched by Defender.
It would be interesting to see which processes are generating so much activity on the disk system.
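The two replies above suggest the same triage steps by hand: find which processes are driving disk I/O (and whether sfc.exe is busy because of it), check how many users are logged on, and check whether Defender is still active alongside AMP. The script below is an added example that does those checks from one elevated PowerShell prompt; it is not from the thread or from Cisco. It assumes Windows PowerShell 5.1 on the file server, uses the connector process name sfc.exe mentioned in dkrull's answer, and relies only on built-in cmdlets (Get-Counter, Get-Process, quser, and Get-MpComputerStatus from the Defender module).

```powershell
# Added example (not from the thread or Cisco): triage helper for the symptoms discussed above.
# Assumes Windows PowerShell 5.1 on the file server, run from an elevated prompt.
# The connector process name 'sfc' (sfc.exe) is taken from the thread.

# 1. Per-process disk I/O, sampled over a few seconds, to see which processes
#    generate the file activity that the connector then has to inspect.
$samples = Get-Counter -Counter '\Process(*)\IO Data Bytes/sec' -SampleInterval 2 -MaxSamples 3
$top = $samples.CounterSamples |
    Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
    Group-Object InstanceName |
    ForEach-Object {
        [pscustomobject]@{
            Process        = $_.Name
            AvgBytesPerSec = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average)
        }
    } |
    Sort-Object AvgBytesPerSec -Descending |
    Select-Object -First 10
"Top disk I/O producers (average over the sample window):"
$top | Format-Table -AutoSize

# 2. Is the connector (sfc.exe) itself consuming CPU right now?
Get-Process -Name sfc -ErrorAction SilentlyContinue |
    Select-Object Name, Id, CPU, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } } |
    Format-Table -AutoSize

# 3. How many interactive sessions exist? Per the bug referenced in the thread,
#    with more than one user logged on only the first user sees the service as running.
$sessions = @(quser 2>$null | Select-Object -Skip 1)
"Logged-on sessions: $($sessions.Count)"
$sessions

# 4. Is Windows Defender real-time protection still enabled alongside AMP?
#    Get-MpComputerStatus is part of the built-in Defender module.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    "Defender real-time protection enabled: $($mp.RealTimeProtectionEnabled)"
    "Defender antispyware enabled:          $($mp.AntispywareEnabled)"
} else {
    "Defender status unavailable (module not present or service stopped)."
}
```

Run it during one of the high CPU episodes rather than afterwards: the I/O sample is only a few seconds wide, so the processes that show up at the top are the ones worth considering for a Process File Scan or Path exclusion at that moment. A session count greater than one is the first thing to rule out before treating the "service stopped" display as a real failure.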