MohdAfiq
Level 9
Message 1 of 2

McAfee ENS Linux best practice

Hello everyone. Can you guys suggest best practices for ENS Linux, especially on OAS? A customer reported that mfetpd is hitting 100% CPU usage.

 

Thank you 

1 Reply
BSharma
McAfee Employee
Message 2 of 2

Re: McAfee ENS Linux best practice

  1. Confirm whether the ENSL version and kernel version are compatible.

https://kc.mcafee.com/corporate/index?page=content&id=KB93176

 

  2. Apply the McAfee-suggested default exclusions as mentioned below and test if it still utilizes high CPU.

Ref: https://kc.mcafee.com/corporate/index?page=content&id=KB88807&locale=en_US

Here is the list of default exclusions in ENSLTP:

  • arc
  • ctl
  • dbf
  • dbl
  • dtx
  • frm
  • jar
  • log
  • myd
  • myi
  • rdo
  • vmdk
  • war

To configure the above exclusions using ePO:

  1. Log on to the ePO console.
  2. Click System Tree.
  3. Select a system where you need to modify the policy.
  4. Click Actions and select Agent, Modify Policies on a Single System.
  5. Select Endpoint Security Threat Prevention from the Product drop-down list.
  6. Select the On-Access Scan policy.
  7. Click Show Advanced.
  8. Navigate to the Process Settings section, Exclusions list.
  9. Click Add.
  10. Select File type (can include the ? wildcard) and type the first extension "arc" from the list above.
  11. Click Save.
  12. Repeat steps 9–11 to add the rest of the extensions.

 

 

 

  3. If it still utilizes high CPU, you may refer to the following instructions to enable the OAS activity monitor and capture its logs to confirm the scanning requests, and try excluding the highest scanning requests.

 

Please follow the KB: https://kc.mcafee.com/corporate/index?page=content&id=KB89711

 

Enable and capture logs for 5 min during the high CPU with the following commands:

 

To enable the On-Access Scan activity monitor:

10.6.5 & Prior: /opt/isec/ens/threatprevention/bin/isecav --oasactivitylog enable

10.6.6 & Later: /opt/McAfee/ens/tp/bin/mfetpcli --oasactivitylog enable

 

Capture the above log for 5 min during high CPU utilization.

 

To save the contents of this file in a text file:

10.6.5 & Prior: cat /opt/isec/ens/threatprevention/var/isectpdactivity.log | tee ENSLScanningFiles.txt

10.6.6 & Later: cat /var/McAfee/ens/log/tp/mfetpdactivity.log | tee ENSLScanningFiles.txt

 

Note: Don't forget to stop the OAS activity monitor.

 

To disable On-Access Scan activity monitor:

10.6.5 & Prior: /opt/isec/ens/threatprevention/bin/isecav --oasactivitylog disable

10.6.6 & Later: /opt/McAfee/ens/tp/bin/mfetpcli --oasactivitylog disable

 

 

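One way to find the "highest scanning requests" in the ENSLScanningFiles.txt capture described in the reply above, as an added example that is not part of the original posts and is not McAfee code. The function names and sample lines are hypothetical, and because the thread does not show the activity log's line format, the script assumes only that each line contains the scanned file's absolute path as a whitespace-delimited token starting with "/".

```shell
#!/bin/sh
# Added example: rank what On-Access Scan touched most in a captured log.
# ASSUMPTION: the activity log's line format is not shown in the thread. This
# only assumes each line holds the scanned file's absolute path as a
# whitespace-delimited token starting with "/" (no spaces inside paths).

# scanned_paths FILE -> first token starting with "/" on each line
scanned_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ "^/") { print $i; break } }' "$1"
}

# top_dirs FILE [N] -> "count directory" for the N most-scanned directories
top_dirs() {
    scanned_paths "$1" | awk '
        { d = $0; sub("/[^/]*$", "", d); if (d == "") d = "/"; n[d]++ }
        END { for (d in n) print n[d], d }' | sort -k1,1nr -k2 | head -n "${2:-10}"
}

# top_exts FILE [N] -> "count extension" for the N most-scanned file types
top_exts() {
    scanned_paths "$1" | awk '
        { f = $0; sub(".*/", "", f); e = "(none)"
          if (f ~ "[^.][.][^.]+$") { e = f; sub(".*[.]", "", e) }
          n[e]++ }
        END { for (e in n) print n[e], e }' | sort -k1,1nr -k2 | head -n "${2:-10}"
}

# Constructed sample lines (not real ENSL output) so the script runs offline.
make_sample() {
    cat > "$1" <<'EOF'
t1 scan /var/lib/app/data/orders.myd
t2 scan /var/lib/app/data/orders.myi
t3 scan /var/lib/app/data/orders.myd
t4 scan /var/log/app/server.log
t5 scan /opt/app/bin/worker
EOF
}

# Use the capture file given as the first argument, else the constructed sample.
if [ -f "${1:-}" ]; then log=$1; else log=$(mktemp); make_sample "$log"; fi
echo "Top directories:"; top_dirs "$log" 10
echo "Top file types:";  top_exts "$log" 10
[ -f "${1:-}" ] || rm -f "$log"
```

Pass ENSLScanningFiles.txt as the first argument to rank a real capture. Exclude the narrowest directory or file type that accounts for the load, since anything excluded is no longer inspected by On-Access Scan.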