ENSL memory consumption

Hello,

We are migrating VirusScan Enterprise for Linux version 2.0.2 to the latest version of ENSL, version 10.5.0, but we are facing a bad surprise. While VirusScan for Linux used about 500 Mb of memory, ENSL frequently uses more than 1.5Gb of memory.

On a Linux web server (Debian 9), which has 2Gb of memory, the process isectpd uses 65.0 % of the memory (1.3 GB of RES memory and 3.46 GB of VIRT memory). When we started the migration, our UNIX team received a lot of memory alerts that we never had before. I think this consumption is really huge for a server (65.0 % for a server which only hosts an Apache server). Are you facing the same behaviour? Is there something we can do to use less memory?

Thanks,

Regards

Arnaud

6 Replies
Reliable Contributor
Message 2 of 7

Re: ENSL memory consumption

Are there exclusions in place setup for ENSL?

 

I have seen several occasions where OAS (On-Access Scanning) would consume 65% - 99%, sometimes even above 120% of the CPU depending on what was occurring on an endpoint.

 

I would recommend checking your resources with the top command:

top -ci

to see what all is running at the time of the CPU / memory spike. If you can see /opt/isec/ens/threatprevention/isectpd it's probably something within the ENSL suite that's hitting this system hard.

 

In which case you can check the logs for ENS in the following directory:

/opt/isec/ens/threatprevention/var/

 

Let me know if any of this information helps!

McAfee Employee
Message 3 of 7

Re: ENSL memory consumption

@arnaudgirard I agree with @User91972758's initial suggestions for next steps in the investigation, in order to learn more about what is occurring during these spikes. If you see that the scanner is what is running high in your top output, you can follow the instructions within KB89711 to view the files that are being scanned, in order to see if you have a particular file/process that is being scanned in excess and that could be resolved by implementing a strategic OAS exclusion.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?


Re: ENSL memory consumption

Hello,

Thanks for this information.

However, my remark is not really about CPU usage but more about memory usage.

For example, on this server, where only a little web server runs, ENSL takes a lot of resident memory (3 processes with ~ 20 %):

Server1.PNG

PS aux command : Server1B.PNG

Another server (3 processes with ~ 16 %):

server2.PNG

I don't know if this behaviour is normal, but when we migrated from VSE for Linux to ENSL, we faced some incidents because of the memory consumption of ENSL (VSEL is really lighter than ENSL) on several servers which are not really oversized for memory.


Thanks !

Regards

Arnaud
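When reading `top` or `ps` output for a question like this one, note that thread views print one row per thread and every row repeats the resident size of the whole process, so adding the rows up overstates the footprint. The following is an added example, not part of the original thread and not McAfee tooling: it counts RSS once per PID, and the sample rows, PIDs and the 2 GiB total are constructed.

```shell
#!/bin/sh
# Added example. Input rows: `ps -eLo pid,lwp,rss,comm --no-headers`
#   PID  LWP(thread id)  RSS(KiB)  COMMAND
# Every thread row repeats the RSS of the whole process.

# Constructed sample, not taken from the servers in this thread.
sample_ps() {
cat <<'EOF'
 1201  1201 1331200 isectpd
 1201  1207 1331200 isectpd
 1201  1208 1331200 isectpd
  900   900  204800 mysqld
  950   950   51200 apache2
  951   951   51200 apache2
EOF
}

# rss_by_name NAME MEMTOTAL_KIB   (ps rows on stdin)
# Prints "<processes> <threads> <rss_kib> <percent_of_memtotal>".
# Name and RSS are taken from the main-thread row (PID == LWP) only,
# because thread rows can carry their own names.
rss_by_name() {
  awk -v name="$1" -v total="$2" '
    { rows[$1]++ }
    $1 == $2 { comm[$1] = $4; rss[$1] = $3 }
    END {
      for (p in comm) if (comm[p] == name) {
        procs++; threads += rows[p]; sum += rss[p]
      }
      pct = (total > 0) ? 100 * sum / total : 0
      printf "%d %d %d %.1f\n", procs, threads, sum, pct
    }'
}

# naive_rss NAME: adds up every matching row, counting shared memory
# once per thread. Shown only for comparison with rss_by_name.
naive_rss() {
  awk -v name="$1" '$4 == name { sum += $3 } END { print sum + 0 }'
}

# On a live host:
#   total=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
#   ps -eLo pid,lwp,rss,comm --no-headers | rss_by_name isectpd "$total"

sample_ps | rss_by_name isectpd 2097152   # 2 GiB host (constructed)
sample_ps | naive_rss isectpd
```

Separate processes (different PIDs) can still share pages; for those, the `Pss` line in `/proc/<pid>/smaps_rollup` gives a fairer per-process figure than RSS.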

Reliable Contributor
Message 5 of 7

Re: ENSL memory consumption

Hi Arnaud,
That's definitely interesting behavior. A lot of the time what I see is more CPU usage than memory usage. Have you been able to verify that there are not files / directories being actively scanned that may need to be excluded?

I apologize as I should have maybe mentioned that I see scanning can take up a lot of resources in general. I'd still recommend checking the OAS logs within:

/opt/isec/ens/threatprevention/var/
isecoasmgr.log

Chances are high there are files getting constantly scanned, depending on your system. Have you already moved any exclusions over from your VSE policy to your new ENSLTP policies?

Best Regards,
Zach

Re: ENSL memory consumption

Hello,

As exclusions we have:

| Item | Exclude Subfolders | Read/Write | Notes |
|---|---|---|---|
| All files of type arc | -- | read / write | |
| All files of type aud | -- | read / write | |
| All files of type ctl | -- | read / write | |
| All files of type dbf | -- | read / write | |
| All files of type flb | -- | read / write | |
| All files of type frm | -- | read / write | |
| All files of type jar | -- | read / write | |
| All files of type log | -- | read / write | |
| All files of type rdo | -- | read / write | |
| All files of type trc | -- | read / write | |
| All files of type trm | -- | read / write | |
| All files of type war | -- | read / write | |
| /dev/ | Yes | read / write | |
| /etc/ | Yes | read / write | |
| /media/ | Yes | read / write | |
| /mnt/ | Yes | read / write | |
| /nfs*/ | Yes | read / write | |
| /proc/ | Yes | read / write | |
| /run/ | Yes | read / write | |
| /sys/ | Yes | read / write | |
| /**/docker/ | Yes | read / write | |
| /var/log/ | Yes | read / write | |
| /u0?/ | Yes | read / write | |
| /**/mongodb/ | Yes | read / write | |
| /**/postgresql/ | Yes | read / write | |
| /**/mysql/ | Yes | read / write | |
| /var/lib/rsyslog/ | Yes | read / write | |
| All files of type myi | -- | read / write | |
| All files of type myd | -- | read / write | |
| All files of type dbl | -- | read / write | |
| *.vmdk | No | read / write | |
| All files of type dtx | -- | read / write | |
| /**/mongo/ | Yes | read / write | |

We also have these processes as exclusions (no scan read/write):

| Process | Process Type |
|---|---|
| httpd | Low Risk |
| mongod | Low Risk |
| mysqld | Low Risk |
| java | Low Risk |

On this server, the only process which takes CPU/memory is mysqld:

mysqld.PNG

I think we have enough exclusions for this server, which hosts a MySQL, and we didn't have any CPU problem.

Do you note the same memory consumption on your side?

We do not have any specific log in isecoasmgr.log:

Mar 01 10:35:02 art INFO OASManager [59444] Starting OAS Manager

 

But we are also facing the issue described in this post: https://community.mcafee.com/t5/ePolicy-Orchestrator/Linux-ePO-agent-tried-to-download-an-non-existe...

KB : https://kc.mcafee.com/corporate/index?page=content&id=KB90643

Thanks

Regards

Arnaud

Reliable Contributor
Message 7 of 7

Re: ENSL memory consumption

Hi Arnaud,

 

I took a look at the following two sources:

But we are also facing issue described in this post : https://community.mcafee.com/t5/ePolicy-Orchestrator/Linux-ePO-agent-tried-to-download-an-non-existe...

KB : https://kc.mcafee.com/corporate/index?page=content&id=KB90643

 

The community post seems to potentially be dealing with an ePO repository where that specific user was unable to replicate their MAR package. The KB seems to deal with some issues with Agent Handlers and the agent on an endpoint being unable to communicate effectively.

 

In the situation you're having, I saw you were using ENSLTP 10.5.0. Have you considered updating to 10.5.3? This is the version I'm using in my environment across prod / dev, and I'm looking to try and upgrade to 10.5.5 soon as well.

 

Hopefully we can find a solution soon, and if not I'm sure submitting an SR will be of assistance as well.
