7 Replies Latest reply on Nov 23, 2010 5:46 AM by Zuz

    Rogue Detection Sensor causes 100% CPU on Hyper-V

      I have a Windows 2008 x64 (SP2) Enterprise server on Hyper-V which functions as a Domain Controller and has a Rogue Detection Sensor for that part of the subnet and geographical location. The problem is that the rssensor.exe causes the lsass.exe to use 50-80% CPU. The RSsensor itself uses about 20-50% CPU, but when the process is terminated the Local Security Authority Subsystem Service returns to 0% CPU and the system is 70-100% idle. There is enough free memory available on the Hyper-V (only uses 3/4). We're using ePO 4.5 Patch 1, RDS 4.5, Agent 4.5 and VSE 8.7i Repost 2. The Hyper-V has the RDS and VSE, but also functions as a Distributed Repository. Disabling AOS or VSE itself does not have any effect. Rebooting works for a little while. Restarting the service has no effect either.

       

      Anyone got any fresh ideas about what could be causing this?

       

       

        • 1. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

          Since McAfee Support suggested this might be caused by AOS, I decided to install Patch 3 today... but without any results. Still the RSSensor.exe causes the lsass.exe to use 100% CPU.

           

           

          Added screenshot from before and after killing the RSSensor.exe process on 3/10/10 11:56:36 AM CET
          • 2. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

            Update: Case is transferred to Tier 3.

            • 3. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

              I'm seeing identical behavior, and just finished applying the April Microsoft patches. Same McAfee versions as poster, but running in a VMware VM.

               

              Any resolution from McAfee yet?

               

               

              on 4/18/10 6:50:28 AM CDT
              • 4. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

                Hi kcherpj1,

                 

                I'm sorry to inform you (and all others) that we do not have a solution. After more than twelve hours of troubleshooting (Tier 1 - 4 hours, Tier 2 - 5 hours and Tier 3 - 3 hours, and several hours finding out ourselves what caused it) we decided that the costs were becoming too high and a solution was far away, because they didn't have a clue what was causing it (after first saying it was impossible that RSsensor.exe could cause this kind of behaviour). We also had the same problem on VMware two weeks ago and uninstalled the rogue sensor. Until a fix or update for the Rogue Sensor is posted, we will not even try again. If you feel like putting in a lot of hours, be my guest. You can refer to call: 3-832609673. If McAfee wants to contact me, that's fine. If you find a solution please post it here. Good luck!

                • 5. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

                  Hi!

                   

                  I have the same issue.

                  Can you check the records in your System event log? I have multiple periodic events 36886 there (10 times per second): "No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this".

                  RSSensor.exe connects to the ldaps port on localhost (10 times per second), which causes the generation of this event and the lsass.exe CPU load.

                  RDS is installed on a domain controller (W2K8 R2+) on a VMware ESXi 4.1 host.

                  When I stop the RDS service, the generation of events also stops.

                  Do you have similar behaviour?

                   

                   

                  Message was edited by: Zuz on 10/26/10 11:24:04 AM CDT
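
One way to run the check described in reply 5, as an added example that is not part of the original thread or any McAfee tooling: it measures how often event 36886 is logged and lists which processes are opening connections to the LDAPS port. It assumes PowerShell 2.0 or later in an elevated session on the affected DC; the 60-second window is an arbitrary choice.

```powershell
# Added diagnostic sketch (not from the thread). Run elevated on the affected DC.
$windowSeconds = 60                      # assumption: sampling window
$since = (Get-Date).AddSeconds(-$windowSeconds)

# 1. Rate of event 36886 (logged by Schannel) in the System log over the window.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 36886; StartTime = $since
    } -ErrorAction SilentlyContinue)
$rate = [math]::Round($events.Count / $windowSeconds, 1)
'Event 36886: {0} in the last {1}s ({2}/s)' -f $events.Count, $windowSeconds, $rate

# 2. Client-side TCP connections whose remote endpoint is LDAPS (port 636).
#    netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
$clients = @(netstat -ano | ForEach-Object {
        $f = @($_ -split '\s+' | Where-Object { $_ })
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[2] -match ':636$') {
            New-Object PSObject -Property @{
                Remote = $f[2]; State = $f[3]; ProcessId = [int]$f[4]
            }
        }
    })

# 3. Summarise per owning process and state. Windows reports closed
#    connections in TIME_WAIT under PID 0, so a large TIME_WAIT count means
#    heavy connection churn, while ESTABLISHED rows name the live client.
$clients | Group-Object ProcessId, State | Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        $proc = Get-Process -Id $first.ProcessId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'exited' }
        '{0,5} x {1,-12} PID {2,-6} {3}' -f $_.Count, $first.State, $first.ProcessId, $name
    }
```

Running it once with the sensor service started and once with it stopped shows whether the event rate and the port 636 connection churn follow the service.
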
                  • 6. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

                    Hey brotato,

                     

                    How about uninstalling the sensor from your DC? That would be my first step. Install somewhere else and troubleshoot from there.

                    • 7. Re: Rogue Detection Sensor causes 100% CPU on Hyper-V

                      Hi!

                       

                      On other DCs we don't have any problems.

                       

                       

                      Message was edited by: Zuz on 11/23/10 5:46:53 AM CST