3 Replies Latest reply on Aug 23, 2010 11:27 AM by scoutt

    Automatic response creates high CPU usage

    scoutt

      I actually had 2 auto responses I made that almost killed the server. I made one for rogue printers and virus detections. If I have both enabled, the sqlserver service goes up to 711 MB of memory usage and makes the CPU stay between 65-100% constantly. If I disable them, it drops the CPU back to normal, between 0-25%. Memory on that service drops to 500 MB. I do have a lot of filters in the rogue printer detection, up to 15 filters; 13 of those are IP address ranges. Then for my virus detection I have 7 threat types and one Event Description. I might see why the rogue printer response would do that, but why would the other one? And what other way would I have done it? Is there a setting I missed?


      Just enabling the virus detection sends it over the top; it really bogs the server down.

        • 1. Re: Automatic response creates high CPU usage
          jstanley

          For the RSD Response you should check your filter and make sure you have added "New Detection Equals True". This will keep the response from repeatedly triggering on machines that have already been detected.


          On the VSE response I'm guessing the problem is something similar... the response is being triggered very frequently. You may want to add the filter "Threat Handled equals false" so that the response is only triggering when a virus has been detected but the remediation failed. Also you can filter out event IDs 1051 and 1059, which are actually classified as "threat events" even though they don't really indicate a virus detection. To see what those events are and to filter them, go to "Menu | Configuration | Server Settings | Event filtering | Edit".

          • 2. Re: Automatic response creates high CPU usage
            scoutt

            I can try that, but we do not get any emails whatsoever; it doesn't find anything wrong. So I'm not sure why it is bogging the server down.

            • 3. Re: Automatic response creates high CPU usage
              scoutt

              Here is the XML part of the response:

              <ResponseRule id="12" name="Virus Detection"
                  createdBy="Admin"
                  createdOn="2010-08-10 14:25:25.833"
                  modifiedBy="Admin"
                  modifiedOn="2010-08-12 07:14:25.39"
                  lastFiredOn="2010-08-20 08:34:05.26"
                  eventType="epoThreatEvent"
                  conditionURI="rule:condition?conditionSexp=%28+where+%28+and+%28+or+%28+eq+epoThreatEvent.threatType+%22virus%22+%29+%28+eq+epoThreatEvent.threatType+%22trojan%22+%29+%28+eq+epoThreatEvent.threatType+%22app_adware%22+%29+%28+eq+epoThreatEvent.threatType+%22buffer+overflow%22+%29+%28+eq+epoThreatEvent.threatType+%22app_P2P%22+%29+%28+eq+epoThreatEvent.threatType+%22app_rootkit%22+%29+%28+eq+epoThreatEvent.threatType+%22app_spyware%22+%29+%29+%28+ne+epoThreatEvent.eventDesc+%22Scan+Timed+Out%22+%29+%29+%29&amp;requiredFilter=%28+where+%28+descendsFrom+epoThreatEvent.definedAt+%222%22+%29+%29"
                  actionsURIs="command:response.send-email?body=Category+%3A+%7BlistOfThreatCategory%7D%0D%0A%0D%0AVirus+Detected%3A+%7BlistOfThreatName%7D%0D%0A%0D%0AEvent+%3A+++%7BlistOfThreatEventID%7D%0D%0AEvent+Action+%3A+%7BlistOfThreatActionTaken%7D%0D%0AEvent+Description+%3A+%7BlistOfEventDesc%7D%0D%0AAffected+Object+%3A++%7BlistOfTargetFileName%7D%0D%0ADetection+occured+at+%3A+%7BlistOfDetectedUTC%7D%0D%0A%0D%0AAffected+Computers+%3A++%7BlistOfTargetHostName%7D%0D%0AAffected+IP+Addresses+%3A++%7BlistOfSourceIPV4%7D%0D%0A%0D%0AActual+products+%3A+%7BlistOfAnalyzerName%7D%0D%0A%0D%0AePolicy+Orchestrator+Notification+Rule%3A+%0D%0A%0D%0AFor+additional+information%2C+see+the+Notification+Log+in+the+ePolicy+Orchestrator+console.&amp;importance=HIGH&amp;recipients=email%40domain.org&amp;subject=%7BlistOfThreatName%7D+virus+detected+on+%7BlistOfSourceHostName%7D+-+%7BlistOfSourceIPV4%7D" />

              I can disable that response and the server goes back to like nothing is running on it. Again, it is not detecting anything; we don't get any emails except for the few it does see. Like last Friday, we had 1 machine hit 7 times, and that was it all day long. So 7 emails should not make the server run



              The sqlserver process is at 847K of used memory, which is higher than I have ever seen it on this box. If I turn that response off (disable it), it drops down to 450K and runs fast. I am also attaching my filter for this response.
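Added example, not part of the thread and not McAfee's own code: a small Python script that takes the conditionURI exactly as it appears in the posted "Virus Detection" rule, URL-decodes the conditionSexp and requiredFilter, parses the s-expression, and dry-runs the filter over a handful of constructed threat events. It then ANDs in the "Threat Handled equals false" clause jstanley suggested in reply 1 and shows how many of the same events would still fire the response. Assumptions: the field name epoThreatEvent.threatHandled (and the values "true"/"false") is my guess at how that filter appears in the s-expression; the evaluator models only the operators present in the posted rule, with exact string comparison; the sample events are made up and are not ePO data.

```python
"""Decode an ePO response-rule conditionURI and dry-run its filter over sample events.

Toy model built from the posted rule only; field names beyond threatType and
eventDesc (notably epoThreatEvent.threatHandled) are assumptions.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# conditionURI attribute value copied from the posted rule, still XML-escaped (&amp;).
CONDITION_URI = (
    "rule:condition?conditionSexp=%28+where+%28+and+%28+or+%28+eq+epoThreatEvent.threatType+%22virus%22+%29+%28+eq+"
    "epoThreatEvent.threatType+%22trojan%22+%29+%28+eq+epoThreatEvent.threatType+%22app_adware%22+%29+%28+eq+epoThreatEvent.threatType+"
    "%22buffer+overflow%22+%29+%28+eq+epoThreatEvent.threatType+%22app_P2P%22+%29+%28+eq+epoThreatEvent.threatType+%22app_rootkit%22+"
    "%29+%28+eq+epoThreatEvent.threatType+%22app_spyware%22+%29+%29+%28+ne+epoThreatEvent.eventDesc+%22Scan+Timed+Out%22+%29+%29+"
    "%29&amp;requiredFilter=%28+where+%28+descendsFrom+epoThreatEvent.definedAt+%222%22+%29+%29"
)

TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def decode_condition_uri(uri):
    """Return {param: decoded value} for the query part of a rule:condition URI."""
    query = urlsplit(html.unescape(uri)).query          # &amp; -> & first, then split off '?'
    params = parse_qs(query, strict_parsing=True)       # parse_qs also turns '+' into ' ' and %XX into chars
    return {name: values[0] for name, values in params.items()}


def parse_sexp(text):
    """Parse '( op arg ... )' into nested lists. Quoted literals keep their quotes
    so they cannot be confused with field references such as epoThreatEvent.threatType."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-1].append(stack.pop()) if False else stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced s-expression")
    return stack[0][0]


def to_sexp(expr):
    """Inverse of parse_sexp, using the same 'space around parens' spacing ePO emits."""
    if isinstance(expr, list):
        return "( " + " ".join(to_sexp(e) for e in expr) + " )"
    return expr


def _operand(tok, event):
    # Quoted token is a literal; anything else is a field looked up on the event dict.
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    return event.get(tok)


def evaluate(expr, event):
    """Evaluate the operators used in the posted rule (exact string comparison)."""
    op, *args = expr
    if op == "where":
        return evaluate(args[0], event)
    if op == "and":
        return all(evaluate(a, event) for a in args)
    if op == "or":
        return any(evaluate(a, event) for a in args)
    if op == "eq":
        return _operand(args[0], event) == _operand(args[1], event)
    if op == "ne":
        return _operand(args[0], event) != _operand(args[1], event)
    raise ValueError(f"operator {op!r} is not modelled here")


def add_clause(expr, clause_text):
    """Copy of a '( where ( and ... ) )' rule with one more clause ANDed in."""
    if expr[0] != "where" or expr[1][0] != "and":
        raise ValueError("rule is not of the form ( where ( and ... ) )")
    return ["where", expr[1] + [parse_sexp(clause_text)]]


def matching_events(expr, events):
    """Indices of the events that would fire the response."""
    return [i for i, ev in enumerate(events) if evaluate(expr, ev)]


# Constructed sample events (not real ePO data). 'app_joke' is just a type absent from the rule.
SAMPLE_EVENTS = [
    {"epoThreatEvent.threatType": "virus", "epoThreatEvent.eventDesc": "Cleaned", "epoThreatEvent.threatHandled": "true"},
    {"epoThreatEvent.threatType": "trojan", "epoThreatEvent.eventDesc": "Deleted", "epoThreatEvent.threatHandled": "true"},
    {"epoThreatEvent.threatType": "app_spyware", "epoThreatEvent.eventDesc": "Clean failed", "epoThreatEvent.threatHandled": "false"},
    {"epoThreatEvent.threatType": "virus", "epoThreatEvent.eventDesc": "Scan Timed Out", "epoThreatEvent.threatHandled": "true"},
    {"epoThreatEvent.threatType": "app_joke", "epoThreatEvent.eventDesc": "Cleaned", "epoThreatEvent.threatHandled": "true"},
]


def compare_rules():
    """Posted rule vs. the same rule with the (assumed) 'Threat Handled equals false' clause."""
    posted = parse_sexp(decode_condition_uri(CONDITION_URI)["conditionSexp"])
    tightened = add_clause(posted, '( eq epoThreatEvent.threatHandled "false" )')
    return {"posted": matching_events(posted, SAMPLE_EVENTS),
            "tightened": matching_events(tightened, SAMPLE_EVENTS)}


if __name__ == "__main__":
    parts = decode_condition_uri(CONDITION_URI)
    print("conditionSexp :", parts["conditionSexp"])
    print("requiredFilter:", parts["requiredFilter"])
    for name, hits in compare_rules().items():
        print(f"{name:9s} rule fires for sample events {hits}")
```

Run as a script it prints the two decoded filters and then which sample events each version of the rule fires on: the posted rule fires on every virus/trojan/spyware event that is not a "Scan Timed Out", handled or not, while the tightened rule fires only on the one event whose remediation failed. The round trip through parse_sexp and to_sexp reproduces the decoded string byte for byte, which is a cheap way to check that a hand-edited rule still has balanced parentheses before re-importing it.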