2 Replies Latest reply on Jun 27, 2008 12:16 PM by Jprader

    RPCserv.exe at high CPU, Exchange drops connections

      I've had a problem twice in the last few days.

      System: Exchange 2000 SP3, VirusScan 8.0i (centrally managed through ePO 3.5), GroupShield 6.02.

      The Exchange server suddenly starts freezing up all of its Outlook clients. Logging in to the server and checking task manager shows RPCserv.exe running at 90+% CPU. Event viewer contains a McAfee event indicating that VirusScan has just started. After RPCserv.exe calms down (about 10 minutes or so), the McAfee services (McInUse.exe, McScript.exe) start using heavy CPU for a few minutes. After a total of about 10-15 minutes, everything returns to normal.

      Any ideas?
        • 1. RE: RPCserv.exe at high CPU, Exchange drops connections
          Check you are running the latest patches on GroupShield.

          The following is a KB article from McAfee which may help:


          Solution ID: kb40834
          Title: RPCServ.exe generates high CPU usage (DisableAutoRev)


          Question or Problem:
          RPCServ.exe generates high CPU usage.
          RPCServ.exe generates high Memory/Load usage.

          RPCServ.exe generates high Paging File usage.

          Restarting GroupShield Services returns the load to normal usage for the next few days.


          Solution 1: IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/256986/EN-US/.

          Create the following registry key and set the value accordingly.

          Click Start, Run, type Regedit and click OK.
          Navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\McAfee GroupShield].
          In the right-pane, right-click and choose New, DWORD Value.
          Type DisableAutoRev and press ENTER.
          Change the value of this new entry to either 0 or 1 according to the behavior required below:

          0 (VSAPI stamp changes to reflect Engine, DAT and EXTRA.DAT version)
          1 (VSAPI stamp is not updated)

          Close the Registry Editor.


          See also:

          KB40837: Resubmitting items for scanning when using DisableAutoRev with McAfee GroupShield 6.0.1


          McAfee GroupShield 6.0.1 for Microsoft Exchange 2000
          McAfee GroupShield 6.0.2 for Microsoft Exchange 2000
          Microsoft Exchange 2000
          Microsoft Exchange 2003

          Cause of Problem:

          In previous versions of McAfee GroupShield, it was possible to disable the changing of the Virus Scanning API (VSAPI) stamp value via the user interface (AutoRevDat version). In McAfee GroupShield 6.0 this property was not available, therefore the product updated the stamp every time a new Engine, DAT, or EXTRA.DAT was used.

          The VSAPI stamp registry value is compared to the VSAPI message property upon accessing a message. If a discrepancy exists, the message will be re-scanned by the On-Access scanner.

          While this may be best for keeping all messages scanned with the latest Engine and DAT combinations, it also puts the highest load on the server because messages are re-scanned upon access after a DAT update. This issue is compounded by daily DAT updates provided by McAfee.

          With Service Pack 1, a new registry entry is created which allows an administrator more control of this behavior.

          Changes Affecting this Problem:
          Installed Patch 1.

          Last Modified:
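
The registry steps from KB40834 quoted in the reply above, as a batch script that backs up the key first and verifies the result. This is an added example, not part of the original post or McAfee's article. Assumptions: reg.exe is available on the server (built into Windows Server 2003, part of the Support Tools on Windows 2000), and the backup file name is hypothetical.

```bat
@echo off
rem Added example: set DisableAutoRev for GroupShield as described in KB40834.
rem Usage: script [0^|1]   (defaults to 1 when no argument is given)
setlocal
set "KEY=HKLM\SOFTWARE\Network Associates\McAfee GroupShield"
set "VALUE=DisableAutoRev"
rem Hypothetical backup location; change to suit your environment.
set "BACKUP=%TEMP%\groupshield-key-backup.reg"

rem 1 = VSAPI stamp is not updated
rem 0 = VSAPI stamp changes to reflect Engine, DAT and EXTRA.DAT version
set "DATA=%~1"
if "%DATA%"=="" set "DATA=1"
if not "%DATA%"=="0" if not "%DATA%"=="1" (
    echo Usage: %~nx0 [0^|1]
    exit /b 2
)

rem Stop if the product key is missing, so a typo cannot create a stray key.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo GroupShield registry key not found: %KEY%
    exit /b 1
)

rem Back up the key before changing it; never overwrite an older backup.
if exist "%BACKUP%" (
    echo Backup file already exists, move it first: %BACKUP%
    exit /b 1
)
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 exit /b 1

rem Show the previous state, then write the DWORD and read it back.
echo Previous setting:
reg query "%KEY%" /v %VALUE% 2>nul || echo   %VALUE% was not set
reg add "%KEY%" /v %VALUE% /t REG_DWORD /d %DATA% /f
if errorlevel 1 exit /b 1
echo New setting:
reg query "%KEY%" /v %VALUE%
endlocal
```

With the value set to 1, messages are no longer re-scanned on access after a DAT update, which is the trade-off the article describes; KB40837 covers resubmitting items for scanning in that configuration.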

          • 2. RPCServ.exe issue resolved
            We saw high CPU utilization with RPCServ.exe. We resolved the issue by using the Default Config file (rather than the config file we imported from another server) AND by using the fix in McAfee KB40834. We are running GroupShield 6.0.2 w/Patch1.