Protection Engine services spike to 100% CPU utilization when Tanium is used in the environment

Article ID: 225562

Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS
  • Protection for SharePoint Servers

Issue/Introduction

You notice the Symantec Protection Engine process (symcscan on Linux) taking 100% CPU utilization until the service is manually terminated. If the scanner is enrolled in the Centralized Cloud Console, you instead see the Symantec Protection Engine process taking 50% CPU utilization and the Symantec CAF Service (cafservicemain on Linux) taking 50% CPU utilization until the services are manually terminated.

Cause

There is an unexpected interaction between Tanium and Protection Engine (SPE) that causes the services mentioned above to enter a state that utilizes all CPU resources.

Environment

  • SPE 8.0 through SPE 8.2.1
  • Tanium

Resolution

This issue will be fixed in SPE 8.2.2. Please update to SPE 8.2.2 as soon as it is available. A workaround is available if upgrading is not feasible.

Workaround

You can exclude ports 9001 and 9002 from Tanium scanning on any SPE scanner. This will prevent the interaction that causes the issue.