How to fix SEP High CPU conditions by having too many or duplicate Allow/Deny Exception policies created by the EDR connections
Article ID: 227503

Products

  • Endpoint Detection and Response
  • Advanced Threat Protection Platform
  • Endpoint Protection
  • Endpoint Security

Issue/Introduction

When the EDR is redeployed, renamed, or upgraded and its SEPM connection is not removed beforehand, the exception policies created by the previous EDR connection remain in the SEPM unless they are removed manually. The new connection then pushes the same Allow/Deny entries again under a different "Source", so the exception policies are duplicated and can exceed the 65,000 exception limit, which in turn may cause high CPU on the SEP client.

For example: 

  • A customer has 35,000 SHA256 Hashes in the Deny policy in the EDR
  • The SEPM has its own defined exceptions of 5,000 apart from the EDR's allow/deny policies
  • The EDR fails and must be redeployed with a newer version
  • During redeployment the EDR is renamed
  • The "Source" for the EDR policy remains in the EDR (See image)
  • The new EDR is connected adding another 35,000 exceptions
  • The limit was exceeded by 10,000, resulting in high CPU

Environment

EDR 4.x, SEPM 14.x

Cause

  • The total number of exception policies has exceeded the 65,000 limit because the same EDR entries exist under more than one "Source"
  • The policies from the previous EDR connection are left in place after upgrades or redeployment of SEPM and EDR

Resolution

The following steps should guide you to identify and clean up any leftover policies from previous EDR connections:

1)  Remove the EDR's SEPM connection

2)  Open the SEPM's Exception Policy and remove any EDR "Source" policies

3)  Open the SEPM's 'System Lockdown' policy and remove any EDR "Fingerprint Lists"

4)  Add the EDR's SEPM connection
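Before removing anything in step 2, it helps to know which "Source" names are leftovers and how many entries they account for. The script below is an added example, not part of this article or of the SEPM/EDR products; it assumes the exception entries have already been exported into a simple list of (source, action, sha256) tuples, which is an assumed intermediate format and not a SEPM export format. It reproduces the article's scenario with constructed data (5,000 SEPM-defined exceptions plus a 35,000-entry EDR deny list pushed under both an old and a new EDR source name), reports how far the total is over the 65,000 limit, how many entries are pure duplicates, and which sources are not the SEPM's own or the currently connected EDR.

```python
from collections import defaultdict

EXCEPTION_LIMIT = 65000  # exception ceiling stated in the article

# Source name used for the SEPM's own (non-EDR) exceptions in this example.
# This is an assumed label, not a value taken from SEPM.
LOCAL_SOURCE = "SEPM"


def build_scenario(n_edr=35000, n_sepm=5000, old_edr="EDR-old", new_edr="EDR-new"):
    """Constructed data reproducing the article's example: the SEPM's own
    deny exceptions plus the same EDR deny list pushed twice under two
    different Source names (the renamed/redeployed EDR)."""
    records = [(LOCAL_SOURCE, "deny", f"{i:064x}") for i in range(n_sepm)]
    for i in range(n_edr):
        sha = f"{i + 1_000_000:064x}"  # offset so it never collides with the SEPM hashes
        records.append((old_edr, "deny", sha))
        records.append((new_edr, "deny", sha))
    return records


def count_by_source(records):
    """Number of exception entries contributed by each Source."""
    counts = defaultdict(int)
    for source, _action, _sha in records:
        counts[source] += 1
    return dict(counts)


def find_duplicate_entries(records):
    """Map (action, sha256) -> sorted Source names for entries that exist
    under more than one Source; these are the duplicates the article describes."""
    sources = defaultdict(set)
    for source, action, sha in records:
        sources[(action, sha)].add(source)
    return {key: sorted(s) for key, s in sources.items() if len(s) > 1}


def leftover_sources(records, active_edr):
    """Sources that are neither the SEPM's own exceptions nor the currently
    connected EDR: candidates for removal in step 2 of the resolution."""
    return sorted({src for src, _, _ in records if src not in (LOCAL_SOURCE, active_edr)})


def remove_sources(records, sources):
    """Drop every entry whose Source is in `sources` (what step 2 does in the UI)."""
    drop = set(sources)
    return [r for r in records if r[0] not in drop]


def check(records, active_edr):
    """Summarise whether the client is over the limit and why."""
    total = len(records)
    dups = find_duplicate_entries(records)
    return {
        "total": total,
        "over_limit": total > EXCEPTION_LIMIT,
        "excess": max(0, total - EXCEPTION_LIMIT),
        "duplicate_entries": sum(len(s) - 1 for s in dups.values()),
        "per_source": count_by_source(records),
        "leftover_sources": leftover_sources(records, active_edr),
    }


if __name__ == "__main__":
    recs = build_scenario()
    before = check(recs, active_edr="EDR-new")
    print("before cleanup:", before["total"], "entries, over limit by", before["excess"])
    print("leftover sources:", before["leftover_sources"])
    after = check(remove_sources(recs, before["leftover_sources"]), active_edr="EDR-new")
    print("after cleanup:", after["total"], "entries, over limit:", after["over_limit"])
```

Running it shows the article's arithmetic: 75,000 entries before cleanup (10,000 over the limit, 35,000 of them duplicates under the old EDR source) and 40,000 after the leftover source is removed. In practice the source list for `leftover_sources` is what to compare against the "Source" column in the SEPM Exception policy before deleting anything.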

Additional Information

Related article: High CPU on all enrolled SEP clients with more than 500 SHA256 Deny List entries in EDR