Experiencing high CPU for the sisamddaemon on Linux Agent.

Article ID: 236571

Products

Data Center Security Server Advanced, Endpoint Protection, Cloud Workload Protection

Issue/Introduction

High CPU usage is seen on the CWP/DCS/SEP Linux anti-malware agent, specifically from the sisamddaemon process.

Environment

Release: 6.9.0+

SEP 14.3 RU1+

Cause

The default number of scan threads set in the AntiMalware.ini file on the Linux DCS/CWP agent needs to be decreased.

Resolution

Decrease the default thread count for scans.

1. Set a null policy

su - sisips
./sisipsconfig.sh -r

2. Stop agent services

service sisipsagent stop
service sisidsagent stop
service sisipsutil stop
service sisamddaemon stop

For SEP for Linux, it is enough to stop the SEP client:

[root@generic ~] # /usr/lib/symantec/stop.sh
Stopping Agent..

3. Open AntiMalware.ini and AntiMalware.ini.1 and make the changes in both files

vi /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini
vi /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini.1

On a Linux system with 16 or more CPU cores, SEP accepts decreasing the thread count to half or a quarter of the number of CPU cores.

The minimum recommended number of CPU cores to assign to a Linux machine with the SEP client is 4.

By default, SEP assigns as many threads as there are CPU cores assigned to the system. For example, if your Linux system has 8 cores, AP (AutoProtect) has 8 threads by default, and you might want to decrease this by half. However, 4 is the minimum that can be assigned to AP, so on such a system it is not possible to decrease the threads to a quarter of the number of CPU cores.

Find the thread setting you want to change and set its value within the range of 4 to 16.

#Max number of Scan threads can be 16.
#Requires service restart to apply.
amdmanagement.ondemand.scan.threads=4
#Max number of AutoProtect Scan threads can be 16.
#Requires service restart to apply.
amdmanagement.ap.scan.threads=4

Save the file

:wq

4. Restart the services

service sisipsagent start
service sisidsagent start
service sisipsutil start
service sisamddaemon start

For SEP for Linux, it is enough to start the SEP client:

[root@generic ~] # /usr/lib/symantec/start.sh
Restarting Agent..

 

5. Reset the policy

su - sisips
./sisipsconfig.sh -s

Monitor to see if the issue reoccurs.
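
Added example, not part of the original article and not vendor-supplied code: a shell helper for step 3 that writes the same thread value to both settings in a file instead of hand-editing it in vi, rejecting values outside the 4 to 16 range. The function names and the .bak backup suffix are assumptions; the key names and file paths are the ones shown in step 3.

```shell
#!/bin/sh
# Added example; function names and the ".bak" suffix are hypothetical.
# Run only between step 2 (services stopped) and step 4 (services started).

# Half the CPU core count, held inside the 4..16 range the article gives.
recommended_threads() {
    n=$(( $1 / 2 ))
    if [ "$n" -lt 4 ]; then n=4; fi
    if [ "$n" -gt 16 ]; then n=16; fi
    echo "$n"
}

# set_scan_threads FILE N: set both scan-thread keys in FILE to N.
set_scan_threads() {
    file=$1; n=$2
    case $n in
        ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;;
    esac
    if [ "$n" -lt 4 ] || [ "$n" -gt 16 ]; then
        echo "threads must be 4..16, got $n" >&2; return 1
    fi
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Keep the original; writing with '>' preserves owner and mode of FILE.
    cp -p "$file" "$file.bak" || return 1
    sed -e "s/^\(amdmanagement\.ondemand\.scan\.threads\)=.*/\1=$n/" \
        -e "s/^\(amdmanagement\.ap\.scan\.threads\)=.*/\1=$n/" \
        "$file.bak" > "$file"
    # Fail and roll back if either key was not present to be rewritten.
    grep -q "^amdmanagement\.ondemand\.scan\.threads=$n\$" "$file" &&
    grep -q "^amdmanagement\.ap\.scan\.threads=$n\$" "$file" || {
        cp -p "$file.bak" "$file"
        echo "expected keys not found in $file" >&2; return 1
    }
}

# Apply one value to both files named in step 3 (not called automatically).
apply_to_agent() {
    for f in /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini \
             /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini.1; do
        set_scan_threads "$f" "$1" || return 1
    done
}

# Usage, as root:  apply_to_agent "$(recommended_threads "$(nproc)")"
```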

Additional Information

The more threads assigned to AP, the more load is put on the CPU and the faster SEP completes the real-time scan of target files; the reverse is also true.