High CPU usage by sisamddaemon by the Symantec Single Agent for Linux

Article ID: 236571

Products

  • Data Center Security Server Advanced
  • Endpoint Protection
  • Cloud Workload Protection

Issue/Introduction

High CPU usage by sisamddaemon on the following:

  • Cloud Workload Protection (CWP)
  • Data Center Security (DCS)
  • Endpoint Protection (SEP) for Linux

Environment

  • Release: 6.9.0+
  • SEP 14.3 RU1+

Resolution

Decrease the default scan thread count in the AntiMalware.ini file on the SEP for Linux / DCS / CWP agent.

  1. Set a null policy.

    su - sisips
    ./sisipsconfig.sh -r

  2. Stop agent services:

    service sisipsagent stop
    service sisidsagent stop
    service sisipsutil stop
    service sisamddaemon stop

    In case of SEP for Linux, it is enough to stop SEP client:

    [root@generic ~] # /usr/lib/symantec/stop.sh
    Stopping Agent..

  3. Open AntiMalware.ini and AntiMalware.ini.1 and make the changes in both files:

    vi /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini
    vi /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini.1

    On a Linux system with >=16 CPU cores, SEP accepts decreasing the threads to a half or a quarter of the core count.

    The minimum recommended number of CPU cores to assign to a Linux machine with the SEP client is 4.

    By default, SEP assigns as many threads as there are CPU cores assigned to the system. If your Linux system has 8 cores assigned, AP has 8 threads assigned to it by default; you might want to decrease this amount by half. However, 4 is the minimum to assign to AP. Therefore, on such a system it is not possible to decrease the threads to a quarter of the number of CPU cores.

    Find the thread setting you want to change and set its value to 4 or higher, but not exceeding 16.

    #Max number of Scan threads can be 16.
    #Requires service restart to apply.
    amdmanagement.ondemand.scan.threads=4
    #Max number of AutoProtect Scan threads can be 16.
    #Requires service restart to apply.
    amdmanagement.ap.scan.threads=4

    Save the file:

    :wq

  4. Restart the services

    service sisipsagent start
    service sisidsagent start
    service sisipsutil start
    service sisamddaemon start

    With SEP for Linux, it is enough to start the SEP client.

    [root@generic ~] # /usr/lib/symantec/start.sh
    Restarting Agent..

  5. Reset the policy. If only SEP Linux is applied (no DCS), you'll see the message: "Could not set policy to the most recent applied policy". This is expected.

    su - sisips
    ./sisipsconfig.sh -s

  6. Monitor to see if the issue reoccurs.
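
A scripted form of step 3, as an added example that is not part of the original article or Symantec's tooling: it derives a thread count from the core count within the 4 to 16 limits above and writes both keys into an ini file, keeping a backup. The function names, the `.bak` suffix and the choice of halving are assumptions; the key names and paths are the ones shown in step 3.

```shell
#!/bin/sh
# Added example (not vendor tooling). Keys and limits come from the article;
# function names, the .bak suffix and the halving policy are assumptions.
KEYS="amdmanagement.ondemand.scan.threads amdmanagement.ap.scan.threads"

# Half of the CPU cores, clamped to the article's 4..16 range.
recommended_threads() {
    n=$(( $1 / 2 ))
    if [ "$n" -lt 4 ]; then n=4; fi
    if [ "$n" -gt 16 ]; then n=16; fi
    echo "$n"
}

# Rewrite both thread keys in one ini file, keeping a .bak copy.
# Fails without touching the file if the value is out of range or a key is absent.
set_scan_threads() {
    file=$1 value=$2
    case $value in ''|*[!0-9]*) echo "not a number: $value" >&2; return 1 ;; esac
    if [ "$value" -lt 4 ] || [ "$value" -gt 16 ]; then
        echo "value must be 4..16" >&2; return 1
    fi
    for key in $KEYS; do
        grep -q "^$key=" "$file" || { echo "$key missing in $file" >&2; return 1; }
    done
    cp -p "$file" "$file.bak" || return 1
    for key in $KEYS; do
        # Write back through cat so the file keeps its owner and mode.
        sed "s/^$key=.*/$key=$value/" "$file" > "$file.tmp" &&
            cat "$file.tmp" > "$file" && rm -f "$file.tmp" || return 1
    done
}

# Print the "ondemand ap" values of a file, to compare the two ini files.
get_scan_threads() {
    for key in $KEYS; do sed -n "s/^$key=\([0-9]*\).*/\1/p" "$1"; done | paste -sd ' ' -
}

# Usage with the agent stopped (step 2), as root:
#   n=$(recommended_threads "$(nproc)")
#   for f in /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini \
#            /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini.1; do
#       set_scan_threads "$f" "$n" && echo "$f: $(get_scan_threads "$f")"
#   done
```

Comparing the `get_scan_threads` output for the two files confirms they carry the same values before the services are restarted in step 4.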

Additional Information

The more threads are assigned to AP, the more load is put on the CPU and the faster SEP completes the real-time scan of target files; the reverse is also true.