sisamddaemon consumes a large amount of CPU and memory when logging into a system with EDR enabled.
search cancel

sisamddaemon consumes a large amount of CPU and memory when logging into a system with EDR enabled.

book

Article ID: 238337

calendar_today

Updated On:

Products

Endpoint Security Complete Endpoint Detection and Response

Issue/Introduction

You notice when logging into a linux system that sisamddaemon uses a large amount of CPU and memory resources.   

The memory usage will continue to increase until OOM killer eventually kills the process.

/var/log/messages

Mar  4 13:46:24 sepclient01 kernel: Out of memory: Killed process 114761 (sisamddaemon) total-vm:18100244kB, anon-rss:7493384kB, file-rss:0kB, shmem-rss:4924kB, UID:0 pgtables:31148kB oom_score_adj:0         

The issue can be reproduced on any ssh login attempt. The issue does not happen if you disable EDR. 

Environment

Release : 14.3.2147.4000

Component : EDR

Resolution

This issue is resolved with the latest definitions which include SEF engine version 1.7.9.37.  To check the engine version, run the following command:

/opt/Symantec/sdcssagent/AMD/tools/sav info -e

An additional memory optimization fix is also available in product version 14.3.2167.4000.  

Additional Information

CRE-9357