
SEP processes appear on various Linux systems which may lead to increased system utilization


Article ID: 240470


Products

Endpoint Protection

Issue/Introduction

You would like to prevent SEP for Linux from docking into containers, which can generate a high number of processes and cause performance issues.

Cause

By design, SEP injects into all processes.

For example:

ps -eaf | grep -i sym > av-prozesse.txt


root      153731       1  0 04:00 ?        00:00:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137244
root      183439       1  0 04:01 ?        00:00:28 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137206
root      199982       1  0 11:17 ?        00:00:00 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 1498212
root      656856       1  0 Mar26 ?        00:02:28 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 633732
root      869919       1  0 Mar27 ?        00:01:47 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 838741
root      995576       1  7 Mar25 ?        05:05:30 /opt/Symantec/sdcssagent/AMD/bin/sisamddaemon
root      996192       1  0 Mar25 ?        00:21:03 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon
sisips    996277       1  0 Mar25 ?        00:05:24 /opt/Symantec/sdcssagent/IPS/bin/sisipsdaemon
dcscaf    997027       1  0 Mar25 ?        00:00:47 /opt/Symantec/cafagent/bin/cafservicemain --daemon
root     1023999       1  0 Mar25 ?        00:01:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 950459

Environment

Release : 14.3 RU1 and above

 

Resolution

To prevent SEP injection, make a change in the configuration file:

- Locate LocalAgent.ini in "/opt/Symantec/sdcssagent/IDS/system/" on one of your Linux agents where Docker containers are running (and several sisidsdaemon processes are running).

- After creating a backup of the file, edit it and change the following line:

#Enable Container Monitor=1                             # Monitor Docker Containers

to

Enable Container Monitor=0                             # Monitor Docker Containers

- Reboot this Linux platform.

- Check that you now see only a single sisidsdaemon process.
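
The backup, edit and post-reboot check above can be scripted as follows. This is an added example, not Broadcom's own code: the function names are hypothetical, and the ini content and ps lines used in demo are constructed. As the line's own comment indicates, setting the key to 0 turns off the agent's monitoring of Docker containers.

```shell
#!/bin/sh
# Added example, not Broadcom code. Path and key name are from the article;
# function names are hypothetical. Run as root on the affected agent.
INI_DEFAULT="/opt/Symantec/sdcssagent/IDS/system/LocalAgent.ini"
KEY="Enable Container Monitor"

# Back up the ini, then force "Enable Container Monitor=0", uncommenting the
# line if needed and keeping its trailing comment. Prints the backup path.
disable_container_monitor() {
    ini="${1:-$INI_DEFAULT}"
    [ -f "$ini" ] || { echo "not found: $ini" >&2; return 1; }
    # Stop if the key is absent instead of appending a guessed setting.
    grep -Eq "^[[:space:]]*#?[[:space:]]*$KEY=" "$ini" || {
        echo "'$KEY' not present in $ini" >&2; return 2; }
    backup="$ini.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$ini" "$backup" || return 3
    tmp="$ini.tmp.$$"
    # Writing back with cat keeps the original file's owner and mode.
    sed -E "s/^[[:space:]]*#?[[:space:]]*($KEY)=[0-9]+/\1=0/" "$ini" >"$tmp" \
        && cat "$tmp" >"$ini"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "$backup"
    return "$rc"
}

# Count sisidsdaemon processes in `ps -eaf` output read from stdin.
# The article expects a single process after the reboot.
count_sisidsdaemon() {
    grep -Ec '/sisidsdaemon( |$)' || true
}

# Demo on a constructed ini file and constructed ps lines (offline, no root).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample file' \
        '#Enable Container Monitor=1          # Monitor Docker Containers' \
        >"$d/LocalAgent.ini"
    disable_container_monitor "$d/LocalAgent.ini" >/dev/null
    grep "$KEY" "$d/LocalAgent.ini"
    printf '%s\n' \
        'root 996192 1 0 Mar25 ? 00:21:03 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon' \
        'root 153731 1 0 04:00 ? 00:00:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137244' \
        | count_sisidsdaemon
    rm -rf "$d"
}
demo
```

On a real agent, call disable_container_monitor with no argument, reboot, then run `ps -eaf | count_sisidsdaemon` and expect 1.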