'sisamddaemon' process of Symantec Endpoint Protection (SEP) agent was found to be utilizing 100% CPU on Linux system
This process is associated with Auto-Protect scanning feature of SEP and the issue goes away if it is disabled.
On collecting a profile log from system, it was found that scan was running repeatedly on very large files in '/var/spool' and '/var/mail' directory which are modified frequently.
The issue observed from coredump of sisamddaemon is CPU bounded load of thread and it is because dedicated thread (t2) must scan very large and frequently modified files under /var/spool and /var/mail repeatedly.
CPU usage of sisamddaemon may be different by a content found on a filesystem.
If files systems are different, there is a possibility to show a different CPU usage pattern in different machines.
Hence we do not see this issue on all the Linux machines.
This is a I/O bounded behavior of file scan engine product in general.
To resolve the issue, make exclusions for known good software and files that are frequently accessed.
You can determine which files Auto-Protect is scanning by monitoring scan activity for 10 minutes.
To do this please refer
Troubleshooting high CPU usage by sisamddaemon when Auto-Protect is enabled
At SEPM, in the Exceptions policies create below exceptions and apply to the Linux machine where SEP(sisamddaemon) utilizes high CPU.
/proc
/sys
/dev
/var/spool/
/var/lib/rpm/
/var/mail/root/
/var/log/qualys/
/usr/local/qualys/
/var/log/dynatrace/
/var/spool/mail/root/
/var/lib/dynatrace/oneagent/agent/config/