
Duplicate machines growing in number on 4.6.8 server


Article ID: 252801


Products

Endpoint Detection and Response, Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

The number of duplicate machines keeps growing on the 4.6.8 Endpoint Detection and Response (EDR) on-prem appliance.

Cause

  • During the device enrichment process for a SEPM endpoint, EDR maintains a record in ipHostNameCache so that it can look up the device by IP address and hostname when the lookup by mid fails.
  • For each device, the keys in ipHostNameCache are each IP from the ipAddresses array combined with the hostname.
  • The ipHostNameCache size was limited to 150,000. The customer's environment had 40,000 endpoints with at least 4 IP addresses per device, so the cache needed 40,000 * 4 = 160,000 IP:Hostname keys. This caused frequent LRU evictions from ipHostNameCache.
  • The cache was not locked long enough between the cache.getAll() and cache.getIfPresent() calls. While EDR loaded mids into the cache in the getAll() call, they were simultaneously being evicted by the LRU removal thread, causing exceptions.
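
The sizing problem from the third bullet can be reproduced with a small simulation. This is an added example, not the product's code: `LRUCache`, `simulate`, the synthetic IP addresses and hostnames, and the sequential visit order are all constructed. It assumes that the lookup by mid always fails and that a miss on every IP:Hostname key creates a new device record.

```python
from collections import OrderedDict

class LRUCache:
    """Minimal size-bounded LRU map (hypothetical stand-in for ipHostNameCache)."""
    def __init__(self, capacity):
        self.capacity = capacity
        self._data = OrderedDict()
        self.evictions = 0

    def get_if_present(self, key):
        if key not in self._data:
            return None
        self._data.move_to_end(key)          # a hit makes the key most recent
        return self._data[key]

    def put(self, key, value):
        self._data[key] = value
        self._data.move_to_end(key)
        if len(self._data) > self.capacity:  # over the limit: drop the oldest key
            self._data.popitem(last=False)
            self.evictions += 1

def simulate(capacity, endpoints=40_000, ips_per_device=4, passes=3):
    """Return (device_records, evictions) after repeated enrichment passes.

    Assumption: the mid lookup fails, so only IP:Hostname keys can match,
    and a device that matches no key is stored as a new record.
    """
    cache = LRUCache(capacity)
    records = 0
    for _ in range(passes):
        for dev in range(endpoints):
            host = f"host-{dev}"                                   # constructed
            keys = [f"10.{i}.{dev // 256}.{dev % 256}:{host}"      # constructed
                    for i in range(ips_per_device)]
            hits = (cache.get_if_present(k) for k in keys)
            record_id = next((r for r in hits if r is not None), None)
            if record_id is None:            # fallback lookup missed: new record
                records += 1
                record_id = records
            for k in keys:
                cache.put(k, record_id)
    return records, cache.evictions

if __name__ == "__main__":
    print("limit 150,000:", simulate(150_000))
    print("limit 160,000:", simulate(160_000))
```

With the working set 10,000 keys over the limit and devices visited in the same order each pass, every key is evicted before it is read again, so each pass adds another 40,000 records. At 160,000 the record count stays at 40,000 with no evictions.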

Resolution

Please upgrade to EDR 4.7 where this behavior no longer occurs.