search cancel

Recommendations for High AMD CPU on Data Center Security Advanced (DCS) Unix Agent

book

Article ID: 255156

calendar_today

Updated On:

Products

Data Center Security Server Advanced

Issue/Introduction

The following is the recommendation for high AMD CPU

Please know that each environment is different and the scanning size of files and folders need to be taken into account as well as the resources on the server

 

Environment

Release : 6.9.2

Resolution

Things to do first:

  • Exclude scanning NFS mounts
  • Add exclusions for known good applications

After mounts are excluded and known good exclusions are added, if you still see issues please try the following:

  • Reduce archive scan level from default '10' to '0'

    1. Stop the AMD service: /etc/init.d/sisamdagent stop

    2. Edit the configuration file: vim /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini   (save the changes)

....
[Scanner]
#Maximum archive level.
#Max value INT64_MAX.
#Requires service restart to apply.
scanner.max.container.depth=0

         3 Start the AMD service: ./etc/init.d/sisamdagent start

 

  • Increased onDemand threads in AntiMalware.ini (Note: this can increase performance but may also increase scan CPU)

    1. Stop the AMD service: /etc/init.d/sisamdagent stop

    2. Edit the configuration file: vim /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini   (save the changes)

Find the thread you want to increase and change the value higher than 4 but not exceeding 16.

#Max number of Scan threads can be 16.
#Requires service restart to apply.
amdmanagement.ondemand.scan.threads=4
#Max number of AutoProtect Scan threads can be 16.
#Requires service restart to apply.
amdmanagement.ap.scan.threads=4

         3. Start the AMD service: /etc/init.d/sisamdagent start

 

This would be the last option to try as this can impact scan performance: (This caps each cpu to 40% AMD, so if you have 4 cores, you could still see a maximum of 160% CPU being used)

  • Set CPU quota to limit CPU

For sisamddaemon to set 40% with the command below:

systemctl set-property --runtime sisamddaemon CPUQuota=40%

(Note: These settings will be lost on system reboot unless you create a cron job on startup)

 

If further investigation is needed enable AMD trace logging and profiling to see what is being scanned

AMD trace logging:

[<user>@<hostname>]# /etc/init.d/sisamdagent stop

[<user>@<hostname>]# vi /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini

amdmanagement.antimalware.trace.level=trace

[<user>@<hostname>]# /etc/init.d/sisamdagent start

 

Enable profiling to see what is being scanned:

su - sisips -c "/opt/Symantec/sdcssagent/IPS/sisipsconfig.sh -approfile 10"

After executing command profiling will continue for 10 mins, then copy and share below file along with trace enabled GAI with support.

/var/log/sdcsslog/amdlog/profile.log

Attachments