High Disk Read I/O in customer environment

Article ID: 269682

Updated On:

Products

Endpoint Protection

Issue/Introduction

The customer noticed a spike in disk read I/O on the SEP clients. The spike occurred after the SEPMs finished replicating.

The SEP clients were reading ProfileManagment.dat, which is updated any time the SEPM sends out a new client policy.

This happened every time the SEPMs completed their scheduled replication.

Environment

Release : 14.3 RU6

Cause

This customer's issue was caused by an MD5 file that was being blocked in a Deny policy from Endpoint Detection and Response (EDR).

The EDR deny policy updates the File Fingerprint list used by the SEPM and enables System Lockdown by default.

We confirmed that the user was not making changes to the SEPM policies or to the EDR deny policy.

 

Resolution

Removing the MD5 from the customer's EDR deny policy stopped the File Fingerprint list from being updated every time the SEPMs completed their replication.

Additional Information

This article will be updated when the investigation is complete into why the EDR deny policy was causing the SEPM File Fingerprint list to be updated when no changes were being made in EDR or by the user.