App Control: Agent process showing high CPU usage on Windows Server during Windows Updates

Article ID: 288470

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Agent process showing high CPU usage on Windows Server during Windows Updates

Environment

  • App Control Agent: All Supported Versions

Cause

Analysis.log shows cyserver.exe generating the highest number of operations at the time of the Windows update:
 
<AnalysisResult Severity="Info" Subsystem="Processes">Top file writes: Process[c:\program files\palo alto networks\traps\cyserver.exe] Count[20021]</AnalysisResult>

Resolution

  • Ensure all required AV exclusions for the App Control Agent are applied to any third-party AV solutions running on the agent.
  • Add a kernel process exclusion to ignore operations by c:\program files\palo alto networks\traps\cyserver.exe:
      1. Log in to the App Control console.
      2. Navigate to https://<Server>/agent_config.php -> Add New Config.
      3. Set the properties as follows:
           Property Name: CB - Palo Alto Process Exclusions
           HostID: A value of 0 applies to all endpoints; otherwise enter the HostID of a specific endpoint
           Value: kernelProcessExclusions=*\Program Files*\Palo Alto Networks\Traps\cyserver.exe:4192127
           Macros: Leave blank
           Status: Enabled
           Create for: At your discretion

Note: The value 4192127 ignores all file operations except Execute and ScriptExecute.

Additional Information

  • The value of 2094975 should be used for Agents on version 7.2.2 and below; this value performs the same function as 4192127
  • The 4192127 value is used for Agents on version 8.1.0 and above
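
One way to confirm the cause from Analysis.log and build the matching Value string before creating the config (an added example, not vendor code). It assumes every entry follows the single-line format quoted under Cause; the function names and the second sample line are constructed for illustration.

```python
import re

# Line format taken from the Analysis.log entry quoted under Cause.
RESULT_RE = re.compile(
    r'<AnalysisResult\s+Severity="[^"]*"\s+Subsystem="[^"]*">'
    r'Top file writes:\s*Process\[(?P<proc>[^\]]+)\]\s*Count\[(?P<count>\d+)\]')

# Process pattern and operation masks exactly as given in the article.
PATTERN = r"*\Program Files*\Palo Alto Networks\Traps\cyserver.exe"
MASK_LEGACY = 2094975    # Agents on version 7.2.2 and below
MASK_CURRENT = 4192127   # Agents on version 8.1.0 and above

# Constructed sample: line 1 is the article's entry, line 2 is invented for contrast.
SAMPLE_LOG = [
    r'<AnalysisResult Severity="Info" Subsystem="Processes">Top file writes: Process[c:\program files\palo alto networks\traps\cyserver.exe] Count[20021]</AnalysisResult>',
    r'<AnalysisResult Severity="Info" Subsystem="Processes">Top file writes: Process[c:\windows\system32\svchost.exe] Count[312]</AnalysisResult>',
]

def top_file_writers(lines):
    """Return (process_path, count) pairs, highest count first."""
    hits = []
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            hits.append((m.group("proc").lower(), int(m.group("count"))))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def cause_confirmed(lines):
    """True only when the busiest writer is the Traps cyserver.exe binary."""
    ranked = top_file_writers(lines)
    return bool(ranked) and ranked[0][0].endswith(r"\traps\cyserver.exe")

def exclusion_value(agent_version):
    """Build the config Value for an agent version such as '8.1.0'."""
    parts = tuple(int(p) for p in agent_version.split(".")[:3])
    ver = (parts + (0, 0, 0))[:3]          # pad '8.1' to (8, 1, 0)
    if ver <= (7, 2, 2):
        mask = MASK_LEGACY
    elif ver >= (8, 1, 0):
        mask = MASK_CURRENT
    else:
        # The article states no mask for versions between 7.2.2 and 8.1.0.
        raise ValueError(f"no mask documented for agent {agent_version}")
    return f"kernelProcessExclusions={PATTERN}:{mask}"

if __name__ == "__main__":
    if cause_confirmed(SAMPLE_LOG):
        print(exclusion_value("8.1.0"))
```

Running the check first keeps the exclusion tied to evidence: the exclusion removes the agent's visibility into that process's file operations, so it should only be added when the log actually names cyserver.exe as the top writer.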