
SEP processes appear on various Linux systems which may lead to increased system utilization


Article ID: 240470


Products

Endpoint Protection

Issue/Introduction

You would like to prevent SEP for Linux from docking into containers, which can generate a high number of processes and cause performance issues.

Environment

Release: 14.3 RU1 and above

 

Cause

By design, SEP will inject into all processes.

For example:

ps -eaf | grep -i sym > av-prozesse.txt


root      153731       1  0 04:00 ?        00:00:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137244
root      183439       1  0 04:01 ?        00:00:28 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137206
root      199982       1  0 11:17 ?        00:00:00 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 1498212
root      656856       1  0 Mar26 ?        00:02:28 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 633732
root      869919       1  0 Mar27 ?        00:01:47 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 838741
root      995576       1  7 Mar25 ?        05:05:30 /opt/Symantec/sdcssagent/AMD/bin/sisamddaemon
root      996192       1  0 Mar25 ?        00:21:03 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon
sisips    996277       1  0 Mar25 ?        00:05:24 /opt/Symantec/sdcssagent/IPS/bin/sisipsdaemon
dcscaf    997027       1  0 Mar25 ?        00:00:47 /opt/Symantec/cafagent/bin/cafservicemain --daemon
root     1023999       1  0 Mar25 ?        00:01:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 950459

Resolution

To prevent SEP injection, make a change to the configuration file:

- Locate LocalAgent.ini in "/opt/Symantec/sdcssagent/IDS/system/" on one of your Linux agents where Docker containers are running (and several sisidsdaemon processes are running).

- After creating a backup of the file, edit it and change the following line:

#Enable Container Monitor=1                             # Monitor Docker Containers

to

Enable Container Monitor=0                             # Monitor Docker Containers

- Reboot this Linux platform.

- Check that you now see only a single sisidsdaemon process.
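
The steps above as a script, added here as an example and not Broadcom's own tooling: it backs up LocalAgent.ini, sets the line to 0 whether or not it is commented out, and after the reboot counts sisidsdaemon processes. The function names and the --apply/--check switches are hypothetical; the file path and setting name are taken from this article, and the script assumes it is run as root.

```shell
#!/bin/sh
# Added example, not vendor code. Path and setting name are from the article.
INI_DEFAULT=/opt/Symantec/sdcssagent/IDS/system/LocalAgent.ini
KEY='Enable Container Monitor'

# Print the active value of the setting; a commented-out line prints "unset".
container_monitor_state() {
    v=$(sed -n -E "s/^[[:space:]]*$KEY=([0-9]+).*/\1/p" "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Back up the file, then rewrite the line (commented or not) to "=0",
# keeping the trailing comment and the file's owner and mode.
disable_container_monitor() {
    ini=$1
    [ -f "$ini" ] || { echo "not found: $ini" >&2; return 1; }
    grep -Eq "^[[:space:]]*#?[[:space:]]*$KEY=" "$ini" ||
        { echo "no '$KEY' line in $ini" >&2; return 2; }
    cp -p "$ini" "$ini.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    sed -E "s/^[[:space:]]*#?[[:space:]]*($KEY)=[0-9]+/\1=0/" "$ini" > "$tmp" &&
        cat "$tmp" > "$ini"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Count sisidsdaemon processes in `ps -eaf` output read from stdin
# (field 8 is the command path).
count_sisidsdaemon() {
    awk '$8 ~ /\/sisidsdaemon$/ { n++ } END { print n + 0 }'
}

# Usage: script --apply [file]   (before the reboot)
#        script --check          (after the reboot)
case "${1:-}" in
    --apply) disable_container_monitor "${2:-$INI_DEFAULT}" &&
             echo "state: $(container_monitor_state "${2:-$INI_DEFAULT}")" ;;
    --check) n=$(ps -eaf | count_sisidsdaemon)
             echo "sisidsdaemon processes: $n"; [ "$n" -eq 1 ] ;;
esac
```

Run it with --apply against a copy of the file first to confirm the rewritten line matches the one shown above.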