SEP processes appear on various Linux systems which may lead to increased system utilization
Article ID: 240470
Updated On:
Products
Issue/Introduction
You would like to prevent SEP for Linux from docking into containers, which may lead in generating high number of processes and performance issue.
Environment
Release : 14.3 RU1 and above
Cause
By design, SEP will inject into all process.
For example:
ps -eaf | grep -i sym > av-prozesse.txt
root 153731 1 0 04:00 ? 00:00:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137244
root 183439 1 0 04:01 ? 00:00:28 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 137206
root 199982 1 0 11:17 ? 00:00:00 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 1498212
root 656856 1 0 Mar26 ? 00:02:28 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 633732
root 869919 1 0 Mar27 ? 00:01:47 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 838741
root 995576 1 7 Mar25 ? 05:05:30 /opt/Symantec/sdcssagent/AMD/bin/sisamddaemon
root 996192 1 0 Mar25 ? 00:21:03 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon
sisips 996277 1 0 Mar25 ? 00:05:24 /opt/Symantec/sdcssagent/IPS/bin/sisipsdaemon
dcscaf 997027 1 0 Mar25 ? 00:00:47 /opt/Symantec/cafagent/bin/cafservicemain --daemon
root 1023999 1 0 Mar25 ? 00:01:27 /opt/Symantec/sdcssagent/IDS/bin/sisidsdaemon -n 950459
Resolution
In order to prevent SEP injection, please make a chance into the configuration file:
- Locate the LocalAgent.ini "/opt/Symantec/sdcssagent/IDS/system/" from one of your Linux Agents where Docker container running (and several sisidsdaemon processes runing)
- After create a backup of the file , edit and change following line:
#Enable Container Monitor=1 # Monitor Docker Containers
by
Enable Container Monitor=0 # Monitor Docker Containers
- reboot this Linux platform
- check if you see now a single sisidsdaemon process.
Feedback
