Endpoint Protection


COH32.exe & COH64.exe issues

  • 1.  COH32.exe & COH64.exe issues

    Posted May 16, 2011 12:49 PM

    Hi,

    Recently on all Windows 7 machines we have observed that the above process keeps running, terminating after a few seconds, then running and then terminating, etc. When all other applications are closed the CPU flicks between 5% and 25% on a machine with a quad-core CPU and 5% & 50% on a single-core machine.

    If I disable NTP the issue goes away after about 10 minutes and returns when it is re-enabled. On one machine I've fully removed NTP and that machine no longer has this issue. As this has not always been the case, is this a recent issue caused by a Windows update or just something we've not observed before - the side effects?

    I've not yet had a chance to test this on a Windows XP machine but will be doing this tomorrow...

    Any ideas?

    We're running 11 RU6MP2 (& MP3 on two machines, always with exactly the same issue)

    Regards,

     

    Mike



  • 2.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 12:55 PM

    Update:

    After 20 minutes the machine without NTP is now doing exactly the same with COH32.exe, so I guess it's not that per se.



  • 3.  RE: COH32.exe & COH64.exe issues

    Trusted Advisor
    Posted May 16, 2011 01:24 PM

    Hello,

    Try the following steps:

    1. Remove PTP by modifying SEP install via Add/Remove programs
    2. Install PTP by modifying SEP install via Add/Remove Programs

     

    AND

    COH32.exe utilizes 90-100% CPU usage for extended periods

    If that does not help, I would also request you to create a Case with Symantec Technical Support.

    You can log a case on web portal.

    QuickStart Guide - Create and Manage Support Cases in SymWISE

    http://www.symantec.com/docs/HOWTO31132

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023



  • 4.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 04:21 PM

    Hi Mithun,

    Unfortunately this is also happening after a full SEP uninstall, reboot, re-install (but de-selecting the NTP).

    I'll give support a call tomorrow.

    Regards



  • 5.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 04:28 PM

    Confidence Online Heavy (COH) is the process for Proactive Threat Protection.

    Does PTP show "Waiting for updates", or do you see any error or warning related to PTP in the SEP client's logs?



  • 6.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 04:42 PM

    No recent errors in the PTP logs; there was a whitelist failure or 3, the newest of which was 12 days ago, but nothing after that.

    All PTP defs & AV defs are up to date. A machine freshly installed less than 2 weeks ago with a fresh install of SEP is also having the issue. It would appear to be a recent problem on all Windows 7 machines (not had a chance to check Windows XP at this stage).



  • 7.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 05:25 PM

    Do you have Windows Defender turned ON? If yes, then turn it off.



  • 8.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 07:30 PM

    Increase the frequency of TruScan and try. You can do it in the AV/AS policy...



  • 9.  RE: COH32.exe & COH64.exe issues

    Posted May 16, 2011 08:56 PM

    After you open a Support ticket, please forward a full memory dump to the engineer that's handling your case to analyze it.

    It might be similar to an issue that we already know and fixed in the upcoming RU7.



  • 10.  RE: COH32.exe & COH64.exe issues

    Posted May 17, 2011 04:05 AM

    AravindKM,

    What is the recommendation to set this to? We've already set it to every 30 minutes, which we felt was about correct.



  • 11.  RE: COH32.exe & COH64.exe issues

    Posted May 17, 2011 04:07 AM

    Vikram,

    Windows Defender has been switched off on all machines - I think this happened as part of the SEP install but not sure.



  • 12.  RE: COH32.exe & COH64.exe issues

    Posted May 17, 2011 04:39 AM

    BNH,

     

    Will RU7 likely be available before Endpoint 12.1?



  • 13.  RE: COH32.exe & COH64.exe issues

    Posted May 17, 2011 05:49 AM

    After removing the PTP component the COH32.exe & COH64.exe services disappear on the respective machines and the CPU usage also drops to expected levels, indicating this is the cause.

    I've raised this with support and am awaiting a response from the logs/data captures I've been requested to send.



  • 14.  RE: COH32.exe & COH64.exe issues

    Posted May 17, 2011 07:24 AM

    If "Scan new processes immediately" is unticked the problem no longer exists...

    It would appear that if it is ticked the COH32.exe or COH64.exe process launches a new COH32.exe or COH64.exe process to scan itself, which then results in a new process loading to scan that, etc., etc.

    I'm unsure what the recommended action for this is, but I imagine our machines are more at risk with this disabled. Anyone have any experience with this/thoughts?



  • 15.  RE: COH32.exe & COH64.exe issues

    Posted May 17, 2011 07:50 AM

    If this is unchecked it doesn't mean your machine is at risk. Antivirus and Antispyware will still scan new processes, and IPS and Firewall will still act against it.

    Even PTP will scan the files; it's just that it won't scan the new processes, it will scan after 30 mins.



  • 16.  RE: COH32.exe & COH64.exe issues

    Posted Jun 06, 2011 04:16 AM

    Have the issue on less than 0.5% of workstations (old F-S P300: Celeron 2.4 CPU, 512 MB RAM) during upgrades from RU6 MP2 to MP3.

    Remotely killed the COH32.exe processes (all were on 32-bit XP SP3):


    C:\Users\username>pskill -t \\host-1089 COH32.exe
    
    PsKill v1.13 - Terminates processes on local or remote systems
    Copyright (C) 1999-2009  Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    33 processes named COH32.exe killed on host-1089.

    After that the setup process (msiexec.exe) CPU usage grew and it finished installing the update, presumably, with the SEP icon reappearing in the tray. Used pslist -s \\hostname for that.

    That solved the problem for me.

    (Now I'm calming down the users to wait for a while for the Rtvscan.exe to finish the postinstall scan, lol).  



  • 17.  RE: COH32.exe & COH64.exe issues

    Posted Jun 06, 2011 05:14 AM

    I believe this may be a different issue... I only ever see 2 instances of COH32.exe or COH64.exe running at any one time - and only if the box to scan new processes immediately is ticked.

    I've observed this running:

    RU6 MP2

    RU6 MP3

    RU7 Beta

    On:

    Windows XP 32bit

    Windows 7 32bit

    Windows 7 64bit

    The two running processes will terminate, to be replaced by two more, etc., etc. This is still with support.
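
An added example, not part of the thread or of any Symantec tooling: posts 16 and 17 describe two different patterns (dozens of COH32.exe instances alive at once versus a pair that keeps being replaced), and sampling process IDs over a few minutes tells them apart. The polling interval, sample count and output field names are assumptions; save it as a .ps1 file and run it in Windows PowerShell on the affected machine.

```powershell
# Added example (not from the thread): sample COH32/COH64 process IDs to
# separate "churn" (few alive, many distinct PIDs) from "pile-up" (many alive).
param(
    [string[]]$Names      = @('COH32', 'COH64'),  # process names, without .exe
    [int]$IntervalSeconds = 2,                    # assumed polling interval
    [int]$Samples         = 150                   # 150 x 2 s = about 5 minutes
)

$seen     = @{}   # PID -> process name, for every instance observed
$previous = @()   # PIDs alive at the previous sample
$exited   = 0     # instances that vanished between two samples
$peak     = 0     # most instances alive in any single sample

for ($i = 0; $i -lt $Samples; $i++) {
    # Missing processes are not an error here, so suppress "not found".
    $procs   = @(Get-Process -Name $Names -ErrorAction SilentlyContinue)
    $current = @($procs | ForEach-Object { $_.Id })

    foreach ($p in $procs) {
        if (-not $seen.ContainsKey($p.Id)) { $seen[$p.Id] = $p.ProcessName }
    }
    $exited += @($previous | Where-Object { $current -notcontains $_ }).Count
    if ($current.Count -gt $peak) { $peak = $current.Count }

    $previous = $current
    Start-Sleep -Seconds $IntervalSeconds
}

# Instances shorter-lived than the interval are missed, and a reused PID is
# counted once, so DistinctPids and Exited are lower bounds.
New-Object PSObject -Property @{
    Minutes      = [math]::Round(($Samples * $IntervalSeconds) / 60, 1)
    DistinctPids = $seen.Count
    Exited       = $exited
    PeakAlive    = $peak
    StillAlive   = $previous.Count
}
```

A small PeakAlive with DistinctPids and Exited climbing steadily matches the replace-in-pairs behaviour in post 17; a large PeakAlive matches the accumulation seen in post 16.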



  • 18.  RE: COH32.exe & COH64.exe issues

    Broadcom Employee
    Posted Oct 17, 2011 11:34 AM

    Hi,

    Upgrade to RU7 MP1.

    COH32.exe consumes high CPU and high memory

    Fix ID: 2247120

    Symptom: The process COH32.exe consumes high CPU and 500 MB+ of memory every hour.  By default, COH (part of Proactive Threat Protection) scans every hour and some CPU and memory usage is normal.  In some environments the COH process may consume excessively high CPU and memory.

    Solution: COH32.exe was modified to prevent a scenario where the scanner incorrectly identified too many processes to scan.



  • 19.  RE: COH32.exe & COH64.exe issues

    Posted Oct 17, 2011 11:44 AM

    If you have been considering moving to 12.1, COH32/64.exe are no longer used. If not, RU7 MP1 has a Fix ID regarding COH, as Chetan pointed out.