Data Loss Prevention

 View Only
Back to discussions
Expand all | Collapse all

High CPU with edpa.exe

  • 1.  High CPU with edpa.exe

    Posted May 12, 2010 03:33 PM

    Hello Folks,

    I have a user that is complaining that every morning when he boots up, edpa is taking up 50% of his CPU and he has to kill it to get it to settle down.  there is only one person with this issue although my implementation is still in the testing phase with about 35 clients installed.  I found a system event error from Windows that might have some bearing on the issue:

    Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date:  5/12/2010
Time:  9:03:54 AM
User:  N/A
Computer: 
Description:
The EDPA service terminated unexpectedly.  It has done this 8 time(s).
     

    Does anyone have any thoughts as to what might be going on?  We use SEP and as far as I know I have all the proper exclusions.

    Thanks in advance!


  • 2.  RE: High CPU with edpa.exe

    Posted May 13, 2010 12:28 PM
    How have you deployed the clients?
    I would suggest that you reinstall the client, I have not encountered this issue before.
    since its only one agent i can assume its a local issue. if you can please provide a list of applications installed on the clients computer, as it might give a hint as of the reason edpa.exe consumes a lot of memory.
    Kind Regards,
    Naor Penso


  • 3.  RE: High CPU with edpa.exe

    Posted May 14, 2010 04:02 PM
    Thanks for the response Naor.

    The clients were deployed with Altiris as a simple package pointing to the Endpoint server.

    I've asked that this particular client be re-installed at your suggestion.  We'll see how it goes.


  • 4.  RE: High CPU with edpa.exe

    Posted May 21, 2010 11:25 AM
    I've had this user get a re-install of DLP and it seems to be better but still not fully resolved.  What I found out is that his laptop is coming out of hibernation when this issue occurs.  Does this sound familiar to anyone?


  • 5.  RE: High CPU with edpa.exe

    Posted May 23, 2010 09:55 AM
    This issue might happen because the DLP Agent is trying to scan the hibernation file which is a very large file and it takes  time.
    What I would recommend is that you exclude the hibernation file from scanning within the DLP Enforce console.
    If you need guidance in this operation write it down here and i will guide you through the operation.
    Kind Regards,
    Naor Penso


  • 6.  RE: High CPU with edpa.exe

    Posted May 24, 2010 02:12 PM
    I would appreciate your help guiding me through that process.

    Thanks!

    Nevermind, I found it!  Thanks anyway.


  • 7.  RE: High CPU with edpa.exe

    Posted Jun 09, 2010 10:42 AM
    Have a 15 plus laptop group testing SDLP endpoint agent v10 on two different windows XP sp3 images. One running trend micro and the other running Mcafee AV. There are no issues on the Trend image. But there are a couple on the Mcafee image. The other thing is that hiberfil.sys is a local file. And we are not scanning local files with the SDLP agent. Only as data attempts to exit the laptops. file and directory exclusions have been verified on the trend image. I am waiting to hear about the Mcafee image at the moment.


  • 8.  RE: High CPU with edpa.exe

    Posted Jun 09, 2010 10:54 AM
    Turns out the same av exclusions are not in place on the Mcafee imaged laptops. This might be the issue after all. For us. We will see once they get updated. For now the questions goes back to the original poster...1) Are you scanning the "Local Drive" by default in the agent scanning settings? 2) Do you have the SDLP agent exclusion settings set up in your AV application? 3) did adding hiberfil.sys as an excluded file type help you out?


  • 9.  RE: High CPU with edpa.exe

    Posted Jun 17, 2010 08:44 AM
    1) We do scan local drives
    2) We use SEP and yes, we exclude the DLP stuff
    3 Yes, it seems that excluding the hiberfile.sys helped out.


  • 10.  RE: High CPU with edpa.exe

    Posted Jun 17, 2010 10:05 AM
    Scanning local drives is the problem. I ran into this in our dev environment when I turned on the scanning of local drives. It makes sense too if you think about all of the I/O activity that occurs on the local drive. I would recommend some filters to minimize what it's actually looking for. Also, the number and type of policies may contribute to this problem as well. We had a generic password regex that was contributing to the issue because of all of the FP's it was creating.


  • 11.  RE: High CPU with edpa.exe

    Posted Jun 20, 2010 07:29 AM
    You could throttle the Endpoint Discover scanning. Check the server settings under -> "Endpoint_Server"->Configure->Agent Configuration
    Kind Regards
    Naor Penso


  • 12.  RE: High CPU with edpa.exe

    Posted Jul 23, 2010 09:26 PM
    Hi. I've gotten something called edypea.exe on my computer but google is not able to find any reference to this virus at all. The only thing it can find reference to is edpa.exe. Has anyone ever heard of this edypea.exe? It is a resource hog using over 200Megsof Ram and  am completely inthe dark as to what it does.


  • 13.  RE: High CPU with edpa.exe

    Posted Jul 24, 2010 05:28 PM
    edpa.exe and wdp.exe are Symantec DLP processes. Edypea.exe is not a part of Symantec DLP, and i would check the lead of a virus infection. Try using Process Explorer to track down the folder that this file lies in and you might find what you are after.

    Kind Regards,
    Naor Penso