Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

High CPU with edpa.exe

Created: 12 May 2010 | 12 comments

Hello Folks,

I have a user that is complaining that every morning when he boots up, edpa is taking up 50% of his CPU and he has to kill it to get it to settle down.  there is only one person with this issue although my implementation is still in the testing phase with about 35 clients installed.  I found a system event error from Windows that might have some bearing on the issue:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date:  5/12/2010
Time:  9:03:54 AM
User:  N/A
Computer: 
Description:
The EDPA service terminated unexpectedly.  It has done this 8 time(s).

 


Does anyone have any thoughts as to what might be going on?  We use SEP and as far as I know I have all the proper exclusions.

Thanks in advance!

Discussion Filed Under:

Comments 12 CommentsJump to latest comment

Naor Penso's picture

How have you deployed the clients?
I would suggest that you reinstall the client, I have not encountered this issue before.
since its only one agent i can assume its a local issue. if you can please provide a list of applications installed on the clients computer, as it might give a hint as of the reason edpa.exe consumes a lot of memory.
Kind Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

BNoren's picture

Thanks for the response Naor.

The clients were deployed with Altiris as a simple package pointing to the Endpoint server.

I've asked that this particular client be re-installed at your suggestion.  We'll see how it goes.

BNoren's picture

I've had this user get a re-install of DLP and it seems to be better but still not fully resolved.  What I found out is that his laptop is coming out of hibernation when this issue occurs.  Does this sound familiar to anyone?

Naor Penso's picture

This issue might happen because the DLP Agent is trying to scan the hibernation file which is a very large file and it takes  time.
What I would recommend is that you exclude the hibernation file from scanning within the DLP Enforce console.
If you need guidance in this operation write it down here and i will guide you through the operation.
Kind Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

BNoren's picture

I would appreciate your help guiding me through that process.

Thanks!

Nevermind, I found it!  Thanks anyway.

sergtech's picture

Have a 15 plus laptop group testing SDLP endpoint agent v10 on two different windows XP sp3 images. One running trend micro and the other running Mcafee AV. There are no issues on the Trend image. But there are a couple on the Mcafee image. The other thing is that hiberfil.sys is a local file. And we are not scanning local files with the SDLP agent. Only as data attempts to exit the laptops. file and directory exclusions have been verified on the trend image. I am waiting to hear about the Mcafee image at the moment.

sergtech's picture

Turns out the same av exclusions are not in place on the Mcafee imaged laptops. This might be the issue after all. For us. We will see once they get updated. For now the questions goes back to the original poster...1) Are you scanning the "Local Drive" by default in the agent scanning settings? 2) Do you have the SDLP agent exclusion settings set up in your AV application? 3) did adding hiberfil.sys as an excluded file type help you out?

BNoren's picture

1) We do scan local drives
2) We use SEP and yes, we exclude the DLP stuff
3 Yes, it seems that excluding the hiberfile.sys helped out.

jandrusk's picture

Scanning local drives is the problem. I ran into this in our dev environment when I turned on the scanning of local drives. It makes sense too if you think about all of the I/O activity that occurs on the local drive. I would recommend some filters to minimize what it's actually looking for. Also, the number and type of policies may contribute to this problem as well. We had a generic password regex that was contributing to the issue because of all of the FP's it was creating.

Naor Penso's picture

You could throttle the Endpoint Discover scanning. Check the server settings under -> "Endpoint_Server"->Configure->Agent Configuration
Kind Regards
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

Zethar's picture

Hi. I've gotten something called edypea.exe on my computer but google is not able to find any reference to this virus at all. The only thing it can find reference to is edpa.exe. Has anyone ever heard of this edypea.exe? It is a resource hog using over 200Megsof Ram and  am completely inthe dark as to what it does.

Naor Penso's picture

edpa.exe and wdp.exe are Symantec DLP processes. Edypea.exe is not a part of Symantec DLP, and i would check the lead of a virus infection. Try using Process Explorer to track down the folder that this file lies in and you might find what you are after.

Kind Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)