
High CPU Utilisation (LUALL.EXE and LUCALLBACKPROXY.EXE)

Created: 17 Jun 2010 | 29 comments

I observe an abnormally high CPU utilisation against the processes Luall.exe and LuCallbackProxy.exe. At the outset, I was thinking the latter to be a virus. Then a quick search revealed that it is Live Updation helper.

Any help regarding the High CPU utilisation?


P_K_'s picture

Is it happening on the SEPM or on the SEP client?

What is the version of SEP installed?

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

akoulintchenko's picture

I have also observed an abnormally high CPU utilization by the LuCallbackProxy.exe process on one of my Windows 2003 servers, which has the SEP client installed (v. 11.0.5002.333; Antivirus and Antispyware Protection only). After a while (±30 mins), the situation seems to have corrected itself (and the LuCallbackProxy.exe process was nowhere to be found). LiveUpdate glitch of some kind?

Vikram Kumar-SAV to SEP's picture

Both these processes launch when LiveUpdate is trying to download the definitions. Where are you seeing this, on the server or on your machine?
By default you should see this every 4 hours; however, you can schedule that.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Min Qiu's picture

Are the processes always at high utilization, or is it just a flash? When does it occur? When you manually run LU, or when LU runs by itself on schedule?

Minucci's picture

Hello, I am also having a similar problem. But the processes are LUALL.EXE, LUCOMS~1.EXE, LUCALLBACKPROXY.EXE. Those processes come every 10 or 15 minutes all day long, consuming up to 30% of my CPU. LUCALLBACKPROXY.EXE opens up to 8 processes. After about 5 or 10 minutes they all terminate. Do you have any ideas? Thank you in advance.

SEP liveupdate problem.jpg
VSK's picture

Could you please upgrade to RU6 MP1, now that it is available.....
You can get it from https://fileconnect.symantec.com

-VSK

Minucci's picture

Hello Vishal, I will have to wait until the release of the Portuguese version then. It will happen on the 30th of August, right? Any other possibilities? I have attached an image of task manager up there. Thank you again.

VSK's picture

@ Minucci...

What is your liveupdate schedule? Is the liveupdate working?

-VSK

Minucci's picture

The default of 4 hours. Yes, liveupdate is working. This is the SEP Manager also. Do you think I should move the SEPM to another server and uninstall?

VSK's picture

No. Uninstalling, and installing on a different server, is the last resort. Not now ;-)

Are there any other Symantec products installed on this server? Those could also be launching liveupdate/.......

-VSK

Minucci's picture

Alright! There are just the SEP client and the manager. I already uninstalled and reinstalled liveupdate according to this: http://service1.symantec.com/SUPPORT/ent-security..... I thought there could be more than one LU "scheduled tasks", but nope. Anything else I could say to help? Thanks.

VSK's picture

01:40:31 GMT -> The command line is -S -temphostex "C:\Program Files\Symantec\Symantec Endpoint Protection\ContentCache\{C25CEA47-63E5-447b-8D95-C79CAE13FF79}\80929016" -M{C25CEA47-63E5-447b-8D95-C79CAE13FF79} -updateoptout=yes

26/8/2010, 01:40:31 GMT -> ***** This LiveUpdate session is running in TempHostEx mode. *****

26/8/2010, 01:40:31 GMT -> TempHostEx moniker is {C25CEA47-63E5-447B-8D95-C79CAE13FF79}

Each liveupdate session begins with the above lines, which is not normal....

Kindly stop all Symantec services, and then delete the contents of C:\Program Files\Symantec\Symantec Endpoint Protection\ContentCache\.

Start the services, and then let me know how it goes....

-VSK
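
Added example, not part of the original thread and not Symantec tooling: a small Python check that counts how often a LiveUpdate log starts a TempHostEx session and flags sessions that begin much sooner than the 4-hour default schedule mentioned in this thread. The sample lines are constructed in the line format quoted above, and the day/month order of the timestamp, the function names and the tolerance value are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, in the "D/M/YYYY, HH:MM:SS GMT -> message" format
# quoted in the post above. Not taken from a real log.
SAMPLE_LOG = """\
26/8/2010, 01:40:31 GMT -> ***** This LiveUpdate session is running in TempHostEx mode. *****
26/8/2010, 01:40:35 GMT -> (constructed) some other session detail
26/8/2010, 01:52:10 GMT -> ***** This LiveUpdate session is running in TempHostEx mode. *****
26/8/2010, 02:05:44 GMT -> ***** This LiveUpdate session is running in TempHostEx mode. *****
26/8/2010, 06:05:50 GMT -> ***** This LiveUpdate session is running in TempHostEx mode. *****
a line without a timestamp is skipped
"""

LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}), (\d{2}:\d{2}:\d{2}) GMT -> (.*)$")
MARKER = "running in TempHostEx mode"


def temphostex_starts(text):
    """Return sorted start times of sessions announced as TempHostEx mode."""
    starts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or MARKER not in m.group(3):
            continue
        # Assumption: the date is day/month/year, as "26/8/2010" suggests.
        stamp = f"{m.group(1)} {m.group(2)}"
        starts.append(datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S"))
    return sorted(starts)


def short_gaps(starts, expected=timedelta(hours=4), tolerance=0.5):
    """Return (previous, current, gap) for each session that started less
    than tolerance * expected after the previous one."""
    threshold = expected * tolerance
    return [(a, b, b - a) for a, b in zip(starts, starts[1:]) if b - a < threshold]


if __name__ == "__main__":
    sessions = temphostex_starts(SAMPLE_LOG)
    print(f"{len(sessions)} TempHostEx sessions found")
    for prev, cur, gap in short_gaps(sessions):
        print(f"session at {cur} started only {gap} after the previous one")
```
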

Minucci's picture

Did it. As I stopped the services I noticed this one: "Symantec Auto-upgrade Agent - Automatically updates Symantec client security software.". It was not started and was set to Manual. The thing is this service does not exist in another machine which I used to compare the Symantec services status. Do you think I should disable it? Well, waited a little after restarting the services and they are all back. 6 instances of LUCALLBACKPROXY.EXE as usual.

Bijay.Swain's picture

I was facing this same problem on some clients, so I uninstalled LiveUpdate, as I don't require it because my clients are updated via SEPM with the push method, and clients are not allowed to launch LiveUpdate.

Now the clients are running fine and are also getting updates from SEPM daily.

Try this as it may help you also.

VSK's picture

Could you please uninstall the SEP client, and then see if this still happens...with just SEPM installed?

-VSK

Minucci's picture

Hello again. It has been about 2 or 3 hours since SEP client was uninstalled. It seems LU is gone. My last alternative is to uninstall LU then. And now, how should I install the client? I will have to restart the server at least once before reinstalling as requested by uninstall program. Thank you.

VSK's picture

Please install the client again without the proactive threat protection feature (that is not compatible with server OS)...

-VSK

Minucci's picture

In my 4 servers, proactive threat protection is automatically disabled. How should I install without this feature? Should I export a package and configure it somewhere? Should I choose this option during installation?

VSK's picture

Go to Admin-Install packages, and add a custom install feature set that does not have PTP. Then export the package using this custom feature set..

-VSK

Minucci's picture

Alright, but I have 3 options and none seems to be correct. Only antivirus and anti-spyware, which lacks network threat protection and proactive threat protection; then only network threat protection, which lacks antivirus and antispyware and proactive threat protection; and the last one, antivirus, antispyware and proactive threat protection, which lacks network threat protection. The best one seems to be only antivirus and antispyware, but then there's a security hole without network threat protection, right? Which should I choose? Thank you.

VSK's picture

You have to add a client install feature set, and select NTP and AV/AS. Please see attached:

feature.JPG

-VSK

Minucci's picture

Well, as soon as I installed and restarted, the 8 instances of lucallbackproxy.exe were back, together with luall.exe and lucoms~1.exe taking 20 to 30% of CPU. But they have been gone for about 30 minutes now. Before this they would appear every 10 or 15 minutes. I will watch them longer and come back to you. If the 8 instances of lucallbackproxy.exe is something normal, then it looks like the problem might be gone, right? I will come back to you in about 2 or 3 hours. Thank you.

VSK's picture

Yes, 8 instances of lucallbackproxy is normal.........

-VSK

Minucci's picture

Hello again Vishal. First I would like to thank you so much for your time and patience. It seems to be alright now. Just a last question: I have a twin server with the full SEP client installed. That server does not have any problem. Then, in case I need the device control feature, I will probably face the same problems, right? Would there be another solution with that feature enabled? Thank you once again for your time.

VSK's picture

I think you could re-install the TruScan PTP, with application and device control, and verify whether the same issue happens again. Ideally it should not. We just needed to uninstall and re-install the SEP client once.

-VSK

Hurricane Andrew's picture

Live update regularly caused issues on our SEPM server, and actually caused the server to peg itself at 100% CPU usage for literally hours at a time.  The only fix I was able to conjure up was to use a program called Prio Process Saver http://prnwatch.com/prio.html to limit the CPU usage of LuCommServer_3_4.exe to 50% CPU usage.  Since this change, not a single server lockup, and Live Update continues to function properly and maintain the server and clients with up to date definitions.

"Hurricane" Andrew

Felton, Delaware