Endpoint Protection

Running SEP 11.0.5 and even 11.0.6 on Vista 32bit desktop computers. On a few of our machines, the sonar component (COH32.exe) keeps spiking the CPU processes and in some cases takes up 100% of the CPU resources. After 5-10 minutes of waiting, the only way to stop it is by rebooting the computer. 

Any ideas on what could cause this?

 How frequent is the spike ?

COH32.exe related to Proactive Threat Protection.  It is not continous process, it is just start once in while. So you can increas the frequency for PTP  and see if that helps

Our IT guy at that facility is saying that it spikes every 5-10 seconds and will do that numerous times before calming down.

Could you please confirm what is your PTP scan frequency?

It is set to default.

Can you please change the frequency to 4 hours and monitor to confirm if it helps.

Thanks. I will try that and report back if there has been any improvement.

Hi Andy,

Are there any custom-built applications running on those particular Vista machines?  It sounds like PTP is scanning and rescanning a file or application over and over again.  (By default, PTP does not automatically document unknown processes. If it cannot find a reason to whitelist the process or alert on the process, it merely keeps rescanning it.)

Running the Sysinternals tool Process Monitor can reveal what file is consuming the CPU cycles in your instance.  If that file is an application that you have developed yourself and you know it to be safe, I recommend adding it to the list of centralized exceptions. ("Add a Centralized Exception policy" in the SEPM....)

If the file is a .txt or .ini file or something similar, open it up and ensure that it is not corrupt/full of massive amount of repeated or garbage data.  A corrupt file might also cause the behavior you are seeing. Delete or repair the file in question and the CPU spikes will cease.

One of those two answers is almost certainly your cause.  Please keep the forum up-to-date with your progress!

Thanks and best regards,

Mick

The only things installed on the computers are SAP front end components, web gui Active X components for SAP and BCM and Office 2007. They all have the same software but not all of them have this problem.

We can see in the Windows Task Manager that it's the COH32.exe file that's causing the CPU spike and is what hangs some times.

Is there a way to know what file the Sonar component is looking at when the CPU spikes?

Yes... I recommend this tool: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx 

Title: 'COH32.exe utilizes 90-100% CPU usage for extended periods'
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009012008215548

sandra

Bringing this one back from the dead....

Sandra, I don't believe that is going to help.

We've got machines that COH32 will spike just by accessing a network drive or when opening a Word/Excel document from a network drive. It also happens when the only thing running on the computer is MS Outlook 2003/2007 (Outlook scanning is turned off, in case you're wondering) open and some of them have .PST files that are network drives.

At which level is the sensitivity for PTP set?

You could try to use Process Monitor as Mick suggested above to see exactly what's happening when this occurs.

sandra