Endpoint Protection

  • 1.  SEPM CPU 100% 11.0.5.333

    Posted Jan 18, 2010 12:46 PM
    SEPM CPU on 1/10/2010 went from 40% avg to 100%.  The process is half the dbsrv and half the SEPM service.   If I stop the SEPM service, and not the database, the CPU drops to near 0%.   40% had been usual for quite some time.

    I have run the db analysis tool, db is fine. I purged out the database, and made the web request to force the rollover.  I have used the db tool to shrink the database.   It dropped from 4GB to 700MB, but no change in CPU use.

    OS is Windows 2008 64BIT. I have the 2010 pattern file issue patch on this server.   There is a site replica, and its CPU use is about 10-15% avg.

    The logs show some patch running over and over and over, erroring out with "Failed to create a folder to which to publish the package."   If I dig into it, some patch is running and trying to create a folder for a SAV product which I have never had.   Everything else skips fine, just this one SAV product does not.

    I'm asking here and not calling tech support as I have an outstanding support case from last week which took 3 hours to get opened, and on which I have yet to hear back from support.  I don't suspect calling will be of any use.  ( I am current on my support. )

    Any tips on how to get the CPU use back to normal?  


  • 2.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 18, 2010 12:48 PM
    open the conf.properties file and try this

    https://www-secure.symantec.com/connect/articles/things-you-can-do-confpropeties-file-and-serverxml-file-sepm

    cutting down the CPU usage for SEMSRV.exe
    _______________________________________________________________________
    When new defs are downloaded or during a data purge, the Symantec manager process uses a lot of CPU. You can limit the CPU usage by adding this line:
    scm.delta.cpu.usage=0.5
    Decimal number between 0 and 1, where 1 represents 100% usage and 0.5 represents 50% usage.
     
    Symantec Document: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648
     


  • 3.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 18, 2010 04:28 PM
    That's not it.  I tried .1 to be 10% and it's still running 100%, so it's not that function causing it.    I have turned on logging to warning, so far I am not seeing anything.   The only thing that stands out is one of the logs says the database is 10.0.3, but that might be normal.   I don't know.




  • 4.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 18, 2010 04:49 PM
    Do you have reporting for SAV to SEPM turned ON?

    Do you have permission on 
    Authenticated Users, Administrators, System and Users.

    \Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages

    and
    Remove older packages assigned to client groups for automatic Upgrade



  • 5.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 19, 2010 12:22 PM
    This shows up in the log repeatedly too.   It shows up in SEPM and then disappears

     The binary file[5FD4C2B2C52AC7CB8591454F941A22F8] referred at the physical file[170F16BD7F7C09E448967BCF346E04A7], which is referred at the software package[4209DCACED66213A52DB822FCD5D1C80,Symantec Endpoint Protection (version 11.0.4000.0) for WIN32BIT],

    11.0.4000.0 was deleted from the server a long time ago.




  • 6.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 19, 2010 12:40 PM
    \Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages does not exist, so there is no authority over it.

    \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages has default permissions.  This is a dedicated server.  It's however the SEPM installer set it up.    Creator Owner is there for recording creator, System is full, Administrators is full,  users is read execute/list/read, trustedinstaller is list folder contents.

    I have removed older packages already, as I can.   I have an 11.0.4 and the latest 11.0.5.333.  11.0.5.333 is assigned to groups that might have PCs appear with the older version.

    Upload Symantec AntiVirus version 10.x log files has always been disabled.  I have never had any 10 clients.

    Hope that is of use, as I'm not sure where to go next.  I'm planning on just restoring the entire server from a backup before this happened if I can't figure this out.






  • 7.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 20, 2010 01:36 PM
    I ended up doing a system restore of the server.

    The CPU is now back to normal.

    Something that was interesting is that while I have a site replica server which has all the policies and settings just as this server does, the settings changed from 1/10 to today did not replicate back to this server after it was restored.

    I did tell the server to replicate, and I waited a long time.

    I would have suspected the policies to replicate from the other server.

    I still get the binary file error over and over.






  • 8.  RE: SEPM CPU 100% 11.0.5.333

    Posted Jan 20, 2010 05:47 PM
    Ah, I guess the UPN on the database prevents the restored replica from replicating.  The fix is here:

    http://service1.symantec.com/support/ent-security.nsf/docid/2009012006175748?Open&seg=ent