High CPU use might occur with our processes on systems where either of the following options is enabled on Firewall rules that generate many events:
- Treat match as intrusion
- Log matching traffic
Examples of such rules include
DENY ALL or
ALLOW ALL, and our processes might include
MFEVTPS.EXE and
MFEESP.EXE.
The Event Viewer for the Windows Application Event Log might show a high number of
Event ID 3xxxx entries for the source
Trellix Endpoint Security. The entries contain details such as the following:
- EventID=35000
An access from <IP_address> matched the rule <firewall_rule_name> and was Allowed.
- EventID=35001
An access from <IP_address> matched the rule <firewall_rule_name> and was Allowed.
- EventID=35002
An access from <IP_address> violated the rule <firewall_rule_name> and was Blocked.
