How to limit CPU consumption during an on-demand scan
Technical Articles ID:
KB92346
Last Modified: 2023-03-15 10:39:04 Etc/GMT
Last Modified: 2023-03-15 10:39:04 Etc/GMT
Environment
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.6.x and later
Summary
Starting from ENSLTP 10.6.0, on-demand scanning supports CPU limitation. You can limit the CPU cycles between 25% and 100% during an on-demand scan (ODS) task.
The Linux kernel implemented CPU limitation from kernel version 2.6.24 onward. CPU limitation doesn't work with any distribution using kernel versions earlier than 2.6.24.
To verify the Linux kernel version, use the command below:
root@UBUNTU-ENSL:~# uname -r .
CPU limitation supports only default mounts provided bycgroup internally.
You can measure whether the CPU limit is applied by reviewing the output of the top command. For example, when you specify a CPU limit of 40% for an ODS task, it means that for a two-core system, you're providing a bandwidth of 40% and an overall CPU usage availability of 200%. So, the top command shows the CPU usage for the ODS task going up to 80%; it also shows the CPU usage for each core separately.
To verify how many CPUs are configured, use the command below:
root@UBUNTU-ENSL:~# echo "CPU threads: $(grep -c processor /proc/cpuinfo)" .
When troubleshooting CPU limit-related issues, review the following log files:
The Linux kernel implemented CPU limitation from kernel version 2.6.24 onward. CPU limitation doesn't work with any distribution using kernel versions earlier than 2.6.24.
To verify the Linux kernel version, use the command below:
CPU limitation supports only default mounts provided by
You can measure whether the CPU limit is applied by reviewing the output of the top command. For example, when you specify a CPU limit of 40% for an ODS task, it means that for a two-core system, you're providing a bandwidth of 40% and an overall CPU usage availability of 200%. So, the top command shows the CPU usage for the ODS task going up to 80%; it also shows the CPU usage for each core separately.
To verify how many CPUs are configured, use the command below:
When troubleshooting CPU limit-related issues, review the following log files:
/var/McAfee/ens/log/tp/mfetpd.log - Look for errors that might indicatecgroup- related issues./opt/isec/ens/threatprevention/var/odsreport/ - This directory contains the ODS logs with the task name listed.
Problem
An ODS task consumes high CPU.
Solution 1
To limit CPU consumption using the CLI (Linux Terminal), perform the steps below:
- Log on to the Linux Terminal with root user access.
- Navigate to
/opt/McAfee/ens/tp/bin/ (10.6.6 or later, including 10.7.x) or/opt/isec/ens/threatprevention/bin (10.6.5 or earlier). - Add the ODS task using the following command. Only values between 25 and 100 are allowed for the CPU limit.
For version 10.6.6 or later, including 10.7.x:./mfetpcli --addodstask --name <name>--scanpath <path>--setmaxcpulimit
For version 10.6.5 or earlier:./isecav --addodstask --name <name>--scanpath <path>--setmaxcpulimit <CPU limit between 25% and 100%>
Example:
./mfetpcli --addodstask --name ADDCPULIMIT-ODSTask --scanpath / --setmaxcpulimit 25
ODS Task was successfully added
- Confirm that the task is successfully added:
For version 10.6.6 or later, including 10.7.x:./mfetpcli --listtasks
For version 10.6.5 or earlier:./isecav --listtasks --------------------------------------------------------------------------------------------------------------- |Index Task Name Task Type Task Status Last Run --------------------------------------------------------------------------------------------------------------- |1 quick scan ODS Completed Wed Jan 22 00:0 |2 full scan ODS Completed Mon Jan 20 00:0 |3 Default Client Update task DAT and Engine Update Completed Wed Jan 22 00:1 |4 ADDCPULIMIT-ODSTask ODS Not Started Not Applicable - Start the task:
For version 10.6.6 or later, including 10.7.x:./mfetpcli --runtask --index 4
For version 10.6.5 or earlier:./isecav --runtask --index 4
Task was successfully started
- Verify the status of the task:
For version 10.6.6 or later, including 10.7.x:./mfetpcli --listtasks
For version 10.6.5 or earlier:./isecav --listtasks --------------------------------------------------------------------------------------------------------------- |Index Task Name Task Type Task Status Last Run --------------------------------------------------------------------------------------------------------------- |1 quick scan ODS Completed Wed Jan 22 00:0 |2 full scan ODS Completed Mon Jan 20 00:0 |3 Default Client Update task DAT and Engine Update Completed Wed Jan 22 00:1 |4 ADDCPULIMIT-ODSTask ODS Running Wed Jan 22 19:0 --------------------------------------------------------------------------------------------------------------- - Validate the CPU limit. Run the
top command when the ODS task is running:
top - 19:11:08 up 123 days, 7:13, 2 users, load average: 1.76, 0.59, 0.34 top - 19:12:21 up 123 days, 7:14, 2 users, load average: 1.33, 0.65, 0.38 Tasks: 192 total, 1 running, 109 sleeping, 0 stopped, 0 zombie %Cpu(s): 25.3 us, 1.7 sy, 0.0 ni, 72.8 id, 0.0 wa, 0.0 hi, 0.2 si, 0.0 st KiB Mem : 4040060 total, 181436 free, 688572 used, 3170052 buff/cache KiB Swap: 2097148 total, 2097148 free, 0 used. 3060852 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 9143 root 20 0 1589996 354116 16620 S 49.0 8.8 1:27.76 ODS Manager 29098 root 20 0 1449768 75432 34380 S 6.3 1.9 19:44.25 isectpd 9165 root 20 0 42020 3860 3192 R 0.7 0.1 0:00.34 top 9159 root 20 0 1514860 138304 12396 S 0.3 3.4 0:00.78 ODS Collector 1 root 20 0 78132 9368 6732 S 0.0 0.2 1:12.73 systemd
Solution 2
To limit CPU consumption using ePolicy Orchestrator (ePO), perform the steps below:
- Log on to the ePO console.
- Navigate to the Extension page. Make sure that the extension for ENSL 10.6.0 (or later) is checked in and is in a running state.
- Navigate to the Client Task Catalog, and under Endpoint Security Threat Prevention, create a new ODS custom task.
- Name the ODS task. In this example, we name the task
ADD CPU-LIMIT USING EPO - 25 . - Deselect the options for Windows only. These options aren't applicable to Linux systems.
- Go to the Scan Locations column and select File or Folder from the Specify Locations drop-down list. In the Location field, type the path that you want to scan. In this example, we specify
/ to scan everything on the Linux system. - Select the Scan Anytime option in the Scheduled Scan Options column.
- Go to the performance section and select Limit CPU Usage. This option is available only when Scan Anytime is selected.
- Specify the CPU limit in the Percentage field; only values between 25 and 100 are allowed. The default value is 80%. In this example, we specify 25%.
- Select other options for the on-demand scan task as needed and save the task.
2020-01-22 18:34:06.830 (10171.10171) policy.Info: Enforcing Policies for EPOAGENT3000
2020-01-22 18:34:06.830 (10171.10171) policy.Info: Agent finished Enforcing policies
2020-01-22 18:34:06.830 (10171.10171) ioservice.Info: IO service received the message.
2020-01-22 18:34:06.831 (10171.10171) ioservice.Info: IO service received the message.
2020-01-22 18:34:06.985 (10171.10171) ioservice.Info: IO service received the message.
2020-01-22 18:34:07.048 (10171.10171) scheduler.Info: Next time(local) of task ADD CPU-LIMIT USING EPO - 25: 2020-01-22 18:34:10
2020-01-22 18:34:08.725 (10171.10171) ioservice.Info: IO service received the message.
2020-01-22 18:34:10.020 (10171.10171) scheduler.Info: Scheduler: Invoking task [ADD CPU-LIMIT USING EPO - 25]...
2020-01-22 18:34:10.020 (10171.10171) scheduler.Info: The task ADD CPU-LIMIT USING EPO - 25 becomes active
/var/McAfee/agent/logs/masvc_systemname.log:2020-01-22 18:34:10.020 (10171.10171) scheduler.Info: Scheduler: Invoking task [ADD CPU-LIMIT USING EPO - 25]...
/var/McAfee/agent/logs/masvc_systemname.log:2020-01-22 18:34:10.020 (10171.10171) scheduler.Info: The task ADD CPU-LIMIT USING EPO - 25 becomes active
To validate the CPU limit, run the
top - 20:03:00 up 123 days, 8:05, 2 users, load average: 1.15, 0.26, 0.09 Tasks: 191 total, 1 running, 109 sleeping, 0 stopped, 0 zombie %Cpu(s): 29.1 us, 1.7 sy, 0.0 ni, 69.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st KiB Mem : 4040060 total, 169044 free, 678440 used, 3192576 buff/cache KiB Swap: 2097148 total, 2097148 free, 0 used. 3070984 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 9187 root 20 0 1590032 351824 15832 S 49.5 8.7 0:05.62 ODS Manager 29098 root 20 0 1449836 75396 34380 S 13.6 1.9 20:29.97 isectpd 1 root 20 0 78132 9368 6732 S 0.0 0.2 1:12.75 systemd 2 root 20 0 0 0 0 S 0.0 0.0 0:01.02 kthreadd
Affected Products
Languages:
This article is available in the following languages:
