When you modify five or more ENS ATP rules, the ATP cache is reset on every policy enforcement. This issue causes higher network traffic to the Global Threat Intelligence (GTI) cloud or Threat Intelligence Exchange (TIE) Server for file reputation requests. On the TIE Server, this issue can also cause a high CPU load.
Steps to verify whether you have this issue:
- Log on to the ePolicy Orchestrator (ePO) console.
- Go to Server Settings.
- Select Adaptive Threat Protection.
- Check whether there are more than four rules denoted with an asterisk. For example: observe* or enable*.
NOTE: The asterisk denotes the rules that have been modified from the default.
From the AdaptiveThreatProtection_Activity.log, where the repeated "Detected JTI configuration change, clearing JCM cache" entries show the cache being reset at each policy enforcement:
2022-02-09 09:30:45.782Z |Activity|Orchestrator |mfeatp | 10228| 8980|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
2022-02-09 09:35:30.326Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1087) | Configuring AAC policy
2022-02-09 09:35:30.342Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1123) | Adaptive Threat Protection is Enabled
2022-02-09 09:35:31.842Z |Activity|Orchestrator |mfeatp | 10228| 9628|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
2022-02-09 09:36:00.580Z |Activity|Orchestrator |mfeatp | 10228| 3500|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
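The console check above tells you whether enough rules are modified to trigger the issue; the log tells you how often the cache is actually being reset. The script below is an added example, not part of the original article or of the ENS product, that parses AdaptiveThreatProtection_Activity.log lines and counts the cache-clear entries per time window. The pipe-delimited field layout is inferred from the five lines quoted above, which are embedded as sample input; the 10-minute window and the threshold of two clears are assumptions chosen for illustration, not values from the article.

```python
"""Count ATP cache resets in AdaptiveThreatProtection_Activity.log.

Added example (not from the KB article or the product). The field layout is
inferred from the log lines quoted in the article; the window and threshold
used to flag repeated resets are assumptions.
"""
import sys
from datetime import datetime, timedelta

# Message the article identifies as the cache reset.
CACHE_CLEAR_MSG = "Detected JTI configuration change, clearing JCM cache"
# Policy enforcement marker visible in the quoted log.
POLICY_MSG = "Configuring AAC policy"

# The five log lines quoted in the article, used here as sample input.
SAMPLE_LOG = """\
2022-02-09 09:30:45.782Z |Activity|Orchestrator |mfeatp | 10228| 8980|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
2022-02-09 09:35:30.326Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1087) | Configuring AAC policy
2022-02-09 09:35:30.342Z |Activity|Orchestrator |mfeatp | 10228| 9628|OES |scan_orchestrator.cpp(1123) | Adaptive Threat Protection is Enabled
2022-02-09 09:35:31.842Z |Activity|Orchestrator |mfeatp | 10228| 9628|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
2022-02-09 09:36:00.580Z |Activity|Orchestrator |mfeatp | 10228| 3500|JTI |jti_native.cpp(687) | Detected JTI configuration change, clearing JCM cache
"""

# Field order inferred from the quoted lines (assumption).
FIELDS = ("ts", "level", "component", "process", "pid", "tid", "module", "source", "msg")


def parse_line(line):
    """Split one pipe-delimited log line into a dict; None if it does not fit."""
    parts = [p.strip() for p in line.split("|", maxsplit=8)]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%fZ")
    except ValueError:
        return None
    return rec


def parse_log(text):
    """Parse every well-formed line, silently skipping anything else."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def cache_clear_times(records):
    """Timestamps of every cache-clear entry, in chronological order."""
    return sorted(r["ts"] for r in records if r["msg"] == CACHE_CLEAR_MSG)


def max_clears_in_window(times, window=timedelta(minutes=10)):
    """Largest number of cache clears that fall inside any single window."""
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best


def assess(text, window=timedelta(minutes=10), threshold=2):
    """Summarise the log and flag it when clears cluster above the threshold."""
    records = parse_log(text)
    clears = cache_clear_times(records)
    peak = max_clears_in_window(clears, window)
    return {
        "lines": len(records),
        "cache_clears": len(clears),
        "policy_enforcements": sum(1 for r in records if r["msg"] == POLICY_MSG),
        "peak_in_window": peak,
        "flagged": peak >= threshold,
    }


if __name__ == "__main__":
    # Usage: python atp_cache_check.py [path/to/AdaptiveThreatProtection_Activity.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for key, value in assess(text).items():
        print(f"{key}: {value}")
```

Run it against the real log to get a count of resets per window; a high peak with few modified rules in the console points at something other than this issue, while a high peak together with five or more asterisked rules matches the symptom described above.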