Jump to content

Eset server security using 100% CPU


Recommended Posts

Hello,

 

I have a problem, that sometimes Eset services start using up all CPU. I look at the Eset logs and there is nothing written about anything blocked or scanned. Such occurances happen on randoms days. How do I stop, or find out, what is making eset use all the CPU?

Link to comment
Share on other sites

  • Administrators

Please install the Windows ADK (https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install).

When you notice a high CPU utilization by ekrn.exe, enable logging by running the following as an administrator:

wpr -start GeneralProfile -start Minifilter -filemode

After not more than 5 minutes, stop logging by running:
wpr stop EsetPerf.etl

 

Next collect logs with ESET Log Collector and add EsetPerf.etl to to the generated archive. Then upload the archive to a safe location and drop me a private message with a download link.

Link to comment
Share on other sites

Ok, will do.

Also, I don't know if this helps, but once I saw that Eset was using all the CPU, I tried to pause protection, but it gave me a message, that it will not pause, because a threat has just been neutralized.

Link to comment
Share on other sites

  • 1 month later...
  • Administrators
3 hours ago, Privus1 said:

I sent the requested files.

Could you please check if temporarily disabling or uninstalling this sw makes a difference?

CyberarmsIdsService.exe - a part of Cyberarms Intrusion Detection.

Link to comment
Share on other sites

I cannot do that.

 

The reason is that, the service is protecting the server from brute force attacks and automatically bans IPs that guess passwords incorrectly too many times.

 

Another thing, I can't turn it off even for testing, because that would leave the protection off for too long, since the 100% CPU issue happens randomly. It can happen next day or next month. While brute force attacks are happening daily.

Link to comment
Share on other sites

  • Administrators

It may not be needed. Looks like the problem is with generating dumps for a scan upon attack detection which was addressed in the firewall module currently available on the pre-release update channel. Please try switching to it at least for a while to confirm that it resolves the issue. Nevertheless, CyberarmsIdsService.exe was utilizing CPU more than ekrn so you may still notice a higher CPU utilization.

Link to comment
Share on other sites

  • Most Valued Members
2 hours ago, Privus1 said:

I cannot do that.

 

The reason is that, the service is protecting the server from brute force attacks and automatically bans IPs that guess passwords incorrectly too many times.

 

Another thing, I can't turn it off even for testing, because that would leave the protection off for too long, since the 100% CPU issue happens randomly. It can happen next day or next month. While brute force attacks are happening daily.

It's more better to bring a firewall or Windows Firewall to whitelist to certain IPs or a VPN IP to connect from to eliminate all the attacks, If it's not possible to do so , then using a firewall like pfSense , OPNSENSE , Fortinet , Palo-Alto etc... , can help take off the attacks with their intrusion prevention services that would block the attacks on the firewall level not the server level which is making the CPU run more and also might bring your server down , or with bad luck a breach could happen.

Link to comment
Share on other sites

2 hours ago, Nightowl said:

If it's not possible to do so , then using a firewall like pfSense , OPNSENSE , Fortinet , Palo-Alto etc... , can help take off the attacks with their intrusion prevention services that would block the attacks on the firewall level not the server level which is making the CPU run more and also might bring your server down , or with bad luck a breach could happen.

Supplementing the above, you want to block the brute force attacks at the network perimeter using a stand alone dedicated appliance. Not only is this a more effective way in doing so, but it will take the CPU load off of the server that is currently performing this activity.

Ref.: https://www.fortinet.com/products/next-generation-firewall

Edited by itman
Link to comment
Share on other sites

  • 3 weeks later...
On 1/5/2022 at 2:21 PM, Marcos said:

It may not be needed. Looks like the problem is with generating dumps for a scan upon attack detection which was addressed in the firewall module currently available on the pre-release update channel. Please try switching to it at least for a while to confirm that it resolves the issue.

How do I switch to pre-release?

Link to comment
Share on other sites

  • Administrators
1 hour ago, Privus1 said:

How do I switch to pre-release?

You will find this setting in the advanced setup -> update:

image.png

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...