MacDaddy

High Resource Utilisation

Is there any way to tune resource utilisation? This happens at startup and multiple times a day. I don't have any scans configured, and it is becoming a bit ridiculous.

version 7.0.2.11454


Hello MacDaddy,

Amp for Endpoints is Immunet's enterprise version but this forum is for Immunet Protect Free only. I would suggest you instead contact the support team for AMP regarding your issue.

Here's a URL where you can contact AMP's support. https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html

Best wishes, Ritchie...


Thanks Ritchie, as you know Immunet uses the 'Cisco AMP for Endpoints' scanning and detection engine, which is how it appears as the process on a Windows system. This is indeed an Immunet issue.


OK, I get what you're saying. I have a list of Domains & IP addresses that Immunet can sometimes use but that's a new one for me! Sorry about the confusion!

Instead of a dedicated Windows process (sfc.exe, iptray.exe, cscm.exe & freshclam.exe) this must be a new Domain or IP address that Immunet is using for DNS lookups. Unfortunately the direct IP addresses Immunet connects to aren’t necessarily long lived. They're generally only used in the case of DNS lookups failing continuously.

I would suggest you wait a day or two to see if the issue persists and if it does perhaps some troubleshooting might be called for. Would you be up for something like that?


Hi MacDaddy,

I have been testing Immunet and I have a few questions.

When do you see the high utilization? Is it when you run scans or open programs? Do you have any other AVs running that could be conflicting? Any more info will help out :)

I was also wondering if you have Clam enabled. Clam is resource heavy and for laptops, netbooks and the like it is suggested to turn it off. One thing you can try is to turn Clam off and see if that fixes it. You could also turn off monitor program start, especially for startup, since Immunet is checking every program starting, including core Windows components, from what I have noticed.

What kind of system are you running? I only wonder since the pic shows a lot of RAM usage.

Stay safe,

I face the same issue on my new T495 ThinkPad (16 GB RAM with AMD Ryzen 5 Pro 3500 CPU).

When it hits 100%, usually in the afternoon, my whole system slows down to a crawl. It comes unexpectedly too.

No scans are running, Windows Defender is turned off, and no other anti-malware / AV is installed.


Hi,

I also notice this - every single system I install it on, it will use ridiculous amounts of CPU for long periods of time. 

As far as I can see, the history-xxxx files are being read/written to continually causing insane amounts of I/O delay as sfc.exe will have 50+ instances open to the file.

In addition, I notice that sfc.exe will consume 1-2GB of RAM for hours doing whatever it is doing.

It essentially makes Immunet entirely unusable, I'm amazed more people haven't experienced or noticed this and haven't thus complained.

Vince
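
To answer the "when does it spike" question raised earlier in the thread with data, the following PowerShell sketch (an added example, not part of any post here and not Immunet tooling) samples every running sfc.exe and logs its CPU share, working set and total handle count to a CSV. The parameter names and output path are assumptions; run it from an elevated prompt, since the CPU time of a service process may otherwise be unreadable.

```powershell
# Added example: sample Immunet's sfc.exe so spikes can be tied to a time of day.
param(
    [string]$ProcessName     = 'sfc',                     # process named in the thread
    [int]   $IntervalSeconds = 5,
    [int]   $Samples         = 720,                       # 720 x 5 s = one hour
    [string]$OutFile         = "$env:TEMP\sfc-usage.csv"  # hypothetical output path
)

$cores    = [Environment]::ProcessorCount
$prevCpu  = @{}          # PID -> cumulative CPU seconds at the previous sample
$prevTime = Get-Date

for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $now     = Get-Date
    $elapsed = ($now - $prevTime).TotalSeconds   # real elapsed time, not the nominal interval
    $seen    = @{}

    foreach ($p in @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        $cpu = $p.CPU                            # $null when access is denied
        if ($null -eq $cpu) { continue }
        $seen[$p.Id] = $cpu

        # A PID needs two samples before a CPU delta can be computed.
        if (-not $prevCpu.ContainsKey($p.Id)) { continue }

        # Share of total machine CPU used by this instance during the interval.
        $pct = (($cpu - $prevCpu[$p.Id]) / ($elapsed * $cores)) * 100

        [pscustomobject]@{
            Time         = $now.ToString('s')
            PID          = $p.Id
            CpuPercent   = [math]::Round($pct, 1)
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB)
            Handles      = $p.HandleCount        # all handles, not only history-file handles
        } | Export-Csv -Path $OutFile -Append -NoTypeInformation
    }

    $prevCpu  = $seen
    $prevTime = $now
}
```

The resulting CSV gives timestamps for the CPU and RAM figures described in the post, which can be compared before and after disabling the ClamAV module or adding an exclusion.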


Hi Vince,

Sorry for the delay in responding but I've been dealing with my own issues with Immunet.

I've observed that excessive CPU usage by Immunet is usually caused by the ClamAV module being enabled and an installed software package a user has installed. Are you using any programs that very frequently or constantly write to disk such as a system backup/mirroring or Virtual Machine software? If so, maybe a custom exclusion rule or two could correct this issue for you.

Normally I would recommend, as an experiment, you turn off the Clam AV module to see if that has any beneficial effects. But there is a server issue going on right now that some people (including myself) can't seem to connect properly to the service which means that ETHOS & SPERO cloud lookups are not taking place.

So at the moment if you disabled ClamAV and are one of the folks experiencing this server issue too you could be essentially going without any protection at all with Immunet.

Best wishes, Ritchie...


I can't really test properly as I stopped using Immunet a few months back due to its sheer bugginess - can't complain, Immunet's offered gratis, so obviously Cisco can't devote many resources to it... however I did make a fresh install recently to test, and found this exact behaviour. I couldn't trace it, but it does remind me very much of the excessive hard-disk access problem that was so difficult to pin-down it went unfixed for a couple of years, around version 2.0/3.0.

As a bit of background: lots of users at the time reported their hard-disks being thrashed mercilessly, especially after Immunet had performed a full or custom scan. It would bring their computer to its knees, slowing everything to a complete crawl. The only users who didn't notice this problem were the (at the time) lucky few who could afford SSDs, as the increased disk performance was masking the problem. It turned out to be an issue with Immunet constantly updating/changing its history database (I think it's an internal cache of scanned files, so that it doesn't re-scan known clean files). Basically the way Immunet was handling this file was extremely sub-optimal or buggy. So the ironic thing is that performance was being severely reduced by a feature that was supposed to be an efficiency-improver!

From what little I could tell, the current performance issue appears to be in the same area, although it looks as much CPU as disk-related now.

With regards to running Immunet with just the ClamAV module... don't. If cloud-lookups are working, great. If they're not, you're relying solely on a signature-based detection engine with a detection rate of about 20% (own tests, sample of ~200 malware samples, ranging from about 2 years old to the present day, with last ~50-100 being current in-the-wild threats). Use Windows Defender until cloud lookups are working again. Or at least complement it with something like OSArmor or VoodooShield.

(Or if you're in the mood to tinker, write a batch file that uses curl (now part of Windows) to fetch the latest Sane Security and SecuriteInfo databases, stops Immunet, copies the files to the ClamAV dir, and restarts Immunet - This will give a static detection rate approaching that of something like Kaspersky, but of course won't have the latter's sophisticated system-watcher/behaviour blocker etc).
