Thanks  G_W_Albrecht

This is EFRService.exe - Forensics Recorder, part of SandBlast...

In such cases we have sk178706 in particular for Exchange Servers...

Please provide a link - sk178706 is not found...

sk178706: Endpoint Security Client policy optimization for Microsoft Exchange Server 

Thanx - looks good...

Are you running E86.25 or newer?

Hello Chris,

I am running 86.10 and 86.25

Might be worthwhile testing version E86.40.  There is a fix for high CPU usage on Windows Servers.

Any luck finding a solution? We had a case open with TAC for 6 months. After much back and forth it seemed to improve somewhat. 3 months later and we are now back to square one (100% cpu on the recorder). We are opening another ticket with TAC today. Server exclusions, latest recommended version and following a number of SK's has not helped. Any ideas appreciated.

What version are you running?

We were seeing this occasionally on random Machines (PC's & Servers) quick fix was a reboot.

87.31 & 87.51 has been quite stable though.

I'm currently trialling 88.1 & 87.57

Thanks, we are on the latest "recommended DHS" version. It seems the only solution is to reboot (not a solution) or wait for another upgrade. I think we have tried 7-8 different versions over 6 months. We have reopened a TAC case.

This EFRService issue on MS Servers is ongoing for a long time now. Several customers complained during the last two years, and although R&D is fixing and excluding, the issue still can appear.

I fully agree and Check Point should either say there is no fix or "fix it". I'll be escalating this high up the chain for a definitive answer.

Hello John,

When the TAC answer your ticket please post update for us.

Thanks

Hey, John.

Did you have a return for this case? I'm have same issue.

So this case was closed a while back. First and foremost you need to be on the latest build. At the time we applied E87.31. Below is th original fix from TAC. This may or may not be fixed in newer versions. The developer below is Check Point.

Files.db is a database that the EFRService uses. Normally a purging mechanism keeps the files size down as it shouldn't be even close to the size you saw, but for some reason it isn't working on your systems. The Developer wanted to look at the files size because they were seeing a lot of manipulation from the WPR we collected. There were fixes to how the files.db database is handled in the newer versions of the client, hence why the developer states that upgrading will fix this.

As for disabling self protections, the following steps are the best way:

• The best way to disable self protections is to do the following:
• Start an uninstall of the client
• When it asks for the uninstall password do not enter it and open Task Manager
• Go to the Details tab and then look for PassDialog.exe
• Right click on it and choose to open file location
• Cancel out of the uninstall
• Open PassDialog.exe and it will ask for the uninstall password, once entered it will disable self protections
• To reenable self protections you'll need to reboot the machine

Amazing feedback.

Andy

What version?

E88.61