This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Frank_Aguilieri
Participant
‎2022-01-12 05:29 AM
Jump to solution

High CPU Consuming on Endpoint Security on Windows Server

Hello,

 

 

We have some Windows Server 2016 scenarios with high CPU usage by EndPoint Forensic Recorder service. Apparently this only happens on servers that have more simultaneous connections or more network traffic.

EPS.png

Endpoint version 86.10

Can someone help me?

 

Thanks

 
 
 
 
 

 

1 Solution

Accepted Solutions
rmsource_dotcom
Participant
‎2022-05-24 01:26 PM
Jump to solution

We had the exact same symptoms with one of our clients. The underlying issue was due to a network ACL blocking traffic. We initially found logs that indicated an issue with Forensics data not being uploaded. This pointed us towards checking connections from the CPHE clients with the Connectivity Tool ("C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Common\bin\CheckConnectivity.exe"). After seeing multiple fails we had our Network team whitelist the proper domains based off SK116590.

After adding the domains we no longer see CPU performance issues from the "Endpoint Forensic Recorder service". Hope this helps at least one person.

View solution in original post

27 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-01-13 03:19 AM
Jump to solution

Better contact CP TAC to discover the reason for this behaviour !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Frank_Aguilieri
Participant
‎2022-01-18 09:04 AM
In response to G_W_Albrecht
Jump to solution

Thanks  G_W_Albrecht

0 Kudos
the_rock
Legend
Legend
‎2022-01-18 09:30 AM
Jump to solution

I use E86.20 and had not seen this issue. Are you using just vpn endpoint or sandblast suite (harmony endpoint)?

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-09 01:53 AM
In response to the_rock
Jump to solution

This is EFRService.exe - Forensics Recorder, part of SandBlast...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-05-09 02:59 AM
In response to G_W_Albrecht
Jump to solution

In such cases we have sk178706 in particular for Exchange Servers...

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-09 03:15 AM
In response to Chris_Atkinson
Jump to solution

Please provide a link - sk178706 is not found...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-05-09 04:26 AM
In response to Chris_Atkinson
Jump to solution

Thanx - looks good...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
djhornby
Explorer
‎2022-02-10 11:13 PM
Jump to solution

Any update on this as I am seeing the same on some 2019 Servers.

0 Kudos
lucas-ferreira
Contributor
‎2022-02-12 06:18 AM
Jump to solution

Hey guys!

We were facing the same problem. In contact with Check Point's TAC, a developer generated a new EPS.msi where he disabled the Interface, and changed some parameters. Unfortunately he did not provide us with the commands executed to generate this (.msi).

The problem happened on Windows Servers 2012 and 2019, today I have the endpoints installed thanks to this file that the developer generated.

Because it is a Terminal Server (TS). The endpoint analyzed each connection that communicated with TS and ended up increasing the CPU a lot and even crashing to the point where we restarted the server.

CCSA
0 Kudos
rmsource_dotcom
Participant
‎2022-04-25 09:20 AM
Jump to solution

If anyone finds a solution please post as we are seeing same symptoms with a customer with same scenario. Happens everyday multiple times a day for last couple weeks. We have a TAC case open.

Chris_Atkinson
Employee Employee
Employee
‎2022-04-25 04:18 PM
In response to rmsource_dotcom
Jump to solution

Are you running E86.25 or newer?

CCSM R77/R80/ELITE
0 Kudos
Frank_Aguilieri
Participant
‎2022-04-26 10:28 AM
In response to Chris_Atkinson
Jump to solution

Hello Chris,

 

I am running 86.10 and 86.25

0 Kudos
Ruan_Kotze
Advisor
‎2022-05-09 09:22 AM
In response to Frank_Aguilieri
Jump to solution

Might be worthwhile testing version E86.40.  There is a fix for high CPU usage on Windows Servers.

 

 

 

0 Kudos
John_Richards
Contributor
‎2024-03-05 10:12 AM
In response to rmsource_dotcom
Jump to solution

Any luck finding a solution? We had a case open with TAC for 6 months. After much back and forth it seemed to improve somewhat. 3 months later and we are now back to square one (100% cpu on the recorder). We are opening another ticket with TAC today. Server exclusions, latest recommended version and following a number of SK's has not helped. Any ideas appreciated.

0 Kudos
djhornby
Explorer
‎2024-03-05 11:02 PM
In response to John_Richards
Jump to solution

What version are you running?

We were seeing this occasionally on random Machines (PC's & Servers) quick fix was a reboot.

87.31 & 87.51 has been quite stable though.

I'm currently trialling 88.1 & 87.57

0 Kudos
John_Richards
Contributor
‎2024-03-06 07:21 AM
In response to djhornby
Jump to solution

Thanks, we are on the latest "recommended DHS" version. It seems the only solution is to reboot (not a solution) or wait for another upgrade. I think we have tried 7-8 different versions over 6 months. We have reopened a TAC case.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-03-06 07:36 AM
In response to John_Richards
Jump to solution

This EFRService issue on MS Servers is ongoing for a long time now. Several customers complained during the last two years, and although R&D is fixing and excluding, the issue still can appear.

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
John_Richards
Contributor
‎2024-03-06 07:39 AM
In response to G_W_Albrecht
Jump to solution

I fully agree and Check Point should either say there is no fix or "fix it". I'll be escalating this high up the chain for a definitive answer.

0 Kudos
Frank_Aguilieri
Participant
‎2024-03-07 11:15 AM
In response to John_Richards
Jump to solution

Hello John,

 

When the TAC answer your ticket please post update for us.

 

Thanks

0 Kudos
asafebelo
Explorer
‎2024-07-02 02:46 PM
In response to John_Richards
Jump to solution

Hey, John.

Did you have a return for this case? I'm have same issue.

0 Kudos
John_Richards
Contributor
‎2024-07-02 04:38 PM
In response to asafebelo
Jump to solution

So this case was closed a while back. First and foremost you need to be on the latest build. At the time we applied E87.31. Below is th original fix from TAC. This may or may not be fixed in newer versions. The developer below is Check Point.

Files.db is a database that the EFRService uses. Normally a purging mechanism keeps the files size down as it shouldn't be even close to the size you saw, but for some reason it isn't working on your systems. The Developer wanted to look at the files size because they were seeing a lot of manipulation from the WPR we collected. There were fixes to how the files.db database is handled in the newer versions of the client, hence why the developer states that upgrading will fix this.

As for disabling self protections, the following steps are the best way:

  • The best way to disable self protections is to do the following:
  • Start an uninstall of the client
  • When it asks for the uninstall password do not enter it and open Task Manager
  • Go to the Details tab and then look for PassDialog.exe
  • Right click on it and choose to open file location
  • Cancel out of the uninstall
  • Open PassDialog.exe and it will ask for the uninstall password, once entered it will disable self protections
  • To reenable self protections you'll need to reboot the machine
the_rock
Legend
Legend
‎2024-07-02 05:15 PM
In response to John_Richards
Jump to solution

Amazing feedback.

Andy

0 Kudos
rmsource_dotcom
Participant
‎2022-05-24 01:26 PM
Jump to solution

We had the exact same symptoms with one of our clients. The underlying issue was due to a network ACL blocking traffic. We initially found logs that indicated an issue with Forensics data not being uploaded. This pointed us towards checking connections from the CPHE clients with the Connectivity Tool ("C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Common\bin\CheckConnectivity.exe"). After seeing multiple fails we had our Network team whitelist the proper domains based off SK116590.

After adding the domains we no longer see CPU performance issues from the "Endpoint Forensic Recorder service". Hope this helps at least one person.

AndrejMajer
Explorer
‎2024-12-19 06:15 AM
Jump to solution

We have same issue in 2024... so where is the fix

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top