This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dilian_Chernev
Collaborator
‎2017-08-09 12:15 AM
Jump to solution

Strange processes in R80.10 GW

Hi, 

I saw these processes eating my CPU, but didn't have idea what they are doing on the GW:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5215 admin 25 0 660 180 144 R 94 0.0 20198:16 /bin/cat /dev/urandom
5216 admin 18 0 1592 432 360 S 4 0.0 778:04.27 /usr/bin/tr -dc a-zA-Z0-9
5217 admin 18 0 1580 432 360 S 3 0.0 414:26.27 /usr/bin/fold -w 32

It seems they are working since from the installation. 

I made clean install of R80.10 GW 9 days ago and patched to Take 15.

Do you have any idea what these processes are doing?

Thanks

1 Solution

Accepted Solutions
Dilian_Chernev
Collaborator
‎2017-08-09 07:56 AM
In response to Timothy_Hall
Jump to solution

Thanks Tim, Andrej

Here is the pstree

It seems that scrubd is responsible for these processes, and scrubd is related to Threat Extraction blade. 

There is sk118353 which describes how to deal with this issue and solves my problem.

 

Thanks to Bogdan Tatomir for sharing resolution in this thread : https://community.checkpoint.com/thread/5144-r8010-threat-extraction-high-cpu-usage 

BR,

Dilian

View solution in original post

4 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2017-08-09 05:27 AM
Jump to solution

Need to see the Parent Process ID (PPID) of those strange processes to help figure out what they are, easiest way is to post output of command "pstree".

Or you can run "ps -ef", the first number shown is Process ID, second number shown is Parent Process ID (PPID).  Once you have PPID of the mysterious process try "ps -ef | grep PPID", then look at the parent process ID of that process, rinse, repeat...

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Andrejs__Андрей
Contributor
‎2017-08-09 06:02 AM
In response to Timothy_Hall
Jump to solution

or use other keys for ps command:

ps axwf -o pid,comm

--

ak.

0 Kudos
Dilian_Chernev
Collaborator
‎2017-08-09 07:56 AM
In response to Timothy_Hall
Jump to solution

Thanks Tim, Andrej

Here is the pstree

It seems that scrubd is responsible for these processes, and scrubd is related to Threat Extraction blade. 

There is sk118353 which describes how to deal with this issue and solves my problem.

 

Thanks to Bogdan Tatomir for sharing resolution in this thread : https://community.checkpoint.com/thread/5144-r8010-threat-extraction-high-cpu-usage 

BR,

Dilian

Andrejs__Андрей
Contributor
‎2017-08-10 04:01 AM
In response to Dilian_Chernev
Jump to solution

Thank You, Dilian!

excellent work!

--

ak.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events