11.7 Agent consuming CPU and memory on Windows Machines
Issue
After installing the 11.7 agent, you may see CPU and memory usage increase over time. The time range can be several hours to days, depending on the workload on the client machine. This issue affects various Windows versions. It is more pronounced on systems that run intensive network-based applications (machines used to collect SNMP traps, or other types of monitoring hosts). This behavior manifests even when the NW 11.7 agent is whitelisted by third-party anti-virus or other malware detection products.
Cause
NetWitness Engineering has determined that the cause of this issue is the introduction of Suspicious Thread Monitoring in the 11.7 Agent.
Workaround
There are two workarounds. The first is to switch the agent from Advanced to Insight Mode. The second is to disable the Suspicious Thread monitor by adding the code below to the Endpoint Agent Policy in the Advanced Configuration box
(UI -> admin -> Endpoint Sources -> Policies -> Available Settings -> Advanced Configuration).
{
  "trackingConfig": {
    "sentinelConfigOverride": true,
    "sentinelConfigValue": 891
  }
}
It is advisable to create a new group containing only 11.7 agents and assign it a new policy with the override added.
From observation in the field, the CPU will still remain high until the client machine is rebooted.
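The Advanced Configuration box holds a single JSON object, so pasting the override into a box that already contains settings produces invalid JSON unless the two are merged. The helper below, added here as an example and not part of the KB article or the NetWitness product, merges the override into whatever is already in the box without discarding existing keys and verifies the result. It assumes the box accepts one top-level JSON object; the "exampleExistingSetting" and "otherSection" keys in the sample are constructed placeholders, not real agent settings.

```python
import json

# Override from the KB article: sentinelConfigValue 891 with sentinelConfigOverride
# set to true disables the Suspicious Thread monitor in the 11.7 agent.
SUSPICIOUS_THREAD_OVERRIDE = {
    "trackingConfig": {
        "sentinelConfigOverride": True,
        "sentinelConfigValue": 891,
    }
}


def deep_merge(base: dict, override: dict) -> dict:
    """Return a new dict with override applied on top of base.

    Nested dicts are merged recursively so that existing keys under
    "trackingConfig" survive; scalar values in override replace base values.
    """
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def apply_override(existing_text: str) -> str:
    """Merge the override into the current Advanced Configuration contents.

    existing_text is the text currently in the box: empty, or a JSON object.
    Returns the merged JSON, pretty-printed, ready to paste back into the box.
    """
    existing = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(existing, dict):
        raise ValueError("Advanced Configuration must be a single JSON object")
    merged = deep_merge(existing, SUSPICIOUS_THREAD_OVERRIDE)
    return json.dumps(merged, indent=2)


def has_override(config_text: str) -> bool:
    """True if the JSON text carries the exact override the KB article specifies."""
    tracking = json.loads(config_text).get("trackingConfig", {})
    return (
        tracking.get("sentinelConfigOverride") is True
        and tracking.get("sentinelConfigValue") == 891
    )


if __name__ == "__main__":
    # Constructed sample of a box that already holds unrelated (hypothetical) settings.
    current = '{"trackingConfig": {"exampleExistingSetting": 1}, "otherSection": {"keep": true}}'
    result = apply_override(current)
    print(result)
    print("override present:", has_override(result))
```

Paste the printed JSON back into the Advanced Configuration box of the policy assigned to the 11.7-only group; rerunning `apply_override` on an already-patched box is harmless because the merge is idempotent.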
Resolution
At the time this KB article was published, there is no date for when a patch will be released. Engineering needs to consult with Microsoft for extensive testing (the issue is very difficult to reproduce in the lab), and once the fix is in the code, the driver portion of the agent must be signed by Microsoft.
Notes
Please note that once the hotfix has been released, this KB article will no longer be valid.
Internal Comments
KB article created on Dec 30, 2021
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Advanced Agent
RSA Version/Condition: 11.7.0.0
Platform: Windows
Summary
11.7 agent causing high CPU usage.
Approval Reviewer Queue
RSA NetWitness Suite Approval Queue