Endpoint Protection

  • 1.  SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 12:46 PM

    Hey, we added about 150 more machines to our SEPM on Saturday and this morning we are experiencing HIGH CPU utilization on the SEPM Server today. The process killing the server is sqlservr.exe. Yesterday (Sunday) everything was fine so I guess having some more machines come online this morning is pushing the box. Before I add more memory or processors to the server I wanted to get some feedback from everyone. We are set up in PULL mode at a 5-minute interval. Should I think about increasing that? We have 350 clients connected back to us now and will end up with roughly 500 when completing our rollout. Server is running VMware ESX 3.5i with 2 virtual CPUs assigned to it with 4GB of memory. OS is Windows Server 2008 R2 and SQL 2008.



  • 2.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 01:06 PM
    Our SEPM is virtualized with 4 virtual CPUs and 4GB RAM and handles about 5000 clients.  It seems to be doing fine (it is still Svr 2003 and SQL 2005).  I assume the VMware ESX host is not being taxed for resources by other VMs?  That said, our SQL server and the SEPM server are separate.  Did you install them on the same VM?


  • 3.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 01:11 PM
    The SEPM and SQL are on the same VM. I figured that I would be fine for 500-600 clients in this configuration. Server is still at 100% now after all clients have been started up for Monday morning at 9:00am EST. Occasionally the SQL process calms down. I tried restarting all the SEP / SQL related services; however, the CPU utilization just came right back up.


  • 4.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 01:32 PM
    Well, after rebooting the server this time it has calmed down substantially. I am not sure what it was up to. I will post back if it does this again. Weird!


  • 5.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 01:54 PM
     I suggest capping the resources that SQL is allowed to use. By default MS SQL will take all the resources that it can.


  • 6.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 02:14 PM
    Yeah, for your client total I think you should be fine.  Jeremy's suggestion of capping the SQL resources is probably all you need to do.


  • 7.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 02:46 PM

    Well, we figured out what the problem is. One of the machines that we managed picked up a bunch of threats and it is shipping the data back to our SEPM. Every time we click refresh on the main page the server goes nuts. Check out the screenshot. We cleared out the 50000+ detections from the machine sending the detections back to SEPM and they keep coming. I am not sure what to do.

    Capture8.PNG



  • 8.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 04:43 PM
     I recommend removing that machine from your network as soon as possible, in case one of the 50k threats is network aware.


  • 9.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 07:08 PM
    Well that would do it as well.  Yank the plug on that machine until you can reformat it or otherwise clean it up.


  • 10.  RE: SEPM Server pegged at 100% / SQL 2008

    Posted Feb 01, 2010 07:16 PM

    OK guys, here's what happened. This was a terminal server where a single user had 30k of zero kb .tmp files in their %temp% folder. A scan got kicked off on Saturday at 11:30pm and it got hung up on these 30k of .tmp files. I ran a SMC -stop and cleared all the temp files. Then cleared all the log files for Symantec and the quarantine then ran a smc -start. About 20 minutes later everything was fine on the server. Pretty interesting situation. Thanks for everyone's info. Good to know that our server is capable of supporting a lot more clients.
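
Added example, not part of the thread and not Symantec code: a sketch of the check that would have pointed at the terminal server directly, by flagging any client whose detection count inside a sliding time window dwarfs the rest. The row layout (host, timestamp, file path), the host names, paths and thresholds are all assumptions; the sample rows are constructed to mirror the situation described above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed rows: five quiet workstations plus one host reporting
    thousands of detections on .tmp files within an hour."""
    base = datetime(2010, 1, 30, 23, 30)
    rows = [("WS-%03d" % i, base + timedelta(minutes=i), r"D:\Data\doc%d.exe" % i)
            for i in range(1, 6)]
    rows += [("TS-01", base + timedelta(seconds=i),
              r"D:\Profiles\user7\Temp\t%05d.tmp" % i) for i in range(3000)]
    return rows

def find_flooding_hosts(rows, window=timedelta(hours=1), max_per_window=500):
    """Return {host: (peak detections in any window, dominant file extension)}
    for hosts whose peak exceeds max_per_window."""
    by_host = defaultdict(list)
    for host, ts, path in rows:
        by_host[host].append((ts, path))

    flagged = {}
    for host, events in by_host.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            # The dominant extension hints at the cause (here: temp files).
            exts = Counter(p.rsplit(".", 1)[-1].lower() for _, p in events)
            flagged[host] = (peak, exts.most_common(1)[0][0])
    return flagged

if __name__ == "__main__":
    for host, (peak, ext) in find_flooding_hosts(build_sample()).items():
        print(f"{host}: {peak} detections in one window, mostly .{ext} files")
```
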