Antivirus uses 50-100% CPU load: who is to blame?

 

Mcafee / Symantec / Trend / Kaspersky

German: Windows Prioritätsinversion

English: Windows Priority Inversion

 

FAQ / Questions

  • Whenever I log on to Windows 7/8/10/XP it is slow. Surely this is the antivirus?
  • Whenever I start a server, antivirus XX pulls 100% CPU load?
  • Why does the task/service "******.exe" need so much CPU load? If I uninstall/disable it, it is faster?
  • McAfee task needs % CPU time, why?
  • If I disable option Y in the antivirus it runs faster. So the antivirus is to blame.

Why

  • Every error/delay bug that a piece of software makes is then ADDED on top, performance-wise, by McAfee VSE/ENS or Symantec SEP. For example, in the healthcare sector there is software that pulls 400 files from a share when opening a logon dialog. The software is not updating, nor is it checking LDAP/DB etc. It is simply miserably programmed. This would not be so bad if it were installed with a Windows Installer package as an MSI and did not run from a share.
  • CPU load with respect to priority is handled by Windows. Even if the McAfee services or the scanner come with a "Low Priority", another task can affect them as soon as they handle the same resource. So any EXE that runs with HIGH priority can push up the others that are ahead of it in the queue (it is not the EXE itself but Windows that does this).
  • So: prio1.exe comes with PRIO HIGH and urgently needs something on a file share. Windows then also raises the priority of the antivirus tasks so that they finish whatever they are doing. The stupid thing is that these services are always doing something.

 

Solution

Find the software that is badly programmed and a) patch it, b) replace or eliminate it.

Conclusion

The antivirus is rarely to blame... At most ransomware, and the fact that in 2017 the antivirus may no longer have any exceptions.

 

WIKIPEDIA: https://de.wikipedia.org/wiki/Priorit%C3%A4tsinversion

Make it faster: that's how easy it is. And my meinesoftware.exe is the fastest: https://social.msdn.microsoft.com/Forums/vstudio/en-US/daae2f48-d2c9-44f1-b981-3d5397cf156c/how-to-change-the-application-priority?forum=netfxbcl (Whether other things are still running does not concern me...)

MSDN: https://msdn.microsoft.com/en-us/library/system.diagnostics.process.priorityclass.aspx

Dr. Dobb's Journal, Eric Bruno describes this (does anyone among today's hipster coders still know it?): http://www.drdobbs.com/jvm/what-is-priority-inversion-and-how-do-yo/230600008

 

Priority Inversion

 

https://msdn.microsoft.com/library/ms684831(v=VS.85).aspx

Priority inversion occurs when two or more threads with different priorities are in contention to be scheduled. Consider a simple case with three threads: thread 1, thread 2, and thread 3. Thread 1 is high priority and becomes ready to be scheduled. Thread 2, a low-priority thread, is executing code in a critical section. Thread 1, the high-priority thread, begins waiting for a shared resource from thread 2. Thread 3 has medium priority. Thread 3 receives all the processor time, because the high-priority thread (thread 1) is waiting for shared resources from the low-priority thread (thread 2). Thread 2 will not leave the critical section, because it does not have the highest priority and will not be scheduled.

The scheduler solves this problem by randomly boosting the priority of the ready threads (in this case, the low priority lock-holders). The low priority threads run long enough to exit the critical section, and the high-priority thread can enter the critical section. If the low-priority thread does not get enough CPU time to exit the critical section the first time, it will get another chance during the next round of scheduling.


Two examples from practice:

  • Whenever I log on to the system it is slow and the antivirus pulls 50% or 100% CPU time on one core? (Of 4/8 cores...)
  • Whenever I start a server, antivirus XX pulls 100% CPU load?

 

This is basically because WINLOGON runs with a PRIO of 13 and has permission to force OTHER tasks (Windows itself does this).

If, for example, an antivirus is then running that scans SERVICES and STARTUP files/keys for MBR malware, it is adjusted to a higher priority by the task behind it.

So it is NOT the antivirus that is slow, but the software that messes up the whole PRIO.

 

Here you can see the TASKS that run with a higher PRIO: WINLOGON so that everything works at LOGON, plus for example a Forticlient SSL VPN.
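The same view as the task manager screenshot, as an added PowerShell example that is not part of the original post: it lists every process whose base priority is above Normal, i.e. the candidates (WINLOGON at 13, a VPN client, ...) that end up dragging the antivirus threads they contend with up the queue. The threshold of 8 for Normal and the function name are assumptions of this example.

```powershell
# Added example (not from the original post): list processes whose base
# priority is above Normal (8). BasePriority is readable without a process
# handle, so protected processes (antivirus services, csrss, ...) still show up;
# PriorityClass needs a handle and is reported as n/a where access is denied.
function Get-ElevatedPriorityProcess {
    param(
        # Assumption: 8 is the Normal base priority; 13 is High (winlogon, csrss, dwm)
        [int]$Threshold = 8
    )
    Get-Process |
        Where-Object { $_.BasePriority -gt $Threshold } |
        Sort-Object BasePriority -Descending |
        Select-Object Name, Id, BasePriority,
            @{ Name = 'PriorityClass'; Expression = {
                try { $_.PriorityClass } catch { 'n/a (access denied)' }
            } }
}

# Run in an elevated PowerShell on the slow machine. On a client you will
# typically see winlogon, csrss and dwm at 13 plus whatever third-party
# software (VPN client, badly written line-of-business app) raised itself.
Get-ElevatedPriorityProcess | Format-Table -AutoSize
```

Anything in that list that is not a Windows component is the "prio1.exe" of the post: the one to take up with its vendor, not the antivirus.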

 

Exchange 2010 large Mailbox with 112 GB size found

The largest Exchange customer Mailbox seen to date? (People with large attachments who really have them business related)

Didn't even know that was possible?

A new top scorer was found on a Swiss Exchange 2010 not under maintenance. A busy female user of an advertising and printing office has 112 GIGABYTES in her Exchange mailbox.

The box has been running fine for over 4 years now.

 

  • Maybe the OST cache files would come into play once they migrate their local clients from spinning disk to smaller SSDs ;-) Her OST file would then fill the 128 GB SSD disks. Now I understand why some users don't like Cached Mode, from a 1st-level view.

 

The user has a true workload like this and her Recycle folder only shows 188 MB. We once saw an employee who had built an ARCHIVE SOLUTION under his RECYCLE folder in Outlook.exe. So cleaning out Recycle when you leave outlook.exe per GPO is not always a good solution.

Swiss record I guess?

# Largest mailboxes first. ASCII hyphens on -eq/-Descending (the copied line had typographic dashes);
# -ResultSize Unlimited because Get-Mailbox only returns the first 1000 mailboxes by default.
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Where-Object { $_.ObjectClass -eq "Mailbox" } | Sort-Object TotalItemSize -Descending | Format-Table @{label="User";expression={$_.DisplayName}},@{label="Total Size (MB)";expression={$_.TotalItemSize.Value.ToMB()}},@{label="Items";expression={$_.ItemCount}},@{label="Storage Limit";expression={$_.StorageLimitStatus}} -AutoSize

 

Running time of the Mailbox

Proof

UNINSTALL Internet Explorer 11 - IE11 - Uninstall IE 11 again

 

Sometimes you may need to uninstall Internet Explorer 11. It may get corrupt, or (which we hope not) you may need another browser.

99% of the websites run just fine if you understand corporate tools like "ENTERPRISE MODE" (http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx).

Also keep in mind that in the last leaked CIA Wikileaks (*1) papers all other browsers, and especially portable versions, were mentioned as DLL injectors. IE is managed by Group Policy in your company, so leave it as it is ;-) No, there is NO GPO for Chrome and Firefox.

 

Uninstall IE11 with the GUI (if you find it after 2 hrs in a list of 800 updates):

  1. Click the Start button, type Programs and Features in the search box, and then select View installed updates
  2. Under Uninstall an update, scroll down to the Microsoft Windows section
  3. Right-click Internet Explorer 11, click Uninstall, and then, when prompted, click Yes

Using batch:


FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Deinstalliere @fname && start /w pkgmgr /up:@fname /norestart /quiet"

 

Using the CLI with the WUSA tool:

wusa.exe /uninstall /kb:2841134 /quiet

Check our post on WUSA: http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

 

If you have a PRE-installed IE11 from Microsoft or some OEM brand (producer) then you may need to do additional steps to uninstall IE11.

1.    Cmd.exe (or the Run box): type regedit and hit Enter.

2.    Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

3.    Right-click on the Internet Explorer key, choose "New" and select "DWORD" value.

4.    Enter "InstalledByUser" as the name and hit "Enter" on your keyboard.

5.    Cmd.exe:

%windir%\ie11\spuninst\spuninst.exe
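The batch (FORFILES/pkgmgr) route and the OEM pre-install steps above, carried out from PowerShell as an added example that is not part of the original post. It uses the same package mask and pkgmgr switches as the FORFILES line, supports -WhatIf so you can list the package identities before removing anything, and sets the InstalledByUser DWORD without regedit. The function names, the DWORD value 0 (what regedit gives a new DWORD) and the 3010 "reboot required" exit code are assumptions of this example, not from the post.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
function Remove-IE11Package {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PackageDir = (Join-Path $env:WINDIR 'servicing\Packages'),
        # Same mask as the FORFILES line in the post
        [string]$Mask = 'Microsoft-Windows-InternetExplorer-*11.*.mum'
    )
    $manifests = @(Get-ChildItem -Path $PackageDir -Filter $Mask -File -ErrorAction Stop)
    if ($manifests.Count -eq 0) {
        Write-Warning "No IE11 package manifest matching '$Mask' found in $PackageDir"
        return
    }
    foreach ($m in $manifests) {
        # pkgmgr /up: takes the package identity, which is the .mum name without
        # extension (what FORFILES passes as @fname)
        $identity = $m.BaseName
        if ($PSCmdlet.ShouldProcess($identity, 'pkgmgr /up')) {
            $p = Start-Process -FilePath 'pkgmgr.exe' `
                -ArgumentList "/up:$identity /norestart /quiet" -Wait -PassThru
            [pscustomobject]@{
                Package  = $identity
                ExitCode = $p.ExitCode
                # Assumption: 0 = removed, 3010 = removed but reboot required
                Status   = switch ($p.ExitCode) { 0 { 'removed' } 3010 { 'reboot required' } default { 'failed' } }
            }
        }
    }
}

function Set-IE11InstalledByUserFlag {
    # Steps 2-4 of the OEM/pre-installed case, done without regedit
    $key = 'HKCU:\Software\Microsoft\Internet Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Assumption: value 0, i.e. the default a freshly created DWORD gets in regedit
    New-ItemProperty -Path $key -Name 'InstalledByUser' -PropertyType DWord -Value 0 -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'InstalledByUser' | Select-Object InstalledByUser
}

function Invoke-IE11SpUninstall {
    # Step 5: only exists on pre-installed (OEM) images
    $sp = Join-Path $env:WINDIR 'ie11\spuninst\spuninst.exe'
    if (-not (Test-Path $sp)) { Write-Warning "$sp not found: not a pre-installed IE11"; return }
    Start-Process -FilePath $sp -Wait
}

# Dry run first: shows the package identities that would be passed to pkgmgr
Remove-IE11Package -WhatIf
# Then for real (Windows Update path), or the OEM path:
# Remove-IE11Package
# Set-IE11InstalledByUserFlag; Invoke-IE11SpUninstall
```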

 

*1 Reference mentioned Wikileaks around 02/2017:

 

Our Links:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx

McAfee ENS 10.2/10.5 Uninstall Web Control fails

Uninstall McAfee Endpoint Security WEB Control module 10.2 on a 10.5 machine.

Error 1336: There was an error creating a temporary File (System Error Code 5)

Well, they once had it documented very well, WITH no solution...

https://kc.mcafee.com/corporate/index?page=content&id=KB87728&locale=en_US&viewlocale=en_US

C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\scripts

So we check with procmon what it means with that GUI message:

C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\scripts\TBD641B.TMP

Yes sure, write a file with TMP extension under a folder named scripts for uninstalling a product? No other malware software is on the system.

So do we exclude that path? Not the first time a McAfee product a) falls over product b) if you don't keep them all updated to the latest all the time.
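Before excluding anything, it helps to reproduce the one operation the installer fails on. As an added example that is not part of the original post, the following PowerShell tries to create and delete a .TMP file in the Web Control scripts folder from the post, reports whether that fails with access denied (Win32 error 5, HRESULT 0x80070005) and then prints the folder ACL so you can see which rule, or which self-protection, is in the way. The function name and the probe file name are assumptions of this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell,
# i.e. with the same rights the MSI uninstall would have.
function Test-InstallerTempWrite {
    param(
        # Folder from the post's procmon trace
        [string]$Folder = 'C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\scripts'
    )
    if (-not (Test-Path -LiteralPath $Folder)) {
        return [pscustomobject]@{ Folder = $Folder; Exists = $false; CanWrite = $null; HResult = $null; Error = 'folder missing' }
    }
    # Constructed probe name; the installer used a random name like TBD641B.TMP
    $probe = Join-Path $Folder ('PROBE-{0}.TMP' -f ([guid]::NewGuid().ToString('N').Substring(0, 6)))
    try {
        # Same pattern as the installer: create a temp file in that folder, then remove it
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        [pscustomobject]@{ Folder = $Folder; Exists = $true; CanWrite = $true; HResult = $null; Error = $null }
    } catch {
        # UnauthorizedAccessException carries 0x80070005 = Win32 error 5 (ERROR_ACCESS_DENIED),
        # the "System Error Code 5" from the GUI message
        [pscustomobject]@{
            Folder   = $Folder
            Exists   = $true
            CanWrite = $false
            HResult  = ('0x{0:X8}' -f $_.Exception.HResult)
            Error    = $_.Exception.Message
        }
    }
}

function Show-FolderAcl {
    param([string]$Folder = 'C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\scripts')
    (Get-Acl -LiteralPath $Folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

$result = Test-InstallerTempWrite
$result | Format-List
if ($result.CanWrite -eq $false) { Show-FolderAcl }
```

If the probe succeeds from an elevated shell but the uninstall still fails, the block is not an NTFS permission but something intercepting the installer process specifically, which is what the procmon trace in the post points at.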

Fail

So sometimes the Windows Installer is missing MS source files because noobs clear up space on a machine and delete all cached files. Well, McAfee has that in mind and puts the MSI files in a separate folder. But that also does not solve it.

So here are the MSIs to catch that:

Remove > FAIL

Repair > FAIL

Turn off all protection in Threat Protection > FAIL

Uninstall Platform and Threat Protection

Threat > OK > Uninstall Web > FAIL

Platform > No dependency

What's this, is this an HP BLADE server? Am I on a server?

Somehow after that message the "Web" part was gone. I am not sure when we succeeded, but we had to try several times after we uninstalled the Prevention part.

Magic has happened, it's all uninstalled:

This was a single installation. What if this happens in an enterprise with ePO? ;-(


Exchange 2013 LED 441 4.4.1 Mail Flow stuck because of a SELF-MADE Receive Connector done wrong

 

ERROR:

LED=441 4.4.1 Error encountered while communicating with the Primary Target IP address (Failed to connect. Winsock error code: 10060, Win32 error code 10060. Attempted failover to alternate host)

 

You see e-mail in the queue and have no e-mail flow on Exchange 2013:

This can have the following error sources:

  1. DNS settings of the NIC (server)
  2. DNS settings of Exchange itself (not the OS DNS, the one under /ECP)
  3. HIDDEN OLD NIC, e.g. replaced or in a VM
  4. RECEIVE CONNECTOR with DUPLICATE criteria (SELF-MADE, which mirrors built-in CRITERIA)

 

Here is how to resolve it in steps:

  1. Check if all AUTOMATIC services of Exchange are running (Exchange 2013 CAN take services DOWN if it thinks something is wrong)
  2. Restart the full Exchange or all *TRANSPORT* services
  3. Check your DNS settings in Exchange ITSELF (/ECP) and on your NICs (http://www.butsch.ch/post/Exchange-2013-451-470-Temporary-Server-errors-Please-Try-Again-Later-PRX.aspx)
  4. Check if you have hidden NICs (http://www.butsch.ch/post/W7-Show-hidden-Hardware-devices.aspx)
  5. Receive connector > Check all additional RECEIVE connectors and IF they have common criteria with the OTHER, built-in receive connectors. In the worst CASE both have MANY identical criteria; on your SELF-MADE one you may have to change from port 25 to 26. Test by removing the SELF-MADE receive connector and restarting Exchange. If mail flow is OK then it was the connector you made. (http://www.butsch.ch/post/Exchange-2007-2010-How-to-RELAY-ANONYMOUS-for-clients-or-Servers-(GermanEnglish).aspx) < THIS has not changed from 2007/2012 in terms of selection through criteria.


Look out for IP ranges which appear in a connector two times AND have the same settings for PORT, authentication etc. If Exchange DOES NOT KNOW WHICH receive connector to use, it will end up in a loop and may take down services in 2013 if this happens many times.
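The check in step 5 and the warning above, as an added PowerShell example that is not part of the original post: it takes the connectors' port bindings and RemoteIPRanges (as strings, the way Get-ReceiveConnector prints them: single IP, CIDR or low-high range), reports every pair of connectors that share a port and have overlapping remote ranges, flags exact duplicates, and can show which connectors would match one address, such as the other Exchange server from the post. The function names and the sample connector set are constructed for this example; the real data comes from Get-ReceiveConnector as shown at the end.

```powershell
# Added example (not from the original post).
function ConvertTo-UInt32Ip([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> host order
    [BitConverter]::ToUInt32($b, 0)
}

function ConvertTo-IpRange([string]$Spec) {
    # Accepts "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-e.f.g.h" (RemoteIPRanges.ToString() forms)
    if ($Spec -match '^(.+)-(.+)$') {
        $lo = ConvertTo-UInt32Ip $Matches[1]; $hi = ConvertTo-UInt32Ip $Matches[2]
    } elseif ($Spec -match '^(.+)/(\d+)$') {
        $base = ConvertTo-UInt32Ip $Matches[1]; $bits = [int]$Matches[2]
        $mask = if ($bits -eq 0) { 0 } else { (0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF }
        $lo = $base -band $mask
        $hi = $lo -bor ((-bnot $mask) -band 0xFFFFFFFF)
    } else {
        $lo = $hi = ConvertTo-UInt32Ip $Spec
    }
    [pscustomobject]@{ Spec = $Spec; Low = [uint32]$lo; High = [uint32]$hi }
}

function Find-OverlappingReceiveConnector {
    # $Connectors: objects with Identity, Bindings ('ip:port' strings) and RemoteIPRanges (strings)
    param([Parameter(Mandatory)][object[]]$Connectors)
    foreach ($a in $Connectors) {
        foreach ($b in $Connectors) {
            if ($a.Identity -ge $b.Identity) { continue }           # visit each pair once
            $portsA = @($a.Bindings | ForEach-Object { ($_ -split ':')[-1] })
            $portsB = @($b.Bindings | ForEach-Object { ($_ -split ':')[-1] })
            $shared = @($portsA | Where-Object { $portsB -contains $_ })
            if ($shared.Count -eq 0) { continue }                  # different ports never collide
            foreach ($ra in $a.RemoteIPRanges) {
                $x = ConvertTo-IpRange $ra
                foreach ($rb in $b.RemoteIPRanges) {
                    $y = ConvertTo-IpRange $rb
                    if ($x.Low -le $y.High -and $y.Low -le $x.High) {
                        [pscustomobject]@{
                            Port       = ($shared -join ',')
                            ConnectorA = $a.Identity; RangeA = $ra
                            ConnectorB = $b.Identity; RangeB = $rb
                            # Identical range + identical port is the "DUPLICATE criteria" case
                            Identical  = ($x.Low -eq $y.Low -and $x.High -eq $y.High)
                        }
                    }
                }
            }
        }
    }
}

function Get-MatchingReceiveConnector([object[]]$Connectors, [string]$Ip, [int]$Port = 25) {
    # Which connectors would accept a session from $Ip on $Port?
    $n = ConvertTo-UInt32Ip $Ip
    foreach ($c in $Connectors) {
        $onPort = @($c.Bindings | Where-Object { ($_ -split ':')[-1] -eq "$Port" })
        if ($onPort.Count -eq 0) { continue }
        foreach ($r in $c.RemoteIPRanges) {
            $rg = ConvertTo-IpRange $r
            if ($n -ge $rg.Low -and $n -le $rg.High) { [pscustomobject]@{ Connector = $c.Identity; Range = $r } }
        }
    }
}

# Constructed sample: the built-in frontend connector plus a self-made relay
# connector whose /24 also contains the other Exchange server (192.168.200.10)
$sample = @(
    [pscustomobject]@{ Identity = 'EX01\Default Frontend EX01'; Bindings = @('0.0.0.0:25'); RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
    [pscustomobject]@{ Identity = 'EX01\Relay SelfMade';        Bindings = @('0.0.0.0:25'); RemoteIPRanges = @('192.168.200.0/24') }
    [pscustomobject]@{ Identity = 'EX01\Client Frontend EX01';  Bindings = @('0.0.0.0:587'); RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
)
Find-OverlappingReceiveConnector -Connectors $sample | Format-Table -AutoSize
Get-MatchingReceiveConnector -Connectors $sample -Ip '192.168.200.10' -Port 25 | Format-Table -AutoSize

# On the real server (Exchange Management Shell) feed the live connectors instead:
# $live = Get-ReceiveConnector | Select-Object Identity,
#     @{ n = 'Bindings';       e = { $_.Bindings       | ForEach-Object { $_.ToString() } } },
#     @{ n = 'RemoteIPRanges'; e = { $_.RemoteIPRanges | ForEach-Object { $_.ToString() } } }
# Find-OverlappingReceiveConnector -Connectors $live
```

Every self-made connector on port 25 overlaps with the default frontend by definition, since that one covers all addresses; the rows to act on are the ones marked Identical, or where the self-made range swallows the other Exchange server so that server-to-server mail lands on a connector that was only meant for printers and application relay.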


Some sample connector criteria:

Sample of a wrong connector range which covers the "OTHER" Exchange server, which would have IP 192.168.200.10, so that Exchange would WRONGLY use this connector for INTERNAL MAIL FLOW (Exchange mail flow). Besides, this would open MAIL RELAY for the full VLAN segment in ransomware days.


Exchange Services:

Exchange Internal DNS