SBS 2011 CPU pegged at 100%

stick1977

See attached, I don't get it. It's not just one process, it's like 20 different processes all using a little bit of the processor.

One of the svchost.exe cycle eaters was associated with Event viewer so saved then cleared the logs. That actually helped for a bit but before long it was up to 100% again.

raw_agent_svc.exe is associated with the Datto box that's providing Business Continuity, I hope I don't have to spin that up due to this.

New server since July, PowerEdge T320 with 16 GB RAM, 8 core Xeon.

I've rebooted the Datto and have triggered an uninstall of AVG internet security business edition. Machine runs Exchange 2010 with about 30 mailboxes and is the file server.

Any recommendations would be great. Thanks so much in advance.
 

Attachment: SBS high CPU.jpg

Yup that's my first question too.....what do you have for exclusions and file types? There are typically 2x big things you do to tweak an antivirus program to run on a server.
*Change from "ALL FILE EXTENSIONS" to the limited set
*Create all of the correct exclusions of directories, of which SBS has a TON of them....you have a huge list of exclusions to put in there.

I have a thread on it I created a while ago...
http://www.technibble.com/forums/showthread.php?t=36936&highlight=antivirus+exclusion

I hate AVG with a passion, I see it cause enough performance issues on end users computers....I'd rather beat my head against a brick wall till my forehead gushes out blood before trying to tackle it on a server.

What is the hard drive setup? Specifically...what are the HDDs...SATA or SAS? How are they set up in volumes? What is doing the RAID? If it's SATA RAID with a single volume...then yeah the server will perform like a dog when performing tasks.

How many users? What kind of mail flow? How big is the info store? If multiple volumes...where is the infostore located? If multiple volumes..is there a system managed pagefile on both?
 
My AVG uninstall from Kaseya never ran. I don't believe exclusions were ever set so I'll do that but guess what. Neither myself nor my server guy applied any fixes yet CPU is normal now. Go figure.

Thanks guys I'll set the exclusions. I don't believe any have been set yet. And yes I hate AVG too. Kaseya only offers two types of AV, AVG and Kaspersky. We actually had Kaspersky first but didn't stick with it because on each PC we installed on it would say "8 inactive detections" or "16 inactive detections" and there was no way to get that to stop. So now we're on AVG. Anywho I wish we stayed with Kaspersky now, I've had many problems with AVG free in the past like the IE add-in that disabled PDFs to display in browser and once a memory leak.

Thanks I'll set the exclusions.
 
Go into the logs and check the security log and see if the machine is being hammered. We had a server where we really couldn't see what was eating the machine but so much traffic was slamming various login functions from the Ukraine, Russian Federation, China, etc. When we put broad swaths of IP deny stuff in IPsec the CPU use dropped dramatically.
 
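One way to run the Security log check suggested in the post above, as an added example that is not part of the original thread: it counts failed logons (event ID 4625) per source address. The function names, the constructed sample events and the documentation-range addresses are assumptions for illustration.

```powershell
# Added example: count failed logons (Security event ID 4625) per source address.
# Takes one XML string per event, as returned by ToXml() on Get-WinEvent records.
function Get-FailedLogonSummary {
    param([string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        # Flatten <EventData><Data Name='...'>value</Data> into a name/value table.
        $data = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{ Source = $data['IpAddress']; User = $data['TargetUserName'] }
    }
    # Many failures from one address across many account names suggests password guessing.
    $rows | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Source   = $_.Name
            Failures = $_.Count
            Users    = @($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique).Count
        }
    }
}

# Hypothetical helper: builds a constructed 4625 event with only the fields used above.
function New-SampleEvent($ip, $user) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>4625</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$user</Data><Data Name='LogonType'>3</Data>" +
    "<Data Name='IpAddress'>$ip</Data></EventData></Event>"
}

# Constructed sample input (not real log data) so the script runs offline.
$sample = @(
    New-SampleEvent '203.0.113.7'   'administrator'
    New-SampleEvent '203.0.113.7'   'admin'
    New-SampleEvent '203.0.113.7'   'backup'
    New-SampleEvent '203.0.113.7'   'administrator'
    New-SampleEvent '198.51.100.20' 'jsmith'
)
Get-FailedLogonSummary $sample | Format-Table Source, Failures, Users -AutoSize

# Live use on the server, from an elevated prompt, covering the last 24 hours:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
#             StartTime = (Get-Date).AddHours(-24) } | ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary $live | Format-Table Source, Failures, Users -AutoSize
```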
Go into the logs and check the security log and see if the machine is being hammered. We had a server where we really couldn't see what was eating the machine but so much traffic was slamming various login functions from the Ukraine, Russian Federation, etc. When we put broad swaths of IP deny stuff in IPsec the CPU use dropped dramatically.

Yeah that's another good idea since IIS won't start at the moment. Bouncing the server now but will check those logs. Thanks.
 
Go into the logs and check the security log and see if the machine is being hammered. We had a server where we really couldn't see what was eating the machine but so much traffic was slamming various login functions from the Ukraine, Russian Federation, China, etc. When we put broad swaths of IP deny stuff in IPsec the CPU use dropped dramatically.

Hence why a UTM appliance should be at the edge. Block that crap on separate dedicated hardware, never touches the server.
 
Perhaps but if your machines are located at a server farm or server hosting facility you might not be able to do this.

Not really true...co-lo facilities give you an IP or range of IPs...what you put behind them is up to you...granted though most of the better co-lo's run at least some basic ACL's against attacks. But it's still smart to protect your own server(s) at a co-lo.

However..the OP has Small Business Server. That's designed for the SMB....to be local on the network. Hardly ever see SBS co-lo'd somewhere..and even if so, refer back to first paragraph.
 
Not really true...co-lo facilities give you an IP or range of IPs...what you put behind them is up to you...granted though most of the better co-lo's run at least some basic ACL's against attacks. But it's still smart to protect your own server(s) at a co-lo.

I have been running many servers in different data centers around the country for years and they do not prevent typical protocol or service based attacks. You must provide your own firewalls and/or rules on servers to prevent the types of attacks I am talking about. This is true for Windows or *NIX based servers.

If colo or hosting shops did their own restriction without approval from the client they would be setting themselves up for a lawsuit.
 
I have been running many servers in different data centers around the country for years and they do not prevent typical protocol or service based attacks. You must provide your own firewalls and/or rules on servers to prevent the types of attacks I am talking about. This is true for Windows or *NIX based servers.

If colo or hosting shops did their own restriction without approval from the client they would be setting themselves up for a lawsuit.

Have also co-lo'd in data centers...as well as resold for them, partnerships...and some DO indeed provide basic ACLs...been there watching their techs edit/update those ACLs with my very own eyes many times. You're trying to tell me hosting centers do nothing to prevent their clients from getting probed by worms that exploit DCOM 'n SQL 'n IIS, and do nothing to protect their hosts from DDoS attacks? It's smart...nothing to do with setting up for lawsuits. Don't have experience with budget ones though...they prolly don't...but then again I hold the bar higher than most.
 