
    softmon.exe CPU utilization after 8.8 SP4

    Rookie

      Hello, I wonder if anyone else has run into this. After we upgraded our Core from 8.8 SP3 to SP4 and our clients ran security scans which triggered vulscan self update, we've noticed that on ALL clients softmon.exe jumped from 0 to 8 - 50 % CPU utilization. We finally figured out that it was related to McAfee Virus Scan 8.7. McAfee is a standard antivirus on our campus and installed on all of our client computers (yes, all 9000 of them!!!).

       

      We tried to set up exclusions for all the LANDesk processes with no luck. At this point we are completely out of ideas. I should mention that I did open a case with tech support and they are looking into it. Meanwhile, we start taking more and more calls on this issue.

       

      I was wondering if anyone else has seen this and perhaps has a solution or a workaround.

       

      Thanks in advance.

        • 1. Re: softmon.exe CPU utilization after 8.8 SP4
          Rookie

          Hi winadmin

           

          We also run McAfee 8.7 and have just upgraded to LANDesk SP4. I have noticed our clients' softmon.exe using up around 20% CPU. Doing the same thing on XP SP3 and Vista clients. Looking into it now and will keep you posted.

           

          Cheers

          • 2. Re: softmon.exe CPU utilization after 8.8 SP4
            Rookie

            We are experiencing the same behavior regardless of whether we are using McAfee 8.5 or 8.7. I contacted LANDesk support and was informed that other customers on SP4 with McAfee are experiencing the same issue and that I needed to contact McAfee. I contacted McAfee and we attempted multiple exclusions, upgrades, etc. I ran a MERS report on 5/14 and sent it to McAfee; they are currently researching the issue. I became impatient today as McAfee has not called back and I realized that they put the ticket in as Non-Business Impacted. I have 2700+ systems with this issue, it is definitely business impacted. I called them back and am currently working with them again but it doesn't appear I am making any progress with McAfee. If you disable Access Protection Policy in the console then the Softmon CPU usage goes to normal but you are open to viruses.

            • 3. Re: softmon.exe CPU utilization after 8.8 SP4
              phoffmann SupportEmployee

              Could one of you guys try this (I'm having a theory, since it used to be a problem in the past).

               

              McAfee has this "process based monitoring" feature, right? I mean the one where - let's say vulscan kicks off - McAfee doesn't JUST scan vulscan, but also every file/registry-key that vulscan touches.

               

              Not terribly familiar with what McAfee call it, but it's the process-based scanning concept.

               

              Have you tried turning that off? That thing usually causes problems (though usually more when VULSCAN or LDISCN32 are running, as opposed to SOFTMON). That might help McAfee get on to the right track potentially?

               

              Not much, but it might be worth a shot?

               

              - Paul Hoffmann

              LANDesk EMEA Technical Lead

              • 4. Re: softmon.exe CPU utilization after 8.8 SP4
                Rookie

                Thanks for the response Paul. I have already provided that information to McAfee. When the "Enable Access Protection" is unchecked (disabling it) the CPU usage goes to normal. McAfee just had me submit another MERS report from a different system so that they can compare the two reports I have sent and see what is going on. What changes were made in Softmon between SP3 and SP4? Obviously there has to be something or users with SP3 prior would be having the same issue.

                • 5. Re: softmon.exe CPU utilization after 8.8 SP4
                  phoffmann SupportEmployee

                  Ah right - so it is that. Figures.

                   

                  To me, "access protection" reads "real-time scanning" (i.e. - the basic AV "scanning the files you touch" stuff), sorry for the confusion.

                   

                  There's a handful of fixes made for Softmon between 8.8 SP3 and 8.8 SP4 from what I can see, but those are mostly functionality fixes, no "new features" or some such.

                   

                  I suspect that - whatever it is - is likely to be an unexpected side-effect that somehow triggers something in McAfee to run into this problem. At a guess, they need to find out what gets kicked off on their side to cause the problem, at which point their devs can talk to our devs to look for this, that or the other, I suspect.

                   

                  Since it's definitely stemming from the process-based scanning, this is usually how such things are handled (that, or the AV-vendor figures out what is going on & fixes it on their side). That's usually how such things tend to go, at least.

                   

                  - Paul Hoffmann

                  LANDesk EMEA Technical Lead

                  • 6. Re: softmon.exe CPU utilization after 8.8 SP4
                    Rookie

                    What is the best way for me to get the devs from both sides in a discussion once I hear something from McAfee? It sounds like the two of you have been down this path in the past. Also another side note is that when testing exclusions I excluded the entire Progra~1\LANDesk and All Subfolders.

                    • 7. Re: softmon.exe CPU utilization after 8.8 SP4
                      phoffmann SupportEmployee

                      Well - once they know what's causing the problem on their side and if they need to then talk to our devs, we're actually pretty easy about doing this.

                       

                      You're a customer, so all you need to do is just raise a ticket - stating what the problem is, that McAfee's side has identified their part of the problem (or at least what's causing them to go CPU-heavy), and that they'd like to talk to our devs about it, as well as what the relevant McAfee details are (case number / names / phone #-s), and we take care of it from there.

                       

                      We try to keep this reasonably straightforward as such.

                       

                      We'll need to see whether they even need to talk to our devs at this point though, whilst that is an option, it's not necessarily a certainty.

                       

                      - Paul Hoffmann

                      LANDesk EMEA Technical Lead

                      • 8. Re: softmon.exe CPU utilization after 8.8 SP4
                        Rookie

                        Please keep in mind that we don't have LANDesk Antivirus and I have already verified that the registry keys are set to 0 for Antivirus. See McAfee's response.

                         

                        We investigated further and see that LANDesk is an Anti-Virus software package. It's not recommended to run two Antivirus solutions side by side. We suggest you call LANDesk to get support on configuring the LANDesk software not to query McAfee or Network Associates registry keys and try to modify them. According to the Process Monitor Log that's exactly what LANDesk is doing, therefore causing performance issues, and that would be expected. You may need to re-configure LANDesk not to try and change our registry keys.

                         
                        Let me know if you have any questions.
                         

                        Thanks,
                         
                        Shelly Khanna
                        McAfee Gold Support Engineer


                        • 9. Re: softmon.exe CPU utilization after 8.8 SP4
                          Rookie

                          We actually tried excluding all LANDesk processes from scanning in addition to LDClient folder with no luck. Here is the list of processes we tried to exclude:

                           

                          policy.client.invoker.exe

                          issuser.exe

                          tmcsvc.exe

                          residentagent.exe

                          softmon.exe

                          LocalSch.EXE

                          Console.exe

                          Vulscan.exe

                          Policy.sync.exe

                          LDISCN32.EXE

                          wscfg32.exe

                           

                          Please let me know if there is anything missing so we will add it to the list.

                          • 10. Re: softmon.exe CPU utilization after 8.8 SP4
                            Tom.Phillips Apprentice

                            We are having the same issue here. EPO 8.7 and LD 8.8 SP4. We just upgraded to SP4 last night and the PCs that have the new agent on them have softmon running at about 10-15 %. So far we have only rolled the SP4 agent out to Win 7 64 bit machines.

                             

                            An interesting side note... I took 2 identically imaged XP machines (in this case both VMs) and left one of them at LD 8.8 SP2a and upgraded the other agent to SP4. I ran Sysinternals (Microsoft's) Process Monitor on each, filtering on just softmon.exe. It looks like SP4 completely changes how softmon works. Take a look below at just a small snapshot of the output for each PC. I had to show 2 minutes on the SP2a agent since there really was not much data, but only showed a tenth of a second with the SP4 agent:

                             

                            With SP2a Agent (over a 2 minute time frame):

                            37:02.4 softmon.exe 2912 RegOpenKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS Desired Access: Query Value, Write DAC
                            37:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path SUCCESS Type: REG_SZ, Length: 68, Data: C:\Program Files\LANDesk\LDClient
                            37:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path SUCCESS Type: REG_SZ, Length: 68, Data: C:\Program Files\LANDesk\LDClient
                            37:02.4 softmon.exe 2912 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS
                            37:02.4 softmon.exe 2912 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Desired Access: Read
                            37:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData SUCCESS Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data
                            37:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData SUCCESS Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data
                            37:02.4 softmon.exe 2912 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS
                            37:02.4 softmon.exe 2912 QueryOpen C:\Documents and Settings\All Users\Application Data\vulScan SUCCESS CreationTime: 5/17/2010 5:12:10 PM, LastAccessTime: 5/19/2010 9:35:45 AM, LastWriteTime: 5/18/2010 7:25:18 PM, ChangeTime: 5/18/2010 7:25:18 PM, AllocationSize: 0, EndOfFile: 0, FileAttributes: D
                            37:02.4 softmon.exe 2912 QueryOpen C:\Documents and Settings\All Users\Application Data\vulScan\actionHistory.VAVP-DSK-LAN1.va.nreca.org.xml NAME NOT FOUND
                            39:02.4 softmon.exe 2912 RegOpenKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS Desired Access: Query Value, Write DAC
                            39:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path SUCCESS Type: REG_SZ, Length: 68, Data: C:\Program Files\LANDesk\LDClient
                            39:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path SUCCESS Type: REG_SZ, Length: 68, Data: C:\Program Files\LANDesk\LDClient
                            39:02.4 softmon.exe 2912 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS
                            39:02.4 softmon.exe 2912 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Desired Access: Read
                            39:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData SUCCESS Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data
                            39:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData SUCCESS Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data
                            39:02.4 softmon.exe 2912 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS
                            39:02.4 softmon.exe 2912 QueryOpen C:\Documents and Settings\All Users\Application Data\vulScan SUCCESS CreationTime: 5/17/2010 5:12:10 PM, LastAccessTime: 5/19/2010 9:35:45 AM, LastWriteTime: 5/18/2010 7:25:18 PM, ChangeTime: 5/18/2010 7:25:18 PM, AllocationSize: 0, EndOfFile: 0, FileAttributes: D
                            39:02.4 softmon.exe 2912 QueryOpen C:\Documents and Settings\All Users\Application Data\vulScan\actionHistory.VAVP-DSK-LAN1.va.nreca.org.xml NAME NOT FOUND

                             

                             

                            With SP4 Agent (over less than a tenth of a second time frame):

                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Program Files/LANDesk/LDClient/rcgui.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: E0 7B B0 01 10 00 00 00
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Program Files/LANDesk/LDClient/rcgui.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: E0 7B B0 01 10 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Program Files/LANDesk/LDClient/rcgui.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 80 A1 D6 01 10 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Program Files/LANDesk/LDClient/rcgui.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 80 A1 D6 01 10 00 00 00
                            39:01.6 softmon.exe 2108 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Program Files/LANDesk/LDClient/rcgui.exe SUCCESS
                            39:01.6 softmon.exe 2108 RegOpenKey HKLM\Software\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe SUCCESS Desired Access: Maximum Allowed
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Last Started SUCCESS Type: REG_BINARY, Length: 8, Data: B0 06 37 70 4C F7 CA 01
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 40 E7 BB 33 0C 00 00 00
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 40 7B 5D F8 11 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: E0 0C E2 33 0C 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: E0 A0 83 F8 11 00 00 00
                            39:01.6 softmon.exe 2108 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe SUCCESS
                            39:01.6 softmon.exe 2108 RegOpenKey HKLM\Software\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe SUCCESS Desired Access: Maximum Allowed
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe\Last Started SUCCESS Type: REG_BINARY, Length: 8, Data: F0 28 19 E4 57 F7 CA 01
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 00 C5 D9 BF 00 00 00 00
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 00 C5 D9 BF 00 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: A0 EA FF BF 00 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: A0 EA FF BF 00 00 00 00
                            39:01.6 softmon.exe 2108 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Documents and Settings/tpp0/Desktop/Procmon.exe SUCCESS
                            39:01.6 softmon.exe 2108 RegOpenKey HKLM\Software\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe SUCCESS Desired Access: Maximum Allowed
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe\Last Started SUCCESS Type: REG_BINARY, Length: 8, Data: 30 5D C5 E6 57 F7 CA 01
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: C0 90 2D BD 00 00 00 00
                            39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: A0 EC B9 76 06 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 60 B6 53 BD 00 00 00 00
                            39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 40 12 E0 76 06 00 00 00
                            39:01.6 softmon.exe 2108 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wbem/wmiprvse.exe SUCCESS
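
Added example (not part of the post above, and not LANDesk or McAfee tooling): a small Python parser for Process Monitor lines in the column layout quoted in the post, run over a few lines excerpted from the two captures, to quantify the difference in softmon.exe registry activity between the SP2a and SP4 agents. The function names and the 0.1-second floor used when every line carries the same timestamp are assumptions of this example.

```python
import re
from collections import Counter

# Column order as shown in the post: time, process, PID, operation, path, result, detail.
LINE_RE = re.compile(
    r"^(?P<time>\d+:\d+\.\d+)\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NAME NOT FOUND)(?:\s+(?P<detail>.*))?$"
)
MONITOR_LOG = "\\softwaremonitoring\\monitorlog\\"  # compared case-insensitively
RESOLUTION = 0.1  # assumption: timestamps in the post are shown to a tenth of a second

# Sample input: a few lines excerpted from the two captures quoted in the post.
SP2A_SAMPLE = r"""
37:02.4 softmon.exe 2912 RegOpenKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS Desired Access: Query Value, Write DAC
37:02.4 softmon.exe 2912 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Path SUCCESS Type: REG_SZ, Length: 68, Data: C:\Program Files\LANDesk\LDClient
37:02.4 softmon.exe 2912 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS
37:02.4 softmon.exe 2912 QueryOpen C:\Documents and Settings\All Users\Application Data\vulScan\actionHistory.VAVP-DSK-LAN1.va.nreca.org.xml NAME NOT FOUND
39:02.4 softmon.exe 2912 RegOpenKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS Desired Access: Query Value, Write DAC
39:02.4 softmon.exe 2912 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient SUCCESS
"""
SP4_SAMPLE = r"""
39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/Program Files/LANDesk/LDClient/rcgui.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 80 A1 D6 01 10 00 00 00
39:01.6 softmon.exe 2108 RegOpenKey HKLM\Software\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe SUCCESS Desired Access: Maximum Allowed
39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Last Started SUCCESS Type: REG_BINARY, Length: 8, Data: B0 06 37 70 4C F7 CA 01
39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 40 E7 BB 33 0C 00 00 00
39:01.6 softmon.exe 2108 RegQueryValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: 40 7B 5D F8 11 00 00 00
39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Current Duration SUCCESS Type: REG_BINARY, Length: 8, Data: E0 0C E2 33 0C 00 00 00
39:01.6 softmon.exe 2108 RegSetValue HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe\Total Duration SUCCESS Type: REG_BINARY, Length: 8, Data: E0 A0 83 F8 11 00 00 00
39:01.6 softmon.exe 2108 RegCloseKey HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\C:/WINDOWS/system32/wuauclt.exe SUCCESS
"""

def parse_line(line):
    """Split one flattened Process Monitor line into named fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def to_seconds(stamp):
    """Convert the 'MM:SS.s' time-of-day column to seconds."""
    minutes, seconds = stamp.split(":")
    return int(minutes) * 60 + float(seconds)

def monitored_exe(path):
    """Return the executable a MonitorLog subkey tracks, or None for other paths."""
    idx = path.lower().find(MONITOR_LOG)
    if idx < 0:
        return None
    return path[idx + len(MONITOR_LOG):].split("\\", 1)[0]

def summarize(text, process="softmon.exe"):
    """Count one process's events, registry writes and event rate in a capture."""
    events = [e for e in map(parse_line, text.splitlines())
              if e and e["proc"].lower() == process]
    if not events:
        return {"events": 0, "span_seconds": 0.0, "events_per_second": 0.0,
                "ops": Counter(), "writes": 0, "monitored": []}
    times = [to_seconds(e["time"]) for e in events]
    span = round(max(times) - min(times), 3)
    exes = {monitored_exe(e["path"]) for e in events} - {None}
    return {
        "events": len(events),
        "span_seconds": span,
        # A zero span means every line shares one timestamp: use the display resolution.
        "events_per_second": round(len(events) / max(span, RESOLUTION), 2),
        "ops": Counter(e["op"] for e in events),
        "writes": sum(e["op"] == "RegSetValue" for e in events),
        "monitored": sorted(exes),
    }

if __name__ == "__main__":
    for name, sample in (("SP2a", SP2A_SAMPLE), ("SP4", SP4_SAMPLE)):
        print(name, summarize(sample))
```

Run against a full capture, the same summary shows how many registry writes per second the on-access or access-protection component has to evaluate, which is a useful figure to attach to a vendor ticket.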

                            • 11. Re: softmon.exe CPU utilization after 8.8 SP4
                              phoffmann SupportEmployee

                              Michael,

                               

                              I think it'd help them if you would explain to them (or get them to look at this forum?) that "yes, whilst LANDesk *can* have an AV solution", it's *NOT* a point-product. It's a Management Suite (as the name indicates), and whilst AV is part of our offering, it's not something that necessarily every customer has.

                               

                              It's a bit like saying that "all the USA has is rocks", when in fact there's snow, trees, lakes and all sorts of other things, which have little to no relation to rocks, and in fact one can (sort of) be part of it without any rocks involved (granted, the comparison is somewhat crude, but gets the point across).

                               

                              ==================

                               

                              Tom,

                               

                              Interesting catch there - I don't exactly see how this would justify 20% CPU usage per se, but very definitely a starting point. I'll try to get a pair of eyes on to this, and see if there's anyone who knows why there would be such an increase in the registry accessing we do...

                               

                              I'm curious as to why McAfee doesn't live "happily" with the exceptions though ... would've expected that to be quite sufficient to be honest?

                               

                              - Paul Hoffmann

                              LANDesk EMEA Technical Lead

                              • 12. Re: softmon.exe CPU utilization after 8.8 SP4
                                phoffmann SupportEmployee

                                As an addendum...

                                 

                                ... could I ask that those of you who have logged this with the support folks at LANDesk, ask the relevant tech(s) to shoot me a quick mail about this?

                                 

                                This way at least I can try to keep everyone in the loop, and we don't have 1,000 different communication trails going on.

                                 

                                Most kind thanks.

                                 

                                - Paul Hoffmann

                                LANDesk EMEA Technical Lead

                                • 13. Re: softmon.exe CPU utilization after 8.8 SP4
                                  Tom.Phillips Apprentice

                                  I kind of thought that was weird too. We are excluding the process Softmon.exe from being scanned by the on-access scanner (and therefore it should exclude anything that softmon.exe is looking at I believe). I removed McAfee from the SP4 machine and the CPU usage dropped to 0 - 3% on softmon... and I would expect that sort of CPU usage since it is actually monitoring real time.

                                  • 14. Re: softmon.exe CPU utilization after 8.8 SP4
                                    Tom.Phillips Apprentice

                                    As someone stated above:

                                     

                                    If I leave Access Protection on but uncheck everything it is looking for under each category, softmon reduces CPU utilization to 5-8%. It is only if I disable it that I can get softmon CPU utilization to drop to 0-3%.

                                     

                                     

                                    So it has something to do with McAfee's Access Protection and LANDesk's Softmon.
