High CPU % Utilization - Store.exe, Inetinfo, Antigen are top processe

DannoSV

Technical User
Jul 7, 2003
37
US
On Saturday the CPUs on our Exchange server started spiking. Store is now averaging 18-25%, but we are seeing spikes where the store is at 100+ %. This is a two proc box so the max is 200%.
Along with the store.exe (which is always the highest) the other top processes are AntigenRealTime and System. Here's a spec of one of the spikes:

Process Name % Processor Time
Store.exe 121.78
AntigenRealTime 20.80
System 15.59
inetinfo 2.07
AntigenInternet 1.94


Should I attribute this to Antigen?
There are no Errors or Warnings in the System or App logs during the spike times.
I mentioned that store.exe is averaging at 25% now, whereas before Saturday it was lower, not really any higher than 3%.

Full backups run on this box every day and never spike the CPU.

Any ideas?

Thanks
 
You know the easy answer? Turn off your virus scanner and see if the CPU usage drops. Especially if you only installed it recently, or something to do with it was updated recently. (I hope you don't have it updating signatures directly from the provider - they need testing on other servers first!)

If a scanner is running around doing things to incoming messages and scanning the virtual directory as well, it's going to hit store.exe. There may be some features you need to turn off or tweak to make it run better.

I also suggest you check the documentation to see how much RAM they recommend for the antivirus product. You might want to use some of the MS tools to run estimates of how much memory/CPU/disk capacity you need to support the number of mailboxes and message traffic you normally get. It may be that the [scan overhead]+[message traffic] is overloading your memory and the CPUs aren't able to keep up. I'd expect a lot of disk activity (paging) if that's the case. You don't mention what CPUs you have - I hope they're not just a couple of PII 350s!

Finally, if the AV hasn't been updated lately, I strongly suggest you do so - you might have been infected with something!
 
Thanks for your help!

I'll be disconnecting Antigen from the stores this weekend to see if that helps.

I actually restarted the box yesterday and although the store.exe process was down to ~3%, it returned to 20% when I arrived this morning.

We're running Antigen which provides modified versions of the DAT files from the providers.

This box has 2 procs and is a high-end server, pretty beefy.

Maybe you're on to something in respect to being infected. Maybe I should consider running a manual scan. But if there is a problem with Antigen, what would I be risking by doing this?
 
Danno,

It is pretty normal that the store.exe consumes 35-40% of CPU. Microsoft explains that the store process takes the most possible amount of CPU, and gives resources back if needed.

Of course, when hitting 100%, something is going wrong.
Maybe you can check if your exchange data folders (c or d or whatever driveletter:\exchsrvr\mdbdata, mtadata, logs) are excluded from the file scan. These files are controlled by the exchange aware agent.

Please give your feedback after your testing, so you can get more help if needed.

Regards,

Peter
 
I agree with Peter - if the Antigen is scanning the actual mdbdata files and not just the virtual M: drive, there could be some interactions going on there. I've certainly had to tweak virus scanners so that the mdbdata file scan is scheduled for once a day, and the M: drive scan is allowed to be dynamic on write.

There also might be a problem with the latest DAT file. Can you roll back to a previous release?

If you want to see if something else might have infected the server (which, actually, I don't really think would be your problem), you could try downloading a limited trial of another product. Sophos is good - you just need to fill in a form to download the product.
 
Agree with both Peter and Billie. I have Groupshield for Exchange 2000 and Enterprise Virus Scan (MCAFEE) and my store was hitting 100%...Turns out I did not have the many exclusions that needed to be set. Once the Exchange directories and files I needed to exclude were set I have no problems.
 
Zoeythecat,

What specific directories/files/folders did you have to exclude on Groupshield?
Thanks
 
Just check my reply a bit higher.

You should NOT exclude them from Groupshield, but from your normal file scanner (e.g. Netshield).

The groupshield scans only your EXCHANGE database.

Reg,

Pdt
 
Agree with PDT. Don't exclude anything from groupshield. You need to add Exchange Exclusions on your Netshield or your Virus Scan Enterprise product (whatever MCAFEE version you have that is protecting your files).

Check out this link for more information on what you need to exclude exactly.


Good luck.
 
Antigen does not scan the file system of the server; it scans messages only. It can be configured to scan messages passing through the SMTP connector and/or within the message store. The realtime scan scans messages being sent; it does not scan mailboxes. You can perform a manual scan against the contents of the mailboxes, but in general the idea is to make sure the mailboxes are not infected then ensure they stay uninfected through scanning all incoming messages. At any rate it does not scan drives or any part of the file system. If the Exchange server OS is infected, Antigen will not find that.
 
Time to have a chat with the Antigen folks. The SMTP transport sinks for their scanner run in inetinfo's memory space. Set up ADPlus and take a user dump. I bet all the threads are hanging on Antigen.
 
Are you supposed to run Netshield or Viruscan professional on an Exchange 2k box w/ Groupshield?
 
You can. You just need to exclude the exchange directories and groupshield directories as in nai25278.

 
I'm having a very similar problem, I have a small business server 2000 and have netshield scanning the server but have excluded:

C:\program files\Mcaffee
C:\program files\Network Associates
C:\program files\exchsrvr
M:
Groupshield is also running for scanning mail.

My CPU (2.2 Xeon) sits at 99% for store.exe and I have to reboot every 2 days.

Am I missing something?
 
We had this same problem. We called MS and paid the 245$. They told us that under no circumstances should the M: drive be scanned by any virus product. We adjusted the scan to exclude M: Problem gone. Cost me 245$, and now yours, for free.
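
Added example, not part of any post in this thread: a small check that a file-level scanner's exclusion list actually covers the Exchange folders named above (mdbdata, mtadata, logs) and the M: drive. The function names and the install roots are assumptions for illustration; the exclusion list is typed in by hand (it is not read from any product's configuration) and mirrors the one posted above.

```python
import ntpath  # Windows path rules, usable on any OS

def _norm(path):
    # Windows paths are case-insensitive; fold case and separators.
    p = ntpath.normcase(ntpath.normpath(path))
    # Treat a bare drive such as "M:" as the drive root.
    return p + "\\" if len(p) == 2 and p[1] == ":" else p

def is_covered(target, exclusions):
    """True if target equals, or lies beneath, one of the excluded paths."""
    t = _norm(target).rstrip("\\") + "\\"
    # Trailing separator stops "exchsrvr" from matching "exchsrvr2".
    return any(t.startswith(_norm(e).rstrip("\\") + "\\") for e in exclusions)

def required_paths(exchange_root):
    """Folders named in the thread under the Exchange root, plus M:."""
    folders = ("mdbdata", "mtadata", "logs")
    return [ntpath.join(exchange_root, f) for f in folders] + ["M:\\"]

def missing_exclusions(required, exclusions):
    """Return the required paths the file scanner would still touch."""
    return [p for p in required if not is_covered(p, exclusions)]

# Exclusion list as posted in the thread (spelling as typed there).
POSTED = [
    "C:\\program files\\Mcaffee",
    "C:\\program files\\Network Associates",
    "C:\\program files\\exchsrvr",
    "M:",
]

if __name__ == "__main__":
    # Hypothetical layouts: default install root vs. data moved to D:.
    for root in ("C:\\Program Files\\Exchsrvr", "D:\\exchsrvr"):
        gaps = missing_exclusions(required_paths(root), POSTED)
        print(root, "->", gaps or "all covered")
```

An exclusion on the install folder only helps if the databases and logs still live beneath it; when they have been moved to another drive, those locations need their own entries.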
 