Analyze AMP Diagnostic Bundle for High CPU
Available Languages
Contents
Introduction
This document describes the steps to analyze a diagnostic bundle from Advanced Malware Protection (AMP) for Endpoints Public Cloud on Windows devices to troubleshoot high CPU usage.
Contributed by Luis Velazquez and Edited by Yeraldin Sánchez, Cisco TAC Engineers.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Access to the AMP console
Components Used
The information in this document is based on these software and hardware versions:
- AMP for Endpoints Console 5.4.20200204
- Windows operating system devices
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Verify if another antivirus is installed on the machine
If another AV (antivirus) is installed, ensure the main process of the AV is excluded in the policy configuration
Identify if the high CPU happens when a specific application is in use
Identify if the issue happens while one application or a few of them are executed if you are able to replicate the issue helps in the process of identifying potential exclusions.
Gather diagnostic bundle for analysis
Enable Debug Log Level
In order to gather a useful diagnostic bundle, the debug log level must be enabled.
Debug Level in the endpoint
If you can replicate the issue and have access to the endpoint, below is the best procedure to capture the diagnostic bundle:
- Open AMP GUI
- Navigate to Settings
- Scroll to the bottom of AMP GUI and open Cisco AMP Connector Settings
- Click on Enable Debug Logging
- Debug Logging Status must change to Started. This procedure enables debug level until the next policy heartbeat, by default 15 minutes
Debug level in the policy
If you don't have access to the endpoint or the issue can't be reproduced consistently, the debug log level must be enabled in the policy.
In order to enable debug log level by policy navigate to Management > Policies > Edit > Advanced Settings > Connector Log Level and Management > Policies > Edit > Advanced Settings > Tray Log Level, then select Debug and save the policy, as shown in the image.
Reproduce the issue and gather a diagnostic bundle
When the debug level is configured wait till the state of High CPU happens on the system or manually reproduce the conditions previously identified and then gather the diagnostic bundle.
In order to collect the bundle navigate to C:\Program Files\Cisco\AMP\X.X.X (Where X.X.X is the latest AMP version installed on the system) and run the application ipsupporttool.exe this process creates a .7z file on the desktop named CiscoAMP_Support_Tool_%date%.7z
Make the analysis
There are two ways to analyze a diagnostic file:
- Diag_Analyzer.exe
- Amphandlecount.ps1
Diag_Analyzer.exe
Step 1. Download the application here.
Step 2. In the GitHub page, there is a README file with further instructions on usage.
Step 3. Copy the diagnostic file CiscoAMP_Support_Tool_%date%.7z on the same folder that Diag_Analyzer.exe is located.
Step 4. Execute the application Diag_Analyzer.exe.
Step 5. In the new prompt confirm if you want to get the exclusions from the policy with a Y or an N.
Step 6. The script result contains:
- Top 10 Processes
- Top 10 Files
- Top 10 Extensions
- Top 100 Paths
- All files
Amphandlecount.ps1
Step 1. Download the script amphandlecounts.txt from the bottom of this community post Review Scanned Files from AMP.
Step 2. In order to run the script in Windows, rename it to amphandlecount.ps1.
Step 3. For convenience copy amphandlecount.ps1 file to a folder of his own.
Step 4. Unzip the CiscoAMP_Support_Tool_%date%.7z file and identify the sfc.log's files on the path CiscoAMP_Support_Tool_2019_06_13_18_26_37\Program Files\Cisco\AMP\X.X.X .
Step 5. Copy the sfc.log's files on the amphandlecount.ps1 folder.
Step 6. Run amphandlecount.ps1 with PowerShell, then a window is opened and depending on the execution policy on the endpoint can ask for permission to run.
Step 7. Allow the PowerShell to finish (It might take some time, depending on how many sfc.log are in the folder) after the PowerShell finish, four files are created on the folder:
- data.csv
- results.txt
- sorted_results.txt
- terms.txt
Step8. The 4 new files contain the result of the analysis:
- data.csv: contains the full path of the files scanned and the father process which created/modified/moved the file
- results.txt: contains the list of processes that are scanned by AMP
- sorted_results.txt: contain the list of processes that are scanned by AMP with the most scanned process
- terms.txt: contains the name of processes scanned by AMP
Step 9. Filter the process name with high counts from the sorted_results.txt in the data.csv you can identify the parent process with its full path, and then proceed to add an exclusion to the policy in a custom list if it is trusted.
Processes to look:
- Cntrl + F on "data.csv" and search
- Path of the file scanned by AMP
- Path of the parent process that copy/moved/modified the file
Tune Exclusions
Once the processes or paths are identified, you can add them to the exclusion list that is linked to the policy applied on the endpoint, navigate to Management > Exclusions > Exclusion name > Edit, as shown in the image.
Submit the bundle for analysis to TAC
ATS TAC can help to troubleshoot these scenarios, if that is the case, please be ready to provide the next information upon case creation:
-
When does this issue start?
-
Is there any recent change?
-
Does the issue happen with a particular application?
-
If yes, which application?
-
-
Is there other Antivirus on the system?
- If yes, which antivirus?
- Collect a debug bundle while the issue is reproduced:
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)