Today I had a strange problem regarding one of our IIS web servers. I had a complainant about some web applications that were having really bad performance. Note that the IIS was running under Windows Server 2008 R2 and protected with Microsoft Forefront Endpoint Protection. In such situations you would normally establish a RDP connection with the problematic server and check it’s performance. From the beginning I’ve seen that the RDP was working really slow and I could barely open Task Manager.
I then switched to the Performance tab in Task Manager and saw that the CPU was running at 100% capacity. One of the running processes caught my eye because it was constantly eating more than 50% of the processor’s capacity. The name of the executable was MsMpEng.exe which is the Microsoft Antimalware Service:
I know that this service is used by Microsoft FEP for protecting users from malware and other potentially unwanted software but, didn’t knew what was causing this behavior. I’ve tried using Process Explorer utility to analyze the problem but, didn’t helped too much. My salvage came when I used Process Monitor (by Sysinternals) to see what was going on behind this process. The antivirus software was trying to access the ServerManager.log and was locking the file:
This process was done over and over again so the CPU was constantly working at 100 percent. I’ve then added the path of the log file in the excluded file and locations section and the problem was finally fixed:
Now, when I open Task Manager, the overall CPU usage is in good parameters:
I’ve read about this problem over the Internet and some users were suggesting adding the following paths to the excluded files and location section:
C:\ProgramData\Microsoft\Microsoft Forefront Endpoint Protection 2010 Server Management
C:\Program Files\Microsoft Security Client\MsMpEng.exe
Note that these solutions didn’t worked in my situation and only adding the ServerManager.log file to the exclusion range fixed my problem. The same fixes can be applied to Microsoft Security Essentials running on Windows Desktop versions.
Hope you’ll find this article useful, for any misunderstandings post a comment in our dedicated section and I will try to respond as soon as possible. Don’t forget to enjoy your day and stay tuned for the following articles from IT training day.