Loading...

Knowledge Center


High CPU utilization with lsass.exe and RSSensor.exe processes after installing the Rogue Sensor on a client
Technical Articles ID:   KB81168
Last Modified:  1/22/2018

Environment

McAfee Rogue System Detection (RSD) 5.x

Problem

You see high CPU utilization with both the lsass.exe and RSSensor.exe processes after installing the Rogue Sensor on a client.

When ending the RSSensor.exe process through Task Manager, the CPU utilization reduces on lsass.exe.

Specifically, this issue has been seen on Domain Controllers with the following settings configured within the Rogue System Detection policy on the Detection tab:
  • DHCP Monitoring is enabled
  • Device Details Detection is enabled
  • Run OS detection only against devices on these networks is selected but either no networks have been included, or a network was included that contains no DHCP server but is accessible from the Domain Controller on which the sensor is installed

Problem

You see many repeated occurrences of Event ID 36886 in the System Log within Windows Event Viewer, sometimes as many as 10 every second.
 
Event id 36886: No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the Internet information server, are not affected by this.

Cause

The Rogue System Detection policy is configured with invalid networks added within the Device Detection Details page.

Solution

If you experience this issue, log on to the ServicePortal and create a Service Request at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR. Include this article number in the Problem Description field.

Workaround

Modify the Device Detection Details settings for the Rogue System Detection policy to ensure the following is true:
  • Select the option to Use OS detection on all networks to determine detailed device information.
  • If the option Run OS detection only against devices on these networks is selected, ensure there are valid networks added to the list just below this option.
  1. Log on to the ePO console.
  2. Click Menu, Policy, Policy Catalog.
  3. Select Rogue System Detection from the Product drop-down list.
  4. Click the policy used in your environment for Domain Controllers configured for DHCP monitoring.
     
    NOTE: If there are multiple policies that meet this criteria, you must repeat the following steps for each policy.
  5. Click the Detection tab.
  6. If you use the Run OS detection only against devices on these networks option, remove any invalid networks from the list right below this option. Additionally, ensure there is at least one valid network specified that is accessible by the computer to which you have the sensor installed.
  7. Click Save.
  8. Send an agent wake-up call to your sensor computers.
     
    NOTE: After applying the policy to the sensor, you might have to restart the RSD sensor service.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.