Knowledge Center

Enabling Endpoint Security Firewall 'Treat match as intrusion', or 'Log matching traffic' logging options, might cause high CPU usage
Technical Articles ID:   KB90177
Last Modified:  6/21/2019


McAfee Endpoint Security (ENS) Firewall 10.x


High CPU usage might occur with McAfee processes on systems that use ENS, and where the Treat match as intrusion or the Log matching traffic option is enabled on Firewall rules that generate many events. Examples of such rules include DENY ALL or ALLOW ALL, and the McAfee processes might include MFEVTPS.EXE and MFEESP.EXE.

The Event Viewer for the Windows Application Event Log might show a high number of Event ID 3xxxx entries for the source McAfee Endpoint Security. The entries contain details such as:
  • EventID=35000
    An access from <IP_address> matched the rule <firewall_rule_name> and was Allowed.
  • EventID=35001
    An access from <IP_address> matched the rule <firewall_rule_name> and was Allowed.
  • EventID=35002
    An access from <IP_address> violated the rule <firewall_rule_name> and was Blocked.


If you enable these logging options in Firewall rules that trigger much event activity, it might cause performance issues. So, enable the logging options only on Firewall rules that do not generate a high number of events. If you encounter this scenario and disable the logging options on a Firewall rule that triggers many events, it might take time to flush the backlog of events before you see the CPU usage decrease.

Rate this document


This article is available in the following languages:

English United States
Spanish Spain

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.