Knowledge Center

Enabling Endpoint Security Firewall 'Treat match as intrusion', or 'Log matching traffic' logging options, might cause high CPU usage
Technical Articles ID:   KB90177
Last Modified:  1/9/2018


McAfee Endpoint Security (ENS) Firewall 10.x


High CPU usage might occur with McAfee processes, such as MFEVTPS.EXE and MFEESP.EXE, on systems that use ENS, where the Treat match as intrusion or the Log matching traffic option is enabled, on Firewall rules that generate a high number of events. Examples of such rules include DENY ALL or ALLOW ALL.

The Event Viewer for the Windows Application Event Log might show a high number of Event ID 3xxxx entries, for the source McAfee Endpoint Security. The entries contain details such as:
  • EventID=35000
    An access from <IP_address> matched the rule <firewall_rule_name> and was Allowed.
  • EventID=35001
    An access from <IP_address> matched the rule <firewall_rule_name> and was Allowed.
  • EventID=35002
    An access from <IP_address> violated the rule <firewall_rule_name> and was Blocked.


If you enable these logging options in Firewall rules that trigger lots of event activity, it might cause performance issues. So, enable the logging options only on Firewall rules that do not generate a high number of events. If you encounter this scenario, and disable the logging options on a Firewall rule triggering a high number of events, it might take some time to flush out the backlog of events, before you see the CPU usage decrease.

Rate this document

Beta Translate with

Select a desired language below to translate this page.


This article is available in the following languages:

English United States

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.