Seeing 100% CPU utilized from "avd" process and a lot of 0x files in /tmp

We've been having an issue with one of our XG firewalls spiking its CPU usage for 20 minutes at a time to 100%.  By the time we got the alert from SFM it was too late to catch it.  But today we managed to see what was happening because it's happening a LOT more.

The "avd" process is taking up the CPU during these spikes.  We're seeing a lot of random 0x files in the /tmp folder being referenced by the avd.log file.  For example, /tmp/0x1ffbHk8 and /tmp/0x1fvPO1J.

Here's a snippet from the avd.log file:

2017-11-16 14:23:26 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8
2017-11-16 14:23:26 :[INFO] 4 sophos__scanfile: SweepFile(/tmp/0x15Bbjv4)
2017-11-16 14:23:27 :[INFO] 4 sophos__scanfile: File scan result : 0
2017-11-16 14:23:27 :[INFO] 4 sophos__scanfile: send_file_to_sandbox : 0
2017-11-16 14:23:27 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: SweepFile(/tmp/0x15Bbjv4)
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: File scan result : 0
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: send_file_to_sandbox : 0
2017-11-16 14:23:27 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8

This creates a noticeable disruption to the client's network.  The bandwidth is completely normal during these times.  This seems to be a fairly recent issue and we're still on the same firmware (16.05.5 MR-5) that we've been on for a while, although I am planning to update it soon.

Any ideas?



  • 1. Upgrade to MR-8
    2. Check your AV scanning settings in WEB - Protection - MALWARE Scanning
       You could try to limit the size of files you are scanning
    3. If still an issue contact support

  • Running into the same problem on XG115w_XN02_SFOS 17.5.0 GA.  Only noticed the CPU issue because it's causing a RED tunnel to have severe packet loss and disconnects for around 30 minutes:


    avd.log:
    2019-01-24 09:20:27 :[INFO]  3 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: File /sdisk/tmp/0x1Ylla6W scan result : 0x80040210
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: Scanning file /tmp/0x1MUXlJQ (context=HTTP) ...
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: File /tmp/0x1MUXlJQ scanned okay
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: Scanning file /tmp/0x12Grwh5 (context=HTTP) ...
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: File /tmp/0x12Grwh5 scanned okay
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: Scanning file /tmp/0x1leeqWU (context=HTTP) ...
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: File /tmp/0x1leeqWU scanned okay
    2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: Scanning file /sdisk/tmp/0x1ObPgHd (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x18n3AET scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1XhDxCX (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1XhDxCX scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1XFaTSb (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1XFaTSb scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1qPGIT4 (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1qPGIT4 scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1rucOsL (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1rucOsL scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x10Gg4Yi (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x10Gg4Yi scan result : 0x80040210
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1qLqefb (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x1qLqefb scan result : 0x80040210
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1OR06aR (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x1OR06aR scan result : 0x80040210
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1bWeWbt (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1bWeWbt scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1hP3GQ7 (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1hP3GQ7 scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1vu0qEc (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1vu0qEc scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1zOxBKg (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1zOxBKg scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1SNPcGW (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1SNPcGW scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1NhAlGv (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x1NhAlGv scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1jI2UK9 (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1jI2UK9 scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1eDcAw9 (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x1eDcAw9 scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1WHdgPQ (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1WHdgPQ scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1z40gGC (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x1z40gGC scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1bWeWbt (context=HTTP) ...
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1bWeWbt scanned okay
    2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1jNilX8 (context=HTTP) ...
    2019-01-24 09:20:49 :[INFO]  2 sophos__scanfile: File /tmp/0x1jNilX8 scanned okay
    2019-01-24 09:20:49 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1pgrYgi (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /sdisk/tmp/0x1rELiU8 scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /tmp/0x1jNilX8 (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /tmp/0x1jNilX8 scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /tmp/0x1LwHIYy (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /tmp/0x1LwHIYy scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /tmp/0x1n5XEx9 (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /tmp/0x1n5XEx9 scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /tmp/0x1Eq2y0l (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /tmp/0x1Eq2y0l scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /tmp/0x1XhDxCX (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /tmp/0x1XhDxCX scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /tmp/0x1AOBbBt (context=HTTP) ...
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: File /tmp/0x1AOBbBt scanned okay
    2019-01-24 09:22:18 :[INFO]  7 sophos__scanfile: Scanning file /sdisk/tmp/0x1uPFTol (context=HTTP) ...
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: File /sdisk/tmp/0x1ZoSwHM scanned okay
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1DU7Aom (context=HTTP) ...
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: File /tmp/0x1DU7Aom scanned okay
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: Scanning file /sdisk/tmp/0x1TyAfIL (context=HTTP) ...
    2019-01-24 09:24:17 :[INFO]  4 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: File /sdisk/tmp/0x1TyAfIL scan result : 0x80040210
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: Scanning file /sdisk/tmp/0x1VhtPUR (context=HTTP) ...
    2019-01-24 09:24:17 :[INFO]  4 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: File /sdisk/tmp/0x1VhtPUR scan result : 0x80040210
    2019-01-24 09:24:17 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x15RkBvo (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x15RkBvo scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1MLQfml (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1MLQfml scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1VppXv0 (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1VppXv0 scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1idL1uY (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1idL1uY scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1fROVaF (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1fROVaF scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /sdisk/tmp/0x1w3lVyv (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /sdisk/tmp/0x1w3lVyv scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1dSIVa7 (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1dSIVa7 scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1yiFvwg (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1yiFvwg scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1WHdgPQ (context=HTTP) ...
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: File /tmp/0x1WHdgPQ scanned okay
    2019-01-24 09:24:18 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1XFaTSb (context=HTTP) ...
    2019-01-24 09:24:19 :[INFO]  4 sophos__scanfile: File /tmp/0x1XFaTSb scanned okay
    2019-01-24 09:24:19 :[INFO]  4 sophos__scanfile: Scanning file /sdisk/tmp/0x1e8RpgR (context=HTTP) ...
    2019-01-24 09:24:19 :[INFO]  4 sophos__scanfile: File /sdisk/tmp/0x1e8RpgR scanned okay
    2019-01-24 09:24:19 :[INFO]  4 sophos__scanfile: Scanning file /tmp/0x1SRArce (context=HTTP) ...
    2019-01-24 09:24:19 :[INFO]  4 sophos__scanfile: File /tmp/0x1SRArce scanned okay
    2019-01-24 09:24:19 :[INFO]  4 sophos__scanfile: Scanning file /sdisk/tmp/0x1wKwCXm (context=HTTP) ...


    These were the relevant options selected in a LAN>>WAN firewall rule:


    avd CPU still remained at 90-99% after disabling all of these options and saving the rule.

    Trying to stop the antivirus service from the System services >> Services GUI resulted in "The operation will take time to complete. The status can be viewed from the "Log viewer" page".

    The GUI still showed the antivirus service as "running", but CPU eventually went back to normal.


    Any ideas?
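To make a spike like the one above easier to characterise from avd.log alone, here is an added parser (not from the thread or from Sophos) that aggregates the 17.5-style log lines into scan rate per second, result codes, temp files submitted more than once, and scans that never logged a result. The sample log is constructed in the format quoted above; the line format and the meaning of the counters are assumptions from that excerpt.

```python
import re
from collections import Counter

# Constructed sample in the avd.log format quoted in the thread (not a real capture).
SAMPLE_AVD_LOG = """\
2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: Scanning file /sdisk/tmp/0x1Ylla6W (context=HTTP) ...
2019-01-24 09:20:27 :[INFO]  3 on_error_found: SAVI detected an error. Continuing with the next stream (CONTINUE_NEXT)
2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: File /sdisk/tmp/0x1Ylla6W scan result : 0x80040210
2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: Scanning file /tmp/0x1MUXlJQ (context=HTTP) ...
2019-01-24 09:20:27 :[INFO]  3 sophos__scanfile: File /tmp/0x1MUXlJQ scanned okay
2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1bWeWbt (context=HTTP) ...
2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1bWeWbt scanned okay
2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1qLqefb (context=HTTP) ...
2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /sdisk/tmp/0x1qLqefb scan result : 0x80040210
2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: Scanning file /tmp/0x1bWeWbt (context=HTTP) ...
2019-01-24 09:20:48 :[INFO]  2 sophos__scanfile: File /tmp/0x1bWeWbt scanned okay
2019-01-24 09:20:49 :[INFO]  2 sophos__scanfile: Scanning file /sdisk/tmp/0x1pgrYgi (context=HTTP) ...
"""

# Assumed line layout: "<timestamp> :[LEVEL]  <thread> <function>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) :\[\w+\]\s+\d+ \w+: (?P<msg>.*)$")
SCAN_RE = re.compile(r"^Scanning file (?P<path>\S+) \(context=\w+\)")
RESULT_RE = re.compile(r"^File (?P<path>\S+) (?:scanned okay|scan result : (?P<code>0x[0-9A-Fa-f]+))$")

def summarize(log_text):
    """Aggregate one avd.log excerpt into the counters worth watching during a CPU spike."""
    per_second = Counter()   # 'Scanning file' events per timestamp -> scan rate
    results = Counter()      # 'ok' or the raw SAVI result code, e.g. 0x80040210
    per_path = Counter()     # how often each temp file was submitted for scanning
    pending = {}             # files with a 'Scanning' line but no result line (yet)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        s = SCAN_RE.match(msg)
        if s:
            per_second[ts] += 1
            per_path[s.group("path")] += 1
            pending[s.group("path")] = ts
            continue
        r = RESULT_RE.match(msg)
        if r:
            results[r.group("code") or "ok"] += 1
            pending.pop(r.group("path"), None)
    return {
        "peak_scans_per_second": max(per_second.values(), default=0),
        "results": dict(results),
        "rescanned": sorted(p for p, n in per_path.items() if n > 1),
        "unfinished": pending,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AVD_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real excerpt by replacing SAMPLE_AVD_LOG with the file contents; a growing "unfinished" set or a high peak rate during the spike window points at the scanning load rather than bandwidth.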

  • After updating from 17.5 to 17.5.1 MR-1, avd is no longer consuming all the CPU, but now garner is in its place, again resulting in RED tunnel packet loss:


    Excessive CPU usage continues after stopping the antivirus service from the GUI, restarting the garner service from the CLI via service garner:restart -ds nosync, and disabling SFM management.

    /log/garner.log has thousands of this line:

    sethreshold: DROPPING SE

  • Garner is for reporting (most likely).

    This service should "calm down" after a couple of minutes.

    Use atop to monitor this situation and post again.

  • We're seeing this exact same behavior.  We could barely even log into our xg135 for 3 hours.  Seems like it has calmed down for now, but still getting spikes.  Upgrading to 17.5 this evening to see if it helps.  We've got about 30 users on an XG135 and no remote VPN users.