Seeing 100% CPU utilized from "avd" process and a lot of 0x files in /tmp

We've been having an issue with one of our XG firewalls spiking its CPU usage for 20 minutes at a time to 100%.  By the time we got the alert from SFM it was too late to catch it.  But today we managed to see what was happening because it's happening a LOT more.

The "avd" process is taking up the CPU during these spikes.  We're seeing a lot of random 0x files in the /tmp folder being referenced by the avd.log file.  For example, /tmp/0x1ffbHk8 and /tmp/0x1fvPO1J.

Here's a snippet from the avd.log file:

2017-11-16 14:23:26 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8
2017-11-16 14:23:26 :[INFO] 4 sophos__scanfile: SweepFile(/tmp/0x15Bbjv4)
2017-11-16 14:23:27 :[INFO] 4 sophos__scanfile: File scan result : 0
2017-11-16 14:23:27 :[INFO] 4 sophos__scanfile: send_file_to_sandbox : 0
2017-11-16 14:23:27 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: SweepFile(/tmp/0x15Bbjv4)
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: File scan result : 0
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: send_file_to_sandbox : 0
2017-11-16 14:23:27 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8

This creates a noticeable disruption to the client's network.  The bandwidth is completely normal during these times.  This seems to be a fairly recent issue and we're still on the same firmware (16.05.5 MR-5) that we've been on for a while, although I am planning to update it soon.

Any ideas?
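
Added example, not part of the original post and not Sophos tooling: a Python triage script that tallies the SweepFile entries in avd.log per temp file, per second and per worker, to show whether the same /tmp/0x... file is being swept repeatedly during a spike. The line layout is inferred from the excerpt above, the number after the log level is assumed to be a worker/thread id, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Layout inferred from the excerpt: "<date> <time> :[LEVEL] <n> <function>: <message>".
# <n> is assumed to be a worker/thread id; the post does not say what it is.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) :\[(?P<level>\w+)\] "
    r"(?P<worker>\d+) (?P<func>\w+): (?P<msg>.*)$"
)
SWEEP_RE = re.compile(r"^SweepFile\((?P<path>[^)]+)\)$")

# Sample input: the first six avd.log lines quoted in the post.
SAMPLE = """\
2017-11-16 14:23:26 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8
2017-11-16 14:23:26 :[INFO] 4 sophos__scanfile: SweepFile(/tmp/0x15Bbjv4)
2017-11-16 14:23:27 :[INFO] 4 sophos__scanfile: File scan result : 0
2017-11-16 14:23:27 :[INFO] 4 sophos__scanfile: send_file_to_sandbox : 0
2017-11-16 14:23:27 :[INFO] 99 thread_event_handler: Client fde 0x1650b3d8
2017-11-16 14:23:27 :[INFO] 5 sophos__scanfile: SweepFile(/tmp/0x15Bbjv4)
"""

def summarize(text):
    """Tally SweepFile entries per file, per second and per worker id."""
    per_file, per_second = Counter(), Counter()
    workers, unparsed = defaultdict(set), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed += 1  # truncated or differently formatted line
            continue
        sweep = SWEEP_RE.match(m["msg"])
        if sweep is None:
            continue
        path = sweep["path"]
        per_file[path] += 1
        per_second[m["ts"]] += 1
        workers[path].add(int(m["worker"]))
    return {"per_file": per_file, "per_second": per_second,
            "workers": dict(workers), "unparsed": unparsed}

def rescanned(summary, min_scans=2):
    """Files swept at least min_scans times: candidates for a rescan loop."""
    return sorted(p for p, n in summary["per_file"].items() if n >= min_scans)

if __name__ == "__main__":
    print(rescanned(summarize(SAMPLE)))
```

Run over the full avd.log for a spike window, a high count for one path or a high per-second total points at the scanner reprocessing the same object rather than at traffic volume.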


