Proxy SG High CPU in some process

I need a solution

Hi, good day.

Our customers have a problem with the Proxy SG. The health monitoring status is Warning, sometimes Critical.

On a detailed check, the health monitoring Warning or Critical is caused by CPU, which is high in some processes.

I already followed the instructions from the Symantec portal, but that did not solve the problem.

Below is the KB from the Symantec portal.




Because when I look at the CPU utilization, the CPU is high because of some processes like


2. HTTP and FTP

3. Policy evaluation

Is this process normal? I also attach the CPU Statistics and Health Statistics.

Best Regards

Indra Pramono




7022512: Security Vulnerability: “Meltdown” and “Spectre” side channel attacks against modern CPUs.

The following three attacks have been identified:

  • CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker-controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise unreadable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.

This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel. It needs to be addressed for all SUSE Linux Enterprise processor architectures, Intel and AMD x86_64, IBM Power, IBM Z and 64-bit ARM.

  • CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mis-predicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.

This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries.

Mitigation is done with the help of Linux Kernel fixes on the Intel/AMD x86_64 and IBM Z architectures. On x86_64, this also requires updates of the CPU microcode packages, delivered in separate updates.

SUSE has shipped microcode updates for Intel and AMD processors that supply control of the “indirect branch speculation” feature. Please also check your CPU and hardware vendor's firmware / BIOS download pages for updates.

For IBM Power and IBM Z the required firmware updates are supplied over regular channels by IBM.

As this feature can have a performance impact, it can be disabled using the “nospec” kernel command line option on x86_64 and “nobp” on IBM Z.

  • CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculatively execute code that would read otherwise read-protected memory, an attack similar to CVE-2017-5753.

This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following an approach described in the “KAISER” paper.

The terms used here are “KAISER” / “Kernel Address Isolation” and “PTI” / “Page Table Isolation”.

The update does this on the Intel x86_64 and IBM Power architecture. Updates are also necessary for the ARM architecture, but will be delivered in the second round of updates.

This feature can be enabled / disabled by the “pti=[on|off|auto]” or “nopti” command line options. More details can be found in the “Additional information” section.
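A check an administrator could run after applying the updates, added here as an example and not taken from the SUSE advisory: it scans a kernel command line for the options the advisory says turn the mitigations off. The function names and the sysfs status path are assumptions beyond the advisory text.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory.
# Option names (nospec, nobp, nopti, pti=off) are the ones the advisory lists.

# Print one line per mitigation-disabling option found in the given command
# line. Runs in a subshell so "set -f" (no glob expansion) stays local.
spec_disabled_opts() (
    set -f
    for tok in $1; do
        case "$tok" in
            nospec|nobp)   echo "CVE-2017-5715 mitigation disabled: $tok" ;;
            nopti|pti=off) echo "CVE-2017-5754 mitigation disabled: $tok" ;;
        esac
    done
)

# Audit the running system: boot options plus the kernel's own status report.
audit_running_system() {
    if [ -r /proc/cmdline ]; then
        findings=$(spec_disabled_opts "$(cat /proc/cmdline)")
        if [ -n "$findings" ]; then
            echo "$findings"
        else
            echo "no mitigation-disabling boot options found"
        fi
    fi
    # Status files exposed by kernels that include the vulnerability
    # reporting interface (an assumption about the installed kernel; the
    # advisory does not mention this path).
    for v in spectre_v1 spectre_v2 meltdown; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        if [ -r "$f" ]; then
            echo "$v: $(cat "$f")"
        else
            echo "$v: status file not available"
        fi
    done
    return 0
}

audit_running_system
```

Any line reported by `spec_disabled_opts` means a boot option is trading one of the mitigations for performance and should be a deliberate, documented choice.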



Are the {symap,symev}*ko compatible with the RHEL Real-time kernel

I need a solution

We have RHEL 7.2 and 7.3 running with the Real-Time kernel. When installing SEP on RHEL 7.2, the installer detects the pre-built kernel modules and hangs at the AP module stage. A rcoldboot was needed to restart the system, but it hangs during bootup. After disabling the autoprotect service (in rescue mode), the system does boot correctly with the real-time kernel.

With RHEL 7.3, the symap and symev kernel modules aren’t detected and were compiled manually; the modules are loaded and the system hangs. The same procedure as above was needed to boot the system.

Are there updated versions of symap and symev that are compatible with the RHEL real-time kernel?