VMware Horizon Community
JaceJ
Enthusiast

High Idle CPU killing VDI environment (McAfee)

So I have 2 data centers: one primary and a secondary which has a few users on it. Identical farms of 4 hosts. Recently we've been seeing high idle VM CPU usage, and after a bit of troubleshooting we ran pslist -s against idle VMs and found mcShield taking 33%+ CPU on the systems consistently; vCenter shows the VM consuming at minimum 2.2 GHz CPU while idle. As soon as I use console to log into one of these systems, the CPU drops to standard usage, about 300-500 MHz, and remains this way while logged in. If I lock the workstation and continue to monitor, the CPU utilization doesn't change. Then we log out of the VM and CPU jumps right back up to the 2.2+ GHz consumed range.

We have tried rebuilding our VMs from scratch after our security team asked us to run some additional debugging and found vmtools was doing a lot of WMI chatter. We found removing VMware Tools for a clean install to be a problem, as it drops into a blue screen crash cycle requiring us to revert to snapshot.

VMs are running Windows 7

McAfee Agent is 5.x; VirusScan is 8.8 Patch 9.

For reference, I have one parent template with McAfee Agent and antivirus installed and a second without any McAfee products on it. It's clear some McAfee policy appears to be the cause.

Any suggestions?

3 Replies
cgrubbe
Enthusiast

Not a McAfee user, but we do have Symantec Endpoint Protection and it likes to run processes when the machines are idle. No user logged in and it will run scans; as soon as you log in it suspends until the machine is idle again.

epa80
Hot Shot

I would highly recommend looking into Deep Security from Trend Micro, which is a host-based solution for anti-malware (as well as other security suites). We were a SEP11 shop years ago and found that having the client locally installed just absolutely hammered our environment. We had about 1500 VMs split across 2 data centers. The switch for us to Deep Security was like night and day. We now sit with about 9,000 VMs split across the 2 DCs and they are chugging along just fine.

In a nutshell nothing is installed locally on the guests. All that you have to enable is a driver within the VMware tools installation. Relieving the guests of a local install is a huge boost in performance. All of the protection is done from the host in conjunction with VMware's vShield/NSX suite.

Symantec and McAfee MAY offer a host-based solution as well, and perhaps even the McAfee you're running is; I'm just familiar with Trend Micro's product.

JaceJ
Enthusiast

McAfee MOVE is the product they have, and there are 2 flavors. One uses an offloaded scanning server to do all the work but introduces horrible latency when users attempt to open files. The other is similar to Deep Security as a host-based solution. This is the eventual way we are moving, but we are waiting on an upgrade of the ePolicy server before we start testing.

Long term I'd love to move away from McAfee altogether as I have not been a fan.

That being said, we think we found a workaround for now which has helped alleviate the problem.

Remove VMware agents; remove McAfee Agent and VirusScan.

Reinstall agents in the proper order. Note we had this done already but started clean nonetheless.

  Installation order of End User Computing Agents for User Environment Manager (UEM) and App Volumes (...

Reinstall McAfee agent with the enableVDImode switch

Reinstall VirusScan.

Additionally, we switched away from using Composer clones to Instant Clones, as we had been using Instant Clones for a while with good success and it allows us to resize our pools to have fewer spare systems, as spinning up new systems is quick and relatively painless.
