McAfee Enterprise Threat Protection (mfetpd) is killing EC2 instances

Problem:

Excessive CPU and memory use by McAfee mfetpd causes the EC2 instance to hang.


Symptoms:

System web services may become unresponsive; Additionally, SSH logins may hang after presenting the logon banner.


Cause:

Unknown: Some component within the McAfee Enterprise Threat Protection suite is miscalibrating itself to the hardware available on the local host, causing the kernel to (apparently) hang in swap and memory management.


Solution:

One or both of the following changes seems to resolve the issue.  (Those who are more risk-averse should probably use both.)


Method 1: Add a swapfile to provide some buffer in the event of memory overload events:

[email protected]:~$ sudo dd if=/dev/zero of=/.swap0 bs=1024 count=1024000 # 1 GiB swap file
1024000+0 records in
1024000+0 records out
1048576000 bytes (1.0 GB, 1000 MiB) copied, 13.4419 s, 78.0 MB/s
[email protected]:~$ sudo chmod go-rwx /.swap0
[email protected]:~$ sudo mkswap /.swap0
Setting up swapspace version 1, size = 1000 MiB (1048571904 bytes)
no label, UUID=f0034840-f355-449c-8e52-59ee9b2c807d
[email protected]:~$ echo '/.swap0 swap swap none 0 0' | sudo tee -a /etc/fstab
/.swap0 swap swap none 0 0
[email protected]:~$ sudo swapon -a
[email protected]:~$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/.swap0                                 file            1023996 256     -2


Method 2: Encourage the kernel not to swap memory to disk.

[email protected]:~$ echo 'vm.swappiness=0' | sudo tee -a /etc/sysctl.conf
vm.swappiness=0
[email protected]:~$ sudo sysctl -p
...
vm.swappiness = 0

We have also reached out to McAfee support to determine if there is an identified root cause for this issue, and will update this technote if they provide any insight.

Resolveu o seu problema?