Sunday, July 15, 2007

High processor utilization after SBS2003 Service Pack 1 installed

Recently we upgraded an SBS 2003 Standard system to Service Pack and everything went well until the following day when we received all these processor idle time warnings. When we logged in we found that indeed the processor usage was averaging above 50%. Hmmm.. we looked at the task manager and found that the process “System” was consuming an abnormal amount of processors time.

We then loaded processor monitor from sysinternals, which showed all the processes that form part of system, to help us determine where the problem lay. We didn't install the Microsoft debugging tools like you are supposed to so we couldn't really identify where the issue lay. Hmmm..most likely some sort of system drive needed updating.

We had updated the system BIOS before performing the Service Pack upgrade so it couldn't be that. Our thoughts turned to the hard disk drivers being the next most likely option. When we looked at the HP drivers site for the server we were confused as to exactly what disk drivers the server had. We became hesitant about applying these sort of driver updates remotely. Hmmm...

After a little more contemplation we got the feeling that this issue was remarkably like another we had seen previously. A while back we saw issues where an SBS2003 server would slow to a crawl when it had Etrust 7.X installed. That little bug took us over 6 months to solve. The problem turned out to be an update of the Etrust realtime drivers. These updates can be found here.

We then checked the dates on the realtime CA files, INO_FLTR.SYS and INO_FLPY.SYS files located in the WINNT\SYSTEM32\DRIVERS directory and they were pretty old. Thinking that updating these was a good first step we downloaded the realtime updates from the CA web site and applied them to the SBS 2003 server. Of course applying the updates required the server to be reboot ( what doesn't these days?).

After the reboot, guess what? The processor activity returned to normal. Who ever thought that such small files can cause problems but we suppose when you consider that any realtime antivirus works at a pretty low level most of the time on a server, it makes sense that old realtime files can cause problems.

So in summary, if you are seeing high processor activity on a SBS 2003 server with Etrust V7.X antivirus installed, our advice is to try applying the realtime updates first (you'll need to reboot your server for them to take effect).