I am also seeing my download speed slowly decline (drops roughly 50% every 2-3 hours after restart). I've got a 2010 Dell Studio laptop, Intel processor, 4GB RAM, 320 GB hard drive (180 GB consumed) running Win 7 and IE 11 that is giving me CPU usage problems. Please follow the steps in the link below to check if it fixes the system concern. It could be the Dell really has horrible internet ethernet. Secureworks' Red Cloak TDR software applies a variety of machine and deep learning techniques to a vast network of data, making it easier to find hard-to-detect threats across an entire IT landscape. If I shut down all applications before the CPU gets totally consumed then the demand of the little services will slowly return to normal (30-60 minutes). Not as ideal as 25-36 Mbps as before, but better than 3 Mbps. We found the following screenshots in the log files that explained what was happening. The processes that produce excess CPU demand vary. PeerSpot users give Secureworks Taegis ManagedXDR an average rating of 7.6 out of 10. Secureworks CTP Identity Provider Note: [PATH] = The full directory path to where the taegis-agent_[VERSION]_x64.msi file is located.
There does seem to be a dependence on which web sites I'm connected to w/IE 11 but even that is not reproducible. Red Cloak software brings advanced threat analytics to thousands of customers, and the Secureworks Counter Threat Platform processes over 300B threat events per day. Save and quit by hitting ESC and typing: :wq! The team always offers solutions adapted to the needs of the client and its implementation is simple and fast. After SFC is completed, copy and paste the content of the below code box into the command prompt. After putting system permissions back to default, this is what happened next, and an alert was fired off: An additional issue was discovered: to see the above log files you must have enabled verbose logging, which required a system restart to take effect. I opened a support ticket to review and we started looking at various log files. Ravi, are you suggesting running applications "in pairs" to see if there are interactions that are different in one pair or another?
Anyway, ServiceHost: SysMain right now is taking up 90% disk usage. The agent starts in debug mode and writes verbose information into the log files. I allow-listed this folder in the other security products in the environment and removed all permissions to the folder except for my testing account, to ensure that a potential attacker could not use my tools against me. We have a Keycloak HA setup with 3 pods running in a Kubernetes environment. Ok, thanks for the assistance ;) Here is the first log, AdwCleaner. I assume since I also was involved in all 3 machines, a similar rogue or trojan must be present on this machine as well, as the PC and gateway laptop were resolved. At the same time, the degrading download speed (with time) issue was resolved. Let the scan complete. In another run, after 10 hours (at the session time-out instance), the CPU usage spiked above 2000 millicores and pods started crashing. Taegis XDR ingests, enriches, and correlates data from a variety of endpoint, network, cloud and business systems. Any future product, service, feature, benefit or related specification referenced in this press release are for information purposes only and are not commitments to deliver any technology or enhancement.
I would suggest you clean boot the system and enable each application one by one and check the performance, as we will be able to identify if there is any conflict between applications. And other times it will bog down within an hour. Built on proprietary technologies and world-class threat intelligence, our applications and solutions help prevent, detect, and respond to cyber threats. They would not work on the computer because they felt they could not solve a problem that was neither predictable nor reproducible. This agent version also allowed logging level changes without restarting. Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens . A blank randomly named notepad file will open. The hardware seems to be fine. Only the adware programs with the "Hidden" flag could be added to the fixlist to unhide them. Running additional tools on your system can interfere with the clean-up process, or cause issues such as false positives.
The computer has been on for 4 hours with no problems but the odds are that sometime today, when I least expect it, things will start to get slow and Performance Monitor will show CPU usage skyrocket. Above shows the error that happened when I had removed all permissions except for my own user account. I have not been able to reproducibly create the high CPU usage problem by putting a heavy load on one application or another. The CPU usage increased and there were continuous CPU spikes at every 30 minute interval whenever the refresh token was used to acquire access tokens (30 min access token . These risks and uncertainties include, but are not limited to, competitive uncertainties and general economic and business conditions in Secureworks' markets as well as the other risks and uncertainties that are described in Secureworks' periodic reports and other filings with the Securities and Exchange Commission, which are available for review through the Securities and Exchange Commission's website at www.sec.gov. So far we haven't seen any alert about this product.
Running it on another machine may cause damage to your operating system. http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ [VERSION] = The version of the .msi installer file. [REGISTRATION KEY] = The key that is generated for any group that is created in Endpoint Management > Group Configuration. Creating the log file in the folder structure failed because the system account Red Cloak was using couldn't write to that folder.
XDR is differentiated by our advanced analytics (machine learning and deep learning), integrated threat intelligence from decades of experience, and the power of our network effect. Solved: CPU usage goes to 100% - Dell Community. Secureworks Red Cloak Endpoint Agent System Requirements. Before I did the clean reinstall of Win7 last Friday, I did numerous full virus scans (Microsoft Security Essentials) and malware scans (Malwarebytes) and never found anything. Disable one module at a time and start the Red Cloak . The CPU is being used for the cleanup of Integrity Monitoring baselines.
Since then I have replaced that computer. While that is cool and appreciated, there was no bug bounty awarded, etc. https://issues.redhat.com/browse/KEYCLOAK-13180 Disabling it reduced internet, but improved the disk usage and CPU greatly. I don't know what all is related so here's the story. Secureworks Red Cloak Threat Detection and Response (TDR) - Adapters | Axonius. How to Install the Secureworks XDR Taegis Agent. What seems to happen is that something triggers high demand and then every process on the computer joins in.
If I start in Safe Mode, download speed does not drop with time. The adware programs should be uninstalled manually. This may take some time. That's why I went through the pain of the Win7 clean install, but it has changed nothing. Secureworks Red Cloak Threat Detection & Response, Secureworks Red Cloak Managed Detection & Response, Windows endpoint agent: v2.0.7.9 and later, Linux endpoint agent: v1.2.13.0 and later. I requested a CVE for this issue to help push public awareness, in addition to this blog post, but I am frankly not sure if this meets the criteria for a CVE.
So you can't point to a single process as the culprit, though it's possible that high demand web sites (lots of ads) trigger the problem. secureworks = worthless. Problem solved. Knowledge gained from more than 1,000 incident response engagements per year informs the continuously updated threat intelligence and analytics used to recognize malicious activity. Therefore, please remove any, if present, before we begin the clean-up. The speed is back to 9 Mbps wifi. I'm going to do some research on that. Since a clean install of the OS did not fix it, I can't understand why installing Win10 fixed it, but there it is. I'd suggest that you optimize and maintain your computer. The wireless problem has been horrible after "possible Trojan/Rogue software" for the past year. *Update: CVE-2019-19620 was assigned for this issue.*
SFC will begin scanning your system for damaged system files. The computer is almost 4 years old but I would hate to spend the $$ to replace it and find that the problem is software. We ran UMA traffic with 10000 users at about 400 requests/second for around 10 hours. Then, I ran Mimikatz successfully and did not receive any alerts from Red Cloak. Restart the Red Cloak service: systemctl restart redcloak. Secureworks Taegis ManagedXDR is most commonly compared to CrowdStrike Falcon Complete: Secureworks Taegis ManagedXDR vs CrowdStrike Falcon . OP didn't seem that technical. Operating Systems: A SHA-2 patch is required for Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
We have been really unhappy with their responses and in general any guidance on security responses for our servers and network. Secureworks Taegis ManagedXDR Overview. That is much better than before! Nothing changes in its behavior except more information in log files, and faster file growth is expected because of this. Any ideas? Then locate to processes. In the MSConfig Startup, click on, Select the restore point you created earlier and click. The Secureworks Red Cloak Endpoint Agent collects a rich set of endpoint telemetry that is analyzed to identify threats and their associated behaviors in your environment. Secureworks immediately acknowledged the bug and agreed to a 90-day target fix, and requested a delay in publication until customers could update. The problem was temporarily (a day or two) fixed by the reinstall. In August of 2019, after going some time without any alerts from Red Cloak, we wanted to double check that it was actually doing anything. I do agree with the Secureworks stance that because local access is required, the potential for exploit is low.
To contact support, reference Dell Data Security International Support Phone Numbers. Go to TechDirect to generate a technical support request online. For additional insights and resources, join the Dell Security Community Forum. Follow the on-screen instructions to restore your computer to before the settings were modified for the Clean Boot. Would this give a different result than enabling them? If your topic is closed and you still need assistance, send me or any Moderator a Private Message with a link to your topic. With more accurate detections and better context, false alerts are reduced, and customers can focus on the events that matter. Sorry for the slower responses, as this is my Mom's machine. I've run a Malwarebytes scan and a full virus scan with Microsoft Security Essentials: nothing found. After reboot, the initial 100% quickly cooled down after one minute. Not clear what a clean boot would do, since this is not a matter of a program not running or not being able to install a program. Fix result of Farbar Recovery Scan Tool (x64) Version: 01-06-2019.
NOTE: The 100% disk usage came back after 2 minutes but died back to 0% again. Any interaction we have with a human there has been terrible. Check the items to isolate and troubleshoot the issue of high CPU usage on a Deep Security Agent machine. We currently have Secureworks for part of our IDS/IPS response, use Red Cloak on our servers and have iSensors in between our firewalls and internal network. As a reminder, I did a clean Win7 reinstallation last Friday and have only installed Java, Adobe Reader, Adobe Flash, Malwarebytes, Dropbox, Office 2010, Netgear Genie, Chrome, and Microsoft Security Essentials. Then click on CPU usage so the processes sort in descending order, to see which apps/processes are using the most. This may take some time. Select whether you would like to send anonymous data to ESET.