High CPU usage from com.jamf.protect.security-extension

tk
New Contributor

We're using Jamf Now with Jamf Protect enabled and periodically seeing CPU spikes (with the process hanging and eating up resources indefinitely) caused by the com.jamf.protect.security-extension. This is actually causing the OS to get unresponsive and overheat, eating up all available CPU. The simple solution is to kill the process, but eventually the problem comes back.

 

Some basic debug information from the pid on a machine from when the problem occurred:

 

sudo dtruss -p 337
dtrace: system integrity protection is on, some features will not be available

SYSCALL(args) 		 = return
sigreturn(0x700008F16550, 0x1E, 0x1F99DBCB69B66C71)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x2EECB3AAFCC39E5E)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x5ECF2791121B465B)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xDCFC18327AB19367)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x131DCCD7A886722F)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xA6420414AE3C2D83)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x774160C6BC097B03)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x9CF5D78ADB397C7C)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xC695A61C98B23746)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x2E174C7243C6C3C)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x8475397DD123F821)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xB86A855D5C6D5582)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x33D38C31FCA52252)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x837887A519FD4360)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x57F08AB2F4CE5C4C)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x1452E243428B300B)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x512AD858951CCC8)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xCB123E6E890BB73)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xA74E8C22E5DAB37D)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xE1337532B76B5F4)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xF3D49E3526C825B5)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x9B382C79A3AF143C)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xE3478EE01738A3FB)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x3E9B48F4D3586447)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xE6B16B5E42609B19)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x694937F7D31E87DB)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xEC47F2F19874D6A3)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xF0EF461A890F4794)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x1AD3BBBA94BF6683)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xE59DCD0E9A8C787B)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xBC7110328B3402B7)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xB0D724F06D5A9148)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x2F59C457FDE2291F)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xCB4DF9599A7246A7)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xD7413C2FCF9AED4F)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xBAF1DA1780A03DD)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x3097FF42B964EBFB)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x7401D005F7749F02)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x3E46AF12BE3ACC53)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x27D8CDC1C73788B1)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x4A74F06CB1103776)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x64D67AB482C2EB9E)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x9314F366DD84EC76)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x7E08A312D1A28009)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xB813024A3C5BDB1A)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x1B1F8EBC893B4B0D)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x5A978B423CC387E7)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xEBADEF2959CFF180)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x5C3FAA00D61FB987)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x15CE2C94340BEA3D)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xC98EA9F9E8C84028)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x2010E19527E30C37)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xC6E313CF4AB76641)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x8785416CD1E73DD8)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xEF942E90885B70AC)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xC0841954B7EACEB9)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x32E5D4C3597F97A9)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x3A39DA7639F1D250)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x1D5A71745EBD3E41)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x961C032FCF13926D)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x15B6281324252B5E)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xD2887F5320CB2577)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x90A9473C0A0D6D54)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x901A97CA0EDD0FC8)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xAB2B5CC4850C8064)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x90F4F40655AE2218)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x78B563E2556A909F)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x2AFC246BCC17EC72)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x6AEDB40B20473B94)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x2D4E8E78AF86ABE5)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x71265E2E561FE22)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x505CDD59A51F9DBE)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xD57DAEE899531CB3)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x64D7000B1A3DE68B)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x45A55A7C80C360FE)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xE9867906907587C3)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x65CDD0610F2595A8)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0xE20D2E98FDB18D65)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x3BF047FFF91D0D41)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x925FDE3A4E3B0D69)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xC62ADDD766062425)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x640DC2D247C9E970)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x1530C30DAC96B81)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x76764F51FA9E3348)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0xF13700255B850A65)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x4A36C8B169315FA3)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x463519A381052379)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x8F919933BE986993)		 = 0 -2
sigreturn(0x70000909F568, 0x1E, 0x162C92B5694B0805)		 = 0 -2
sigreturn(0x700008F16550, 0x1E, 0x17C641DD12F93664)		 = 0 -2
dtrace: 238154 dynamic variable drops with non-empty dirty list

 

> sudo lsof -p 337
Password:
COMMAND   PID USER   FD      TYPE             DEVICE SIZE/OFF                NODE NAME
com.jamf. 337 root  cwd       DIR                1,4      640                   2 /
com.jamf. 337 root  txt       REG                1,4 12433296            28362867 /Library/SystemExtensions/1276F63E-603C-4E34-B5CD-2FA3DE9F5D01/com.jamf.protect.security-extension.systemextension/Contents/MacOS/com.jamf.protect.security-extension
com.jamf. 337 root  txt       REG                1,4    46944            30534913 /Library/Preferences/Logging/.plist-cache.T66NLeyt
com.jamf. 337 root  txt       REG                1,4    32768             7146411 /private/var/root/Library/HTTPStorages/com.jamf.protect.security-extension/httpstorages.sqlite-shm
com.jamf. 337 root  txt       REG                1,4    56384            29063318 /private/var/db/nsurlstoraged/dafsaData.bin
com.jamf. 337 root  txt       REG                1,4   443920 1152921500312329445 /System/Library/Frameworks/Security.framework/Versions/A/PlugIns/csparser.bundle/Contents/MacOS/csparser
com.jamf. 337 root  txt       REG                1,4   234080            28717902 /private/var/db/timezone/tz/2022f.1.0/icutz/icutz44l.dat
com.jamf. 337 root  txt       REG                1,4   120549            30535436 /private/var/db/analyticsd/events.allowlist
com.jamf. 337 root  txt       REG                1,4    32768            30534938 /private/var/db/mds/messages/se_SecurityMessages
com.jamf. 337 root  txt       REG                1,4 14762160            28362877 /Library/SystemExtensions/1276F63E-603C-4E34-B5CD-2FA3DE9F5D01/com.jamf.protect.security-extension.systemextension/Contents/Frameworks/ObjectiveRocks.framework/Versions/A/ObjectiveRocks
com.jamf. 337 root  txt       REG                1,4 30399984 1152921500312794842 /usr/share/icu/icudt70l.dat
com.jamf. 337 root  txt       REG                1,4  2177216 1152921500312782999 /usr/lib/dyld
com.jamf. 337 root    0r      CHR                3,2      0t0                 317 /dev/null
com.jamf. 337 root    1u      CHR                3,2      0t0                 317 /dev/null
com.jamf. 337 root    2u      CHR                3,2      0t0                 317 /dev/null
com.jamf. 337 root    3      PIPE 0x72cc79a3fe975f22    65536
com.jamf. 337 root    4w      REG                1,4    15802            30535355 /Library/Application Support/JamfProtect/db/LOG
com.jamf. 337 root    5r      DIR                1,4      608             7146258 /Library/Application Support/JamfProtect/db
com.jamf. 337 root    6      PIPE 0x71a00588162061ef    16384
com.jamf. 337 root    7u      REG                1,4        0             7146338 /Library/Application Support/JamfProtect/db/LOCK
com.jamf. 337 root    8w      REG                1,4       62            30535356 /Library/Application Support/JamfProtect/db/MANIFEST-000611
com.jamf. 337 root    9w      REG                1,4        0            30535358 /Library/Application Support/JamfProtect/db/000612.log
com.jamf. 337 root   10u      REG                1,4     4096             7146407 /private/var/root/Library/HTTPStorages/com.jamf.protect.security-extension/httpstorages.sqlite
com.jamf. 337 root   11u      REG                1,4   852872             7146410 /private/var/root/Library/HTTPStorages/com.jamf.protect.security-extension/httpstorages.sqlite-wal
com.jamf. 337 root   12u      REG                1,4    32768             7146411 /private/var/root/Library/HTTPStorages/com.jamf.protect.security-extension/httpstorages.sqlite-shm
com.jamf. 337 root   13   NPOLICY
com.jamf. 337 root   14u     unix 0xa9584682f9389fdf      0t0                     ->0xa9584682f9387a5f
com.jamf. 337 root   15u    systm 0xa958467e2dac6897      0t0                     [ctl com.apple.netsrc id 6 unit 3]
com.jamf. 337 root   16      CHAN             flowsw                              60EA3EE6-3AE3-4378-A931-5372928353F0[2] user-packet-pool
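One way to triage a dtruss capture like the one in the post above, added here as an example (not code from the poster or from Jamf): tally calls per syscall and per first argument, and flag a trace dominated by `sigreturn`, the syscall a thread makes when returning from a signal handler. The sample trace is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# dtruss line layout: name(args) <tabs> = return errno
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s+=\s+(\S+)\s+(\S+)$")
DROP_RE = re.compile(r"^dtrace: (\d+) dynamic variable drops")

# Constructed sample: 20 sigreturn calls alternating between two context
# addresses, one unrelated read, and a dtrace drop notice.
SAMPLE = "\n".join(
    ["SYSCALL(args) \t\t = return"]
    + [f"sigreturn(0x{ctx:X}, 0x1E, 0x{i * 7919:X})\t\t = 0 -2"
       for i, ctx in enumerate([0x7000AAAA0000, 0x7000BBBB0000] * 10, start=1)]
    + ["read(0x3, 0x7000AAAA1000, 0x400)\t\t = 64 0",
       "dtrace: 1234 dynamic variable drops with non-empty dirty list"]
)

def summarize(trace: str) -> dict:
    """Count syscalls, first arguments per syscall, and dtrace drop notices."""
    calls, first_args, drops = Counter(), {}, 0
    for raw in trace.splitlines():
        line = raw.strip()
        m = DROP_RE.match(line)
        if m:
            drops += int(m.group(1))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue  # column header, SIP notice, blank lines
        name, args = m.group(1), m.group(2)
        calls[name] += 1
        first = args.split(",")[0].strip()
        first_args.setdefault(name, Counter())[first] += 1
    total = sum(calls.values())
    top, top_n = calls.most_common(1)[0] if calls else (None, 0)
    return {"total": total, "calls": calls, "top": top,
            "share": top_n / total if total else 0.0,
            "top_first_args": first_args.get(top, Counter()),
            "drops": drops}

def looks_like_signal_spin(s: dict, min_share: float = 0.9) -> bool:
    """True when nearly every traced call is a return from a signal handler."""
    return s["top"] == "sigreturn" and s["share"] >= min_share

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["top"], f"{s['share']:.0%}", dict(s["top_first_args"]), s["drops"])
    print("signal spin:", looks_like_signal_spin(s))
```

A summary like this, together with a `sample` or `spindump` capture of the same PID, is a compact attachment for a vendor support case.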

 

9 REPLIES

MattT
New Contributor III

Hey @tk, just on the chance you haven't already done so, please be sure to touch base with Jamf Support through the usual avenues to ensure they're able to investigate and work with you to resolve this. Definitely not the experience we expect nor want to see!

AJPinto
Honored Contributor

I agree with @MattT, this is something I would open a ticket about. If there is a product issue, this is not where it will be noticed.

yourmindrewind
New Contributor

Hey @tk, did you get this resolved? We've experienced the same issue on select machines.

MattT
New Contributor III

As a follow-up to this, there are certain circumstances or use-cases where high-velocity, expected activity can be ignored from detection workflows to ensure only the necessary analysis is taking place. The Exceptions feature can be used to effectively achieve this for those users and use-cases where it makes sense, such as a software developer compiling code in a very specific directory with a very specific application. Documentation can be found here.

In either case, discussing this with the Jamf Tech Support team is still recommended to ensure we're either finding and squashing any potential issues or helping implement Exceptions successfully.

@MattT Thanks for taking the time to reply :-) I've also raised a case. I presume Exceptions can only be added in the full version of Jamf Protect, not the version that is enabled via Jamf Now.

MattT
New Contributor III

More than happy to, @yourmindrewind! That's why we're here :) You're correct, the Exceptions feature can only be leveraged with the full version of Jamf Protect. As such, definitely recommend continuing to work with the Jamf Tech Support team to investigate further 👍

chrissnyder
New Contributor

I've experienced this issue many times. I have to kill the com.jamf.protect.security-extension several times a week to keep my laptop from turning into a hot plate.

yourmindrewind
New Contributor

@chrissnyder We are still experiencing the issue as well. Seems to be affecting more and more of our machines.

jbutler47
Contributor II

As a follow-up, curious about what may have been put into place to exclude MS updates. Can anyone make/share a recommendation? 

Thanks.