
We have instrumented a .Net 4.0 application, running in IIS8.0 on Windows 2012 with an AppDynamics APM agent (v4.5.2).

This server also has McAfee Endpoint Protection installed, v10.6.0.542, with Threat Prevention v10.6.0.672.

With the APM agent installed, CPU is much higher under typical load (~50-60% with agent vs 10% without, across 2 vCPUs). Under heavy load, the application also starts becoming unstable (requests start queuing and timing out, response times become very high, errors begin occurring).

We have noticed that with McAfee enabled, it injects two DLLs into the w3wp process - EpMPApi.dll and EpMPThe.dll. We checked this using Process Explorer, looking at loaded DLLs for the process.

We ran various combinations of performance test:

  • Multiple different versions of the APM agent (no difference)
  • Different configurations of the agent. We found that by excluding the System library (System.dll), CPU was much lower and performance was acceptable, but response times were still higher than without the agent.
  • With McAfee fully disabled, the DLLs were not present, and CPU/performance was similar to previous tests without the agent - the overhead was within expectation/acceptable range.

We attempted to add w3wp.exe as an exception in McAfee, however we saw that the DLLs were still loaded, and the high CPU and poor performance still occurred.

In memory dumps, we consistently saw the application threads waiting on critical sections used by EpMPApi.dll. It seemed to be related to the application attempting to make socket connections (which it does frequently as all requests involve WCF calls to a downstream system).

We would like to understand if/how we can configure McAfee to either exclude w3wp.exe fully, or perhaps stop whatever activity it is doing that the APM agent seems to interact badly with.

We are also working on the APM agent side to understand if we can do anything there to prevent or work around the behaviour.

Thanks!

  • Just taking a punt here... have you tried to add an exception for WAS (C:\Windows\system32\svchost.exe -k iissvcs) - Windows Process Activation Services - this is the service that actually launches w3wp.exe – MisterSmith Oct 11 '18 at 23:02
  • @MisterSmith no we haven't. We have a discussion with some McAfee SMEs soon so may bring this up. It seems though that there isn't a way to totally ignore the process - there are just different risk categories. – Hamish Goodwin Oct 11 '18 at 23:46
  • Did anything improve since then? In my environment I see a doubling of context switches per second and McAfee endpoint threat protection service steadily increasing private bytes as if it has a memory leak, but only if AppDynamics runs on the same machine. – Albert Feb 19 '20 at 19:32
  • For anybody finding this issue, there is a KB on McAfee's website: https://kc.mcafee.com/corporate/index?page=content&id=KB79343 (we hit the exact same issue with Datadog APM) – Kevin Gosse Mar 31 '21 at 09:52
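
The loaded-DLL check that the question performs by hand in Process Explorer can be scripted so it is repeatable after each exclusion or policy change. This is an added example, not part of the original post or of either vendor's tooling; the function name `Get-InjectedModuleReport` is hypothetical, and it assumes an elevated PowerShell 3.0+ prompt whose bitness matches the worker processes.

```powershell
# Added example: report whether the McAfee DLLs named in the question are
# loaded in each IIS worker process (w3wp.exe). Run elevated.
$watched = 'EpMPApi.dll', 'EpMPThe.dll'   # DLL names taken from the question

function Get-InjectedModuleReport {        # hypothetical helper name
    param([string[]]$ModuleNames = $watched)

    # w3wp command lines carry the app pool name as: -ap "PoolName"
    $cmdLines = @{}
    Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
        $cmdLines[[int]$_.ProcessId] = $_.CommandLine
    }

    foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        $pool = '(unknown)'
        if ($cmdLines[$proc.Id] -match '-ap\s+"([^"]+)"') { $pool = $Matches[1] }

        # Reading the module list fails or comes back empty without sufficient rights.
        $mods = @()
        try { $mods = @($proc.Modules) } catch { }
        if ($mods.Count -eq 0) {
            Write-Warning "PID $($proc.Id) ($pool): module list not readable, skipping"
            continue
        }

        foreach ($name in $ModuleNames) {
            $hit = $mods | Where-Object { $_.ModuleName -ieq $name } | Select-Object -First 1
            [pscustomobject]@{
                ProcessId = $proc.Id
                AppPool   = $pool
                Module    = $name
                Loaded    = [bool]$hit
                Path      = if ($hit) { $hit.FileName } else { $null }
                Version   = if ($hit) { $hit.FileVersionInfo.FileVersion } else { $null }
            }
        }
    }
}

Get-InjectedModuleReport | Format-Table -AutoSize
```

Recycle the application pool before re-running the check, since a DLL already loaded in a running worker process stays loaded regardless of later configuration changes.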

0 Answers