So, I ran Process Explorer on the server and took a look at the threads for the System process. Here’s what I saw:

TmXPFlt.sys threads in the System process using excessive CPU

It turns out TmXPFlt.sys is part of Trend Micro Office Scan’s virus scan engine. I tried unloading Office Scan but it made no difference. In the end I had to restart the server.

We install anti-virus to protect our servers, not to take them down.

It’s just not good enough!

In Sysinternals’ Process Explorer you see that most of your paged memory is in use:

If you unload Trend OfficeScan most of your Kernel’s paged memory is freed:

Basically, it seems that OfficeScan is trying to load its entire pattern file in memory. Unfortunately this file is around 100MB, which doesn’t leave much of the default 160MB page pool for the rest of the system. This problem has been around since at least the end of October when this version of the engine was released. Trend Micro have known about it since at least the middle of December. They have published a work around (see Trend Micro’s Solution ID on the problem) that increases the size of the pool. However, this only delays the onset of the problem.

More information can be found in this thread at the SysInternals forums.

It’s now almost the middle of February and Trend Micro still haven’t released an update fixing this problem. When are they going to fix it? Personally, I think anti-virus can at times be as bad as the viruses.

It’s just not good enough!