Findings
Process Table Capacity
The Deep Security Agent maintains an internal process information table with a capacity of 20,000 process entries.
Log entries indicate that a large number of processes were created on the server, filling the process info table to capacity, which can also cause an OOM.
From ds_am.log:
2026-02-23 12:16:50.693591: [ds_am/4] | [PROCESS INFO] Hit capacity, bypass event (numOfProcessNodes: 20000) | process_info_table.cpp:83:NewProcess | 198702:198751:114049::
2026-02-23 12:16:50.693596: [ds_am/4] | [PROCESS INFO] Hit capacity, bypass event (numOfProcessNodes: 20000) | process_info_table.cpp:83:NewProcess | 198702:198751:114050::
2026-02-23 12:16:50.693599: [ds_am/4] | [PROCESS INFO] Hit capacity, bypass event (numOfProcessNodes: 20000) | process_info_table.cpp:83:NewProcess | 198702:198751:114051::
2026-02-23 12:16:50.693601: [ds_am/4] | [PROCESS INFO] Hit capacity, bypass event (numOfProcessNodes: 20000) | process_info_table.cpp:83:NewProcess | 198702:198751:114052::
2026-02-23 12:16:50.693604: [ds_am/4] | [PROCESS INFO] Hit capacity, bypass event (numOfProcessNodes: 20000) | process_info_table.cpp:83:NewProcess | 198702:198751:114053::
ds_am.log also shows an Agent restart due to an OOM condition:
2026-02-23 12:16:53.615647: [ds_am-M/2] | [DAEMON] Child process exited with status 0 | main.cpp:823:do_daemon | 1005:1005:31887::log
2026-02-23 12:16:53.615696: [ds_am-M/2] | [DAEMON] Restart child process due to OOM detected | main.cpp:831:do_daemon | 1005:1005:31888::log
2026-02-23 12:16:53.615715: [ds_am-M/2] | [DAEMON] do restart trashing control 6382. | main.cpp:767:do_daemon | 1005:1005:31889::log
2026-02-23 12:16:53.639742: [ds_am-M/2] | [DAEMON] Delaying 64000ms before restart 7 | main.cpp:788:do_daemon | 1005:1005:31890::log
2026-02-23 12:17:57.639487: [ds_am-M/2] | [DAEMON] Monitor process 1005:1:1005 is_running:1 | main.cpp:815:do_daemon | 1005:1005:31891::log
2026-02-23 12:17:57.639537: [ds_am-M/2] | [DAEMON] fork child process 1993C5:1005:1005 is_running:1 | main.cpp:810:do_daemon | 1993C5:1993C5:31891::log
An enhancement has been made to the process info table storage method to prevent the table from becoming full. It was released in version 20.0.2-22850.
Page Fault
When the Agent restarted to recover from the out-of-memory condition, the restart also closed BM hooking. At that moment, bmhook caused a page fault by accessing an invalid memory address in ScalarBaseEntryAddValue, leading to a kernel panic.
[6696106.088270] RIP: 0010:ScalarBaseEntryAddValue+0xa/0x20 [bmhook]
[6696106.088382] Code: 48 89 ef e8 f8 ad b1 f3 48 89 c3 48 85 c0 75 c7 5b 5d e9 94 be e1 f3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 06 <83> 7f 20 01 74 05 e9 76 be e1 f3 e9 96 fc ff ff 66 0f 1f 44 00 00
[6696106.088591] RSP: 0018:ffffb19ab0293c38 EFLAGS: 00010286
[6696106.088699] RAX: ffff96d4cf4bef40 RBX: 0000000000000000 RCX: 0000000000000000
[6696106.088827] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffb19a8780d000
[6696106.088939] RBP: ffffb19ab0293d70 R08: 0000000000000001 R09: 0000000000000001
[6696106.089051] R10: ffff96d7c9129000 R11: 0000000000000000 R12: 0000000000199ccd
[6696106.089163] R13: 0000000000000000 R14: 0000000000000010 R15: 0000000000000000
[6696106.089278] FS: 00007ff0bb5d0840(0000) GS:ffff96e3bfc00000(0000) knlGS:0000000000000000
[6696106.089393] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[6696106.089508] CR2: ffffb19a8780d020 CR3: 000000093d938005 CR4: 0000000000370ef0
[6696106.089629] Call Trace:
[6696106.089763] ? __die_body+0x1a/0x60
[6696106.089883] ? no_context+0x1ba/0x3f0
[6696106.090005] ? __bad_area_nosemaphore+0x157/0x180
[6696106.090127] ? do_page_fault+0x37/0x12d
[6696106.090247] ? page_fault+0x1e/0x30
[6696106.090371] ? ScalarBaseEntryAddValue+0xa/0x20 [bmhook]
[6696106.090503] bmhook_telemetry_scalar_add_value+0x24/0x40 [bmhook]
[6696106.090636] tmbpf_telemetry_scalar_add_value+0xa/0x20 [bmhook]
[6696106.090795] ? bmhook_prehook_handler+0x243/0x2e0 [bmhook]
[6696106.090929] ? task_work_add+0xc8/0xe0
[6696106.091053] ? srso_alias_return_thunk+0x5/0xfcdfd
[6696106.091180] ? tmhook_invoke_prehooks+0x41/0xb0 [tmhook]
[6696106.091310] ? tmhook_handler+0x18b/0x210 [tmhook]
This has been addressed in versions 20.0.2-29760, 20.0.2-29810, and later by using a lock to protect the BM hook from accessing an invalid address.
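Added example, not part of the original article or of the vendor's tooling: a short Python triage of the trace above that finds which register the faulting address in CR2 is based on and checks it against the instruction at RIP (the byte marked <83> in the Code: line). The function names and the 0x1000 offset window are assumptions of this example, and the decoder only handles the single instruction form seen in this trace.

```python
import re

# Excerpt of the oops quoted on this page: Code: line and register dump only.
OOPS = """\
[6696106.088382] Code: 48 89 ef e8 f8 ad b1 f3 48 89 c3 48 85 c0 75 c7 5b 5d e9 94 be e1 f3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 06 <83> 7f 20 01 74 05 e9 76 be e1 f3 e9 96 fc ff ff 66 0f 1f 44 00 00
[6696106.088699] RAX: ffff96d4cf4bef40 RBX: 0000000000000000 RCX: 0000000000000000
[6696106.088827] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffb19a8780d000
[6696106.088939] RBP: ffffb19ab0293d70 R08: 0000000000000001 R09: 0000000000000001
[6696106.089051] R10: ffff96d7c9129000 R11: 0000000000000000 R12: 0000000000199ccd
[6696106.089163] R13: 0000000000000000 R14: 0000000000000010 R15: 0000000000000000
[6696106.089508] CR2: ffffb19a8780d020 CR3: 000000093d938005 CR4: 0000000000370ef0
"""

REG = re.compile(r"\b(R[A-Z0-9]{1,2}|CR2):\s*([0-9a-f]{16})\b")
ALU = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]   # opcode 83 /0../7
RM = ["RAX", "RCX", "RDX", "RBX", None, "RBP", "RSI", "RDI"]    # None = SIB form

def parse_regs(text):
    """Map register name -> value for each 'NAME: <16 hex digits>' pair."""
    return {name: int(val, 16) for name, val in REG.findall(text)}

def fault_bases(regs, window=0x1000):
    """Registers that CR2 (the faulting address) lies just above: (name, offset)."""
    cr2 = regs["CR2"]
    return [(n, cr2 - v) for n, v in regs.items()
            if n != "CR2" and 0 <= cr2 - v < window]

def faulting_insn(text):
    """Decode the instruction at RIP (byte marked <xx>) when it has the form
    '83 /r disp8 imm8' with no SIB byte; return None for anything else."""
    code = re.search(r"Code:\s*(.*)", text).group(1).split()
    i = next(k for k, b in enumerate(code) if b.startswith("<"))
    op, modrm, disp, imm = (int(b.strip("<>"), 16) for b in code[i:i + 4])
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if op != 0x83 or mod != 1 or rm == 4:
        return None
    return ALU[reg], RM[rm], disp - 256 * (disp > 127), imm

def triage(text):
    """True when the register-derived base+offset agrees with the decoded operand."""
    insn = faulting_insn(text)
    return insn is not None and (insn[1], insn[2]) in fault_bases(parse_regs(text))

if __name__ == "__main__":
    print(fault_bases(parse_regs(OOPS)))   # register + offset that equals CR2
    print(faulting_insn(OOPS))             # (mnemonic, base register, disp8, imm8)
    print(triage(OOPS))
```

For this trace both views agree: the fault is a compare against the 4-byte field at offset 0x20 of the pointer in RDI, which is non-NULL but points at an invalid address, consistent with the explanation above that the hook was being closed while still in use.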
Solution
Both issues described above have been addressed in the DSA December builds (20.0.2-29760 and 20.0.2-29810) and later.
To resolve this issue, upgrade to the latest Deep Security Agent.
