u/its_justme27

When the Agent Eats Itself — Debugging a FortiSIEM Infinite Loop

Deployed phLinuxAgent (FortiSIEM 7.4.0) on a Debian-based box. The moment it started scanning, every CPU core pinned at 99%. strace revealed the cause: the agent follows symlinks with no inode tracking and no depth limit, so /bin/X11 -> . triggers infinite recursion.

The failure mode: the agent enters /bin, sees X11, enters it, finds itself back in /bin, sees X11 again — forever. Adding /bin/X11 to the monitoring profile exclusions did nothing because exclusions are evaluated post-traversal, not as a gate.

prayush.hashnode.dev
u/its_justme27 — 14 hours ago
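The traversal the post says is missing, as an added example (not FortiSIEM's code and not from the linked article): a walker that follows symlinks, refuses to re-enter a directory whose (device, inode) pair it has already visited, caps depth, and checks exclusions before descending. The function names and the temporary sample tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

def walk_following_symlinks(root, excluded=(), max_depth=32):
    """Follow symlinks but enter each real directory once; returns (files, skipped)."""
    excluded = {os.path.abspath(p) for p in excluded}
    seen = set()  # (st_dev, st_ino) of every directory already entered
    files, skipped = [], []
    stack = [(os.path.abspath(root), 0)]
    while stack:
        path, depth = stack.pop()
        if path in excluded:  # gate: checked before descending, not after
            skipped.append((path, "excluded"))
            continue
        if depth > max_depth:  # backstop if inode identity is unreliable
            skipped.append((path, "max_depth"))
            continue
        try:
            st = os.stat(path)  # stat() resolves the symlink to its target
            key = (st.st_dev, st.st_ino)
            if key in seen:  # same directory reached by another name
                skipped.append((path, "loop"))
                continue
            seen.add(key)
            with os.scandir(path) as it:
                entries = sorted(it, key=lambda e: e.name)
        except OSError:  # dangling link, permission denied, ELOOP
            skipped.append((path, "unreadable"))
            continue
        for entry in entries:
            if entry.is_dir(follow_symlinks=True):
                stack.append((entry.path, depth + 1))
            else:
                files.append(entry.path)
    return files, skipped

def build_sample_tree(base):
    """Constructed sample tree with the layout from the post: bin/X11 -> ."""
    bin_dir = os.path.join(base, "bin")
    os.mkdir(bin_dir)
    open(os.path.join(bin_dir, "ls"), "w").close()
    os.symlink(".", os.path.join(bin_dir, "X11"))
    return bin_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(walk_following_symlinks(build_sample_tree(base)))
```

Either check alone stops the loop on this tree; the inode set also catches cycles that span several directories, which a path-based exclusion list cannot enumerate in advance.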