SCSP High Memory Usage by IDS and Possible Missing IDS Events

Article ID: 157234

Products

Critical System Protection

Issue/Introduction

The UNIX and Linux SCSP agents, prior to the 5.2.9 MP1 release, may experience the following issues:

  • High memory usage by the IDS file watch component, caused by unnecessarily monitoring files that do not match a policy.
  • Possible missing IDS file watch events (false negatives).

Cause

Conditions for high memory usage to occur (all conditions below must exist):

  • A File Watch rule whose select string contains a wildcard in the file name, such as "/var/www/*.html", where the wildcard and a portion of the file name are both present in the select string.
    NOTE: using a wildcard for the entire file name, such as "/var/www/*", does not cause high memory usage.
  • New files are frequently added to a monitored folder (e.g., "/var/www/" in the above example) after the IDS File Watch policy is applied.

Conditions for missing IDS file watch events (all conditions below must exist):

  • A File Watch rule whose select string contains a wildcard in the file name, such as "/var/www/*.html", where the wildcard and a portion of the file name are both present in the select string.
  • The File Watch rule has a search depth (number of subdirectory levels to monitor) greater than 1.
  • More than one subdirectory exists in any directory below the directory being monitored, up to the search depth set.
    For example, for the select string "/var/www/*.html", the presence of the subdirectories "/var/www/sales" and "/var/www/marketing". If the search depth were set to 2, then if either sales/ or marketing/ had more than a single subdirectory, they would also be susceptible to the error.
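To make the conditions above concrete, the following Python checker is an added example; it is not part of this article or of the SCSP product. It takes a File Watch rule (select string plus search depth) and walks a directory tree, reporting whether the wildcard form, the search depth and the subdirectory layout meet the conditions listed. The FileWatchRule fields, the way depth levels are counted (the monitored directory is level 0 and directories at levels below the search depth are inspected), and the constructed directory names sales/q1 and sales/q2 are assumptions, since the product's own policy format is not shown here. Whether new files are frequently added cannot be determined statically, so the high-memory result reports only the wildcard condition.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class FileWatchRule:
    """Hypothetical representation of an SCSP File Watch rule (field names assumed)."""
    select: str        # select string, e.g. "/var/www/*.html"
    search_depth: int  # number of subdirectory levels to monitor


def has_partial_wildcard(select: str) -> bool:
    """True when the file-name part mixes a wildcard with literal characters
    (e.g. "*.html"). A bare "*" does not meet the article's first condition."""
    name = os.path.basename(select)
    has_wildcard = any(c in name for c in "*?")
    has_literal = name.strip("*?") != ""
    return has_wildcard and has_literal


def crowded_dirs(root: str, depth: int) -> list:
    """Return directories within the search depth that contain more than one
    subdirectory (the article's third condition for missing events).
    Assumption: root is level 0 and levels 0 .. depth-1 are inspected."""
    found = []

    def walk(path: str, level: int) -> None:
        if level >= depth:
            return
        try:
            subs = [e.path for e in os.scandir(path) if e.is_dir(follow_symlinks=False)]
        except OSError:
            return  # unreadable directory: skip rather than abort the scan
        if len(subs) > 1:
            found.append(path)
        for sub in subs:
            walk(sub, level + 1)

    walk(root, 0)
    return sorted(found)


def assess(rule: FileWatchRule, root_override: str = None) -> dict:
    """Evaluate one rule against the tree it monitors. root_override lets the
    check run against a test tree instead of the path in the select string."""
    root = root_override or os.path.dirname(rule.select)
    partial = has_partial_wildcard(rule.select)
    deep = rule.search_depth > 1
    crowded = crowded_dirs(root, rule.search_depth) if (partial and deep) else []
    return {
        # Frequent file additions (the second memory condition) are not checked here.
        "high_memory_risk": partial,
        "missing_event_risk": partial and deep and bool(crowded),
        "crowded_dirs": crowded,
    }


def build_sample_tree() -> str:
    """Constructed layout mirroring the article's example: www/sales and
    www/marketing, with sales/ holding two further subdirectories (names assumed)."""
    base = tempfile.mkdtemp(prefix="scsp_demo_")
    for rel in ("www/sales/q1", "www/sales/q2", "www/marketing"):
        os.makedirs(os.path.join(base, rel))
    return os.path.join(base, "www")


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for demo_rule in (FileWatchRule("/var/www/*.html", 2),
                      FileWatchRule("/var/www/*", 2),
                      FileWatchRule("/var/www/*.html", 1)):
        print(demo_rule, assess(demo_rule, root_override=demo_root))
```

Run against a real policy by building FileWatchRule objects from your exported rules and omitting root_override; a rule that reports missing_event_risk is one whose layout matches all three conditions and should be upgraded or handled through support as described under Resolution.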
Resolution

This issue is fixed in 5.2 RU9 MP1. Please use the latest build of the SCSP agent to obtain this fix.

If upgrading to the latest build is not possible, submit a support ticket and a TSE will determine if a hotfix is available.

Applies To

Affected Operating systems: All UNIX and Linux
Affected Symantec Critical System Protection versions: All 5.2.x (5.2 RUx).

Attachments

SCSP_5_2_8_MP4_HF1_RHEL_6_1_x64.zip
SCSP_5_2_8_MP4_HF1_RHEL_5x_x64.zip
RHEL5_x86_5_2_8_MP4_HF1.zip