What is causing my Proxy AV CPU Utilization to reach 100%?

Article ID: 167271

Products

ProxyAV Software - AVOS
ProxySG Software - SGOS
Advanced File Inspection

Issue/Introduction

During normal operation, the ProxyAV CPU spikes to 100% utilization.

The ProxyAV's AlertLogFile.log shows scans of Microsoft patches being downloaded from Windows Update, SWF Flash files, or other application updates.

Resolution

1. The ProxyAV appliance can take a very long time to scan Windows Update files, so we recommend not sending this traffic through the ProxyAV at all.

With the following CPL, the ProxySG will not forward Windows Update traffic to the ProxyAV. Note that url.domain= also matches every subdomain of the listed names, and that anything served from these domains is then delivered to clients unscanned, so keep the list limited to the Microsoft update hosts:

define condition WindowsUpdate
  url.domain=update.microsoft.com
  url.domain=windowsupdate.microsoft.com
  url.domain=download.windowsupdate.com
  url.domain=download.microsoft.com
end condition WindowsUpdate

<cache>
  condition=WindowsUpdate response.icap_service(no)

 

2. Install and configure the ProxyAV best practice policy to achieve maximum performance.

- To achieve the best performance on the ProxyAV, enable Heuristics (ProxyAV Management Console > Antivirus > Scanning Behaviour).
- On the ProxySG, configure policy to skip ICAP scanning of streaming and media content (the video, audio, streaming-media, ogg and multipart/x-mixed-replace MIME types listed in the MEDIA_MIME_TYPES condition, when the response has no Content-Length or one above 99,999,999 bytes), of responses to known misbehaving player user-agents, and of a short list of streaming domains. Install the following best practice CPL in the local policy file, not in a VPM CPL layer:

; -------------ICAP Best Practices----------------------------------------------
;;; The actual ICAP respmod rule should already be defined elsewhere; the rules
;;; below reset it back to (no) when a streaming object, or another object that
;;; shouldn't be scanned, is about to be sent to the ProxyAV. The conditions
;;; they reference are defined further down in this file.

<cache>
  ; Free a scan slot when the client gives up on a download
  delete_on_abandonment(yes)

  ; Exempt the objects matched by NOICAP from response-side ICAP scanning
  url.scheme=http condition=NOICAP response.icap_service(no)

  ; Never serve a patience page to the ProxyAV's own fetches
  request.header.User-Agent="ProxyAV" patience_page(no)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This condition will match if the content length is greater than
;; 99,999,999 bytes, or no content length is provided. Both of
;; these are signs that this may tie up a thread on the AV for too long.
define condition NO_or_LARGE_CONTENT_LENGTH
response.header.Content-Length=!""
response.header.Content-Length=!"^[0-9]{1,8}$"
end condition NO_or_LARGE_CONTENT_LENGTH

;; Here are some common infinite stream media types, these will
;; also block some threads on the AV.

define condition MEDIA_MIME_TYPES
response.header.Content-Type="video/"
response.header.Content-Type="application/streamingmedia"
response.header.Content-Type="application/x-streamingmedia"
response.header.Content-Type="application/vnd.rn"
response.header.Content-Type="application/ogg"
response.header.Content-Type="application/x-ogg"
response.header.Content-Type="audio/"
response.header.Content-Type="multipart/x-mixed-replace"
end condition MEDIA_MIME_TYPES

;; Empty for now: add modern user-agents known to misbehave to this condition
;; and remove the comment character (semicolon) from the User-Agent line. The
;; condition is already wired in through UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
;; and NOICAP below, so nothing else needs to be uncommented.
define condition Misbehaving_Modern_UserAgents
; request.header.User-Agent=""
end condition Misbehaving_Modern_UserAgents

define condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
condition=NO_or_LARGE_CONTENT_LENGTH condition=MEDIA_MIME_TYPES
end condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH

define condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
condition=NO_or_LARGE_CONTENT_LENGTH
condition=Misbehaving_Modern_UserAgents
end condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH

define condition Misbehaving_Old_UserAgents
request.header.User-Agent="Winamp"
request.header.User-Agent="NSPlayer"
request.header.User-Agent="RMA"
request.header.User-Agent="ultravox"
request.header.User-Agent="itunes"
request.header.User-Agent="forest"
request.header.User-Agent="Scottrader"
request.header.User-Agent="SVN"
end condition Misbehaving_Old_UserAgents

define condition HTTPv0.9_UserAgents
http.response.version=0.9 condition=Misbehaving_Old_UserAgents
end condition HTTPv0.9_UserAgents

define condition NOICAP
condition=VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
condition=HTTPv0.9_UserAgents
condition=UserAgents_with_NO_or_LARGE_CONTENT_LENGTH

; Yahoo's stock ticker problem - 15 Sep 2006
url.domain=//streamerapi.finance.yahoo.com
url.domain=//stream.aol.com
url.domain=//finance.google.com

; Other streaming media exceptions
url.domain=//youtube.com
url.domain=//pandora.com
end condition NOICAP

; -------------End ICAP Best Practices------------------------- 

The most up-to-date ProxyAV best practices policy can be found in section 9, Configuration Best Practices, of the ProxyAV best practices documentation.
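The CPL above cannot be executed outside a ProxySG, so here is a small Python model of its bypass logic, added as a worked example (it is not ProxySG or ProxyAV code). It re-implements the WindowsUpdate condition from step 1 and the NOICAP condition and its sub-conditions from step 2, then runs them over constructed sample transactions so you can see which responses the policy exempts from scanning before installing it. Assumptions, labelled in the code: CPL url.domain= matches the domain and any subdomain; CPL header tests are regexes, so the bare strings in the conditions behave as substring matches; an empty define condition never matches. The host names, user-agents and headers in SAMPLES are made up for illustration.

```python
"""Python model of the ICAP-bypass conditions in this article's CPL (added
example, not ProxySG code). Assumes url.domain= suffix-matches subdomains,
header tests are substring matches, and an empty condition never matches."""
import re
from dataclasses import dataclass, field

# define condition WindowsUpdate
WINDOWS_UPDATE_DOMAINS = ("update.microsoft.com", "windowsupdate.microsoft.com",
                          "download.windowsupdate.com", "download.microsoft.com")
# url.domain= entries inside define condition NOICAP
NOICAP_DOMAINS = ("streamerapi.finance.yahoo.com", "stream.aol.com",
                  "finance.google.com", "youtube.com", "pandora.com")
# define condition MEDIA_MIME_TYPES (substring matches on Content-Type)
MEDIA_MIME_TYPES = ("video/", "application/streamingmedia", "application/x-streamingmedia",
                    "application/vnd.rn", "application/ogg", "application/x-ogg", "audio/",
                    "multipart/x-mixed-replace")
MISBEHAVING_OLD_USER_AGENTS = ("Winamp", "NSPlayer", "RMA", "ultravox",
                               "itunes", "forest", "Scottrader", "SVN")
MISBEHAVING_MODERN_USER_AGENTS = ()  # empty on the page, so it never matches


@dataclass
class Transaction:
    scheme: str
    host: str
    user_agent: str = ""
    response_version: str = "1.1"
    response_headers: dict = field(default_factory=dict)


def url_domain_matches(host, domain):
    """url.domain=<domain>: the host itself or any subdomain of it (assumption)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def no_or_large_content_length(headers):
    """NO_or_LARGE_CONTENT_LENGTH: header absent, or not matching ^[0-9]{1,8}$."""
    length = headers.get("Content-Length")
    return length is None or re.fullmatch(r"[0-9]{1,8}", length) is None


def media_mime_type(headers):
    """MEDIA_MIME_TYPES: any listed type appears in Content-Type."""
    return any(m in headers.get("Content-Type", "") for m in MEDIA_MIME_TYPES)


def user_agent_in(tx, patterns):
    return any(p in tx.user_agent for p in patterns)


def noicap(tx):
    """define condition NOICAP: the OR of its four sub-conditions and domain list."""
    big_or_unknown = no_or_large_content_length(tx.response_headers)
    return ((big_or_unknown and media_mime_type(tx.response_headers))
            or (tx.response_version == "0.9" and user_agent_in(tx, MISBEHAVING_OLD_USER_AGENTS))
            or (big_or_unknown and user_agent_in(tx, MISBEHAVING_MODERN_USER_AGENTS))
            or any(url_domain_matches(tx.host, d) for d in NOICAP_DOMAINS))


def sent_to_proxyav(tx):
    """True if the response still goes to ProxyAV, False if a bypass rule fires."""
    # condition=WindowsUpdate response.icap_service(no) carries no scheme test,
    # so it also covers intercepted HTTPS.
    if any(url_domain_matches(tx.host, d) for d in WINDOWS_UPDATE_DOMAINS):
        return False
    # url.scheme=http condition=NOICAP response.icap_service(no)
    if tx.scheme == "http" and noicap(tx):
        return False
    return True


# Constructed samples: the cases the policy targets, plus two that show its limits.
SAMPLES = {
    "windows_update": Transaction("http", "download.windowsupdate.com", "Windows-Update-Agent",
        response_headers={"Content-Length": "45000000", "Content-Type": "application/octet-stream"}),
    "ms_cdn_subdomain_https": Transaction("https", "au.download.windowsupdate.com",
        "Windows-Update-Agent", response_headers={"Content-Length": "45000000"}),
    "chunked_video": Transaction("http", "cdn.example.net", "Mozilla/5.0",
        response_headers={"Transfer-Encoding": "chunked", "Content-Type": "video/mp4"}),
    # 10-digit Content-Length but not a media type: still scanned, still slow
    "huge_iso": Transaction("http", "mirror.example.net", "Mozilla/5.0",
        response_headers={"Content-Length": "4700000000", "Content-Type": "application/octet-stream"}),
    "small_exe": Transaction("http", "files.example.net", "Mozilla/5.0",
        response_headers={"Content-Length": "524288", "Content-Type": "application/x-msdownload"}),
    "winamp_http09": Transaction("http", "radio.example.net", "Winamp/5.6", "0.9"),
    "winamp_playlist": Transaction("http", "radio.example.net", "Winamp/5.6", "1.1",
        {"Content-Length": "2048", "Content-Type": "audio/x-scpls"}),
    # Server-chosen headers: an executable labelled video/* with no Content-Length
    "disguised_exe": Transaction("http", "evil.example.net", "Mozilla/5.0",
        response_headers={"Content-Type": "video/mp4", "Transfer-Encoding": "chunked"}),
}


def bypassed_samples():
    """Names of the samples the policy would never hand to ProxyAV."""
    return sorted(name for name, tx in SAMPLES.items() if not sent_to_proxyav(tx))


if __name__ == "__main__":
    for name, tx in SAMPLES.items():
        print(f"{name:24s} scanned={sent_to_proxyav(tx)}")
```

Two results are worth noting when you deploy the policy. The huge_iso sample is still scanned: the size test only exempts objects that are also media types or come from a listed user-agent, so a large non-media download will still tie up a ProxyAV thread. The disguised_exe sample is not scanned: every bypass in the NOICAP condition keys on headers the origin server chooses (Content-Type, Content-Length, HTTP version), so the policy trades scan coverage of server-labelled streams for ProxyAV availability, and that trade-off should be understood rather than assumed.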