Cylance Protect Causes Increased Connections and Bandwidth Utilization on ProxySG

Article ID: 169179

Products

ProxySG Software - SGOS

Issue/Introduction

Cylance Protect continuously pulls information from Cylance's cloud-based servers and sends file fragments to Cylance for analysis. This can increase CPU utilization, the number of connections, and bandwidth utilization on your ProxySG appliance.

Cylance Protect uses at least one persistent connection per client, in some cases two connections per client.

Cause

Cylance uses the AWS cloud to deliver updates, so by default the destination IP addresses are dynamic and cannot easily be predicted, which makes it difficult to identify traffic going to Cylance Protect servers by IP address.

If requested, Cylance can provide your organization with static IP addresses for its update servers, so that clients can be allowed out to only these destination IP addresses for updates. This is, however, not ideal and may pose a security risk.

Resolution

Disabling SSL interception and adding a 'do not cache' rule for the domains used by Cylance Protect should minimize the impact of Cylance Protect traffic. See the following links for policy details:
  • http://bluecoat.force.com/knowledgebase/articles/Solution/HowtodisableSSLinterceptionforsingleURL
  • http://bluecoat.force.com/knowledgebase/articles/Solution/WhattoexpectfromBlueCoatTriagewhenhavingProxySGissueswithaparticularwebsite
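
The following CPL fragment is an added illustration of the two rules described above, not policy taken from this article or from the linked articles. The condition name and the domains are placeholders, and it assumes the proxy can match the request by URL domain.

```cpl
; Constructed example: the domains below are placeholders, not Cylance's
; real hostnames. Replace them with the list published by the vendor.
define condition cylance_protect_domains
    url.domain=cylance-placeholder-1.example
    url.domain=cylance-placeholder-2.example
end

<SSL-Intercept>
    ; Tunnel the agent's TLS sessions instead of intercepting them
    condition=cylance_protect_domains ssl.forward_proxy(no)

<Cache>
    ; Do not cache objects fetched from these domains
    condition=cylance_protect_domains cache(no)
```

Keep the condition limited to the vendor's own domains, because traffic that matches it is no longer decrypted and inspected by the proxy.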