DLP Agent Consumes High CPU Due to Microsoft Management Console Connection


Article ID: 184510



Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover


You notice that the DLP agent has high CPU usage when running remote connections using Microsoft Management Console.

Detection Request Details :

    Session Command : Session Continue Request

    Session Id : {00ECAD59-6DBC-4E45-9B95-65405A4BE96A}

    Request Type : Data In Motion Request

Dim Detection Request Details : 

    Process Id : 5280

    Process Path : \Device\HarddiskVolume1\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe

    Application Name : Java(TM) Web Launcher

    User : user

    Domain : DOMAIN

    Time Stamp : 02/05/2019 19:08:16

    Dim Event Type : HTTP(S)

HTTP(S) Details : 

    URL : http://<hostname>:27888/forms/lservlet;jsessionid=QRW9g8s5Xcbk-l_iI5Jk9ABORl9q4BPRb3QGWmBvNy7cR73qFNjl!-502209814

Network Info Details : 

    Source IP : 10.xx.xx.xx

    Source Port : 62633

    Source Domain : 

    Destination IP : 10.xx.xx.xx

    Destination Port : 27888

    Destination Host Name : hostname:27888


In the DLP agent log file you will see the application jp2launcher.exe. While the DLP agent is running, it begins to consume several gigabytes of memory. This is due to rt.jar, the Java runtime (the bootstrap classes, everything Java needs for web communications), which contains 36,000 files. jp2launcher.exe and rt.jar are not HTTP events.


To exclude .jar files you must exclude .zip files, because the DLP agent inspects and analyzes .jar and .zip files as if they were the same.


A recommended solution is to ignore *.jar in the agent configuration's channel Filters settings, but only with a destination of application file access. In addition, add the destination hostname from the agent log entry where you see jp2launcher.exe to the HTTP filter under Filter by Network Properties.
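
To find which destination hostnames belong in the HTTP filter, the detection request entries in the agent log can be parsed and reduced to the hosts contacted by jp2launcher.exe. The script below is an added example, not part of the original article or a vendor tool; it assumes the log uses the "Key : Value" layout of the excerpt above, and the sample log, host names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the agent log excerpt; host names and
# the second (browser) record are made up for this example.
SAMPLE_LOG = r"""
Detection Request Details :
Dim Detection Request Details :
    Process Id : 5280
    Process Path : \Device\HarddiskVolume1\Program Files (x86)\Java\jre1.8.0_191\bin\jp2launcher.exe
Network Info Details :
    Source Domain :
    Destination Host Name : forms01.example.internal:27888
Detection Request Details :
Dim Detection Request Details :
    Process Path : \Device\HarddiskVolume1\Program Files\Browser\browser.exe
Network Info Details :
    Destination Host Name : intranet.example.internal:80
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")  # one "Key : Value" line

def parse_requests(text):
    """Split the log into one dict of fields per detection request."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Detection Request Details":
            records.append({})          # a new request block starts here
        elif records and value:         # skip sub-headers and empty fields
            records[-1][key] = value
    return records

def hosts_for_process(text, exe="jp2launcher.exe"):
    """Count destination hosts (port removed) contacted by the given executable."""
    hits = Counter()
    for rec in parse_requests(text):
        path = rec.get("Process Path", "").lower()
        host = rec.get("Destination Host Name", "")
        if path.endswith(exe.lower()) and host:
            hits[host.rsplit(":", 1)[0]] += 1
    return hits

if __name__ == "__main__":
    for host, count in hosts_for_process(SAMPLE_LOG).items():
        print(f"{host}\t{count} request(s)")
```

Only hosts that appear alongside jp2launcher.exe are reported, which keeps the HTTP filter limited to the traffic causing the load.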