DLP Agent Consumes High CPU Due to Microsoft Management Console Connection
Article ID: 184618
Updated On:
Products
Issue/Introduction
You notice that the DLP agent consumes high cpu when running remote connections using Microsoft Management Console.
| INFO
| CoreServices.MessageLogger
| MESSAGETYPE_DETECTION_REQUEST {90C4C6F0-7CA5-44AA-8DF0-95E2
Request Id #297613
Detection Request Details :
Session Command : Session Continue Request
Session Id : {00ECAD59-6DBC-4E45-9B95-65405
Request Type : Data In Motion Request
Dim Detection Request Details :
Process Id : 5280
Process Path : \Device\HarddiskVolume1\Progra
Application Name : Java(TM) Web Launcher
User : gbd16bot
Domain : AD2
Time Stamp : 02/05/2019 19:08:16
Dim Event Type : HTTP(S)
HTTP(S) Details :
Network Info Details :
Source IP : 10.xx.xx.xx
Source Port : 62633
Source Domain :
Destination IP : 10..xx.xx.xx
Destination Port : 27888
Destination Host Name : hostname:27888
Cause
In the DLP agent log file you will notice references to an application known as jp2launcher.exe. When the DLP agent is running it will begin to consume several gigs of memory and this is due to the rt.jar or java runtime (or bootstrap classes which is everything java needs for web communications). The java run time (bootstrap classes) contains over 36,000 files inside it. And, it just so happens that jp launcher + rt.jar are not http events and cannot be normally excluded by the agent.
In order to exclude jar files you must exclude .zip files. Because, the DLP agent will inspect and analyze both .jar and .zip files as if they were the same.
Resolution
A recommended solution is to go ahead and ignore *.jar on the agent confiiguration channel Filters settings, but only with a destination of application file access. Also, you must add to this the destination hostname referenced in the agent log entry where you see jp2launcher.exe to the http filter inside the Filter by Network Properties.
Feedback
