After upgrading the DLP Agent to 15.8 and later, some websites may experience performance issues

Article ID: 241775

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

After upgrading the DLP Agent to 15.8 or later, some websites may experience performance issues in the Firefox, Chrome, or Edge browsers.

This includes the following:

  1. Sites loading slower than expected.
  2. Fields or forms lagging while entering data.
  3. After submitting data to websites, they take longer to respond or load (for example, two-factor authentication, also known as 2FA).

Note: All of these worked as expected in 15.7 or earlier.

Environment

Release: 15.8+, 16.x (All supported versions)

Component: Windows Endpoint Agent

 

Cause

Additional file scanning while loading websites may occur due to enhancements to the HTTP/HTTPS Attachment scanning feature.

Resolution

Solution A: Use narrow monitoring for the HTTPS channel (Recommended)

This issue occurs because browsers evolve and access different file types, which causes DLP (Data Loss Prevention) to scan more file types and results in performance issues. Narrow HTTPS monitoring filters prevent DLP from scanning files that it would not normally need to scan.
To achieve this, configure the agent filters as follows:

  • Select specific file types to be monitored by HTTPS (see filter 3).
  • Use a general ignore rule for all other HTTPS traffic after that (see filter 5).

 

Solution B: Ignore known problematic file types

While this solution can work, it may stop working after OS and browser updates.

For HTTPS-only websites, we recommend adding the following filter to the agent configuration:

Action: Ignore

Channel: HTTP/HTTPS Attachment

Type:

*.dll
*.ttc
*.ttf
*.ini
*.tmp

 

This will ignore file types that are known to cause this issue. Save and apply the filter, then retest to verify the resolution.

For HTTP-based websites, update the following setting to 1 in the Agent Advanced Settings: NetworkMonitor.APPLY_PREFILTERS_TO_FPR.int

Additional Information

Instead of using an ignore filter on file types known to cause issues, consider monitoring only known common file types for HTTPS.

If issues persist, review the FINEST level agent logs for the following types of messages to identify other file types to add to the filter.

Example

Source: FileSystem.DetectionRequestAddTask
Message: The file <path to file>\<filename> was allowed to be copied or saved.

These messages are relevant when they follow a Chrome logging message such as:

Source: CoreServices.ProcessActivity
Message: Received rtam message for process C:\Program Files\Google\Chrome\Application\chrome.exe(6300) create status(0) session Id(1) sandboxed appliction(0) store appliction(0) subsystem application (0)
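
The log review described above can be scripted. The following is an added example, not part of the original article or of any vendor tooling. It assumes the FINEST level agent log has been exported to plain text in the Source:/Message: layout shown above; the browser process names, sample paths, and function names are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions already covered by the Solution B ignore filter on this page.
IGNORED = {".dll", ".ttc", ".ttf", ".ini", ".tmp"}
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")  # assumed process names
SAVED = re.compile(r"The file (?P<path>.+?) was allowed to be copied or saved\.")
# Constructed sample in the Source/Message layout shown in the article.
SAMPLE_LOG = r"""
Source: CoreServices.ProcessActivity
Message: Received rtam message for process C:\Program Files\Google\Chrome\Application\chrome.exe(6300) create status(0) session Id(1)
Source: FileSystem.DetectionRequestAddTask
Message: The file C:\Users\alice\AppData\Local\Temp\a1.tmp was allowed to be copied or saved.
Source: FileSystem.DetectionRequestAddTask
Message: The file C:\Users\alice\AppData\Local\Google\Chrome\User Data\f_0001.pma was allowed to be copied or saved.
Source: FileSystem.DetectionRequestAddTask
Message: The file C:\Users\alice\AppData\Local\Google\Chrome\User Data\f_0002.pma was allowed to be copied or saved.
"""

def records(text):
    """Yield (source, message) pairs from consecutive Source:/Message: lines."""
    source = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip()
        elif line.startswith("Message:") and source is not None:
            yield source, line[len("Message:"):].strip()
            source = None

def tally_extensions(text):
    """Count extensions of files scanned after a browser process message."""
    counts, browser_seen = Counter(), False
    for source, message in records(text):
        if source == "CoreServices.ProcessActivity":
            browser_seen = browser_seen or any(b in message.lower() for b in BROWSERS)
        elif source == "FileSystem.DetectionRequestAddTask" and browser_seen:
            if m := SAVED.search(message):
                counts[PureWindowsPath(m.group("path")).suffix.lower() or "(none)"] += 1
    return counts

def filter_candidates(text):
    """Extensions seen in the log that the ignore filter does not yet cover."""
    return {e: n for e, n in tally_extensions(text).items() if e not in IGNORED}

if __name__ == "__main__":
    for ext, n in sorted(filter_candidates(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"*{ext}\t{n}")
```

Extensions with the highest counts are the first ones to evaluate for the ignore filter, or to leave out of a narrow HTTPS monitoring filter.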

 

See also: Agent Advanced Settings