Collect Agent Performance Logs

Article ID: 286081

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to collect App Control Agent logs for performance cases.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • macOS: All Supported Versions
  • Linux: All Supported Versions

Resolution

Step 1: Gather Relevant Background Information

  • Date/Time performance issue started occurring (did any change precede the start of it?)
  • Actions being performed when performance is degraded
  • Is the performance issue associated with a specific application? (If yes, what is the application name?)
  • Does the vendor of the application have a recommended exclusion list and has it been implemented?
  • Any paths/processes known to be associated with the application
  • Are there any blocks seen locally or within the App Control console during the performance issue?
  • Are results the same if the Agent is stopped and unloaded?
  • What is the time difference with Agent stopped & unloaded vs fully operational (enabled)?


Step 2: Gather the Logs

Windows

  1. Open an administrative command prompt
  2. Issue the commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalCLIPassword
    dascli setconfigprop max_rolling_trace_size_mb=0
    dascli resetcounters
    dascli flushlogs
    dascli tamperprotect 0
    dascli debuglevel 6
    dascli kerneltrace 4 -1
    dascli nettrace 1
    dascli diagnostics +performance
  3. Start a Procmon capture
  4. Collect 5-10 mins of data during the ongoing performance issue.
  5. Stop the Procmon capture and save "All Events" as a PML file.
  6. In the administrative command prompt execute the following commands to capture and reduce the logging levels to normal:
    dascli capture "%userprofile%\Desktop\%computername%-Performance.zip"
    dascli password GlobalCLIPassword
    dascli setconfigprop max_rolling_trace_size_mb=50
    dascli debuglevel 0
    dascli kerneltrace 2
    dascli nettrace 0
    dascli diagnostics -performance
    dascli tamperprotect 1
  7. Upload all collected data.

macOS

  1. Open Terminal
  2. Issue the commands:
    cd /Applications/Bit9/Tools
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --resetcounters
    ./b9cli --flushlogs
    ./b9cli --debuglevel 4
    ./b9cli --kerneltrace 4
    ./b9cli --nettrace 1
  3. Open the macOS Activity Monitor (Applications > Utilities > Activity Monitor).
  4. Click View > Update Frequency > Often (2 sec)
  5. Collect 5-10 mins of data during the ongoing performance issue.
  6. Return to Activity Monitor, and double click the process with the performance issue. Click Sample.
  7. Once the Sample completes choose "Save" to export the results.
  8. In Terminal, capture the Agent Logs and return logging to defaults:
    ./b9cli --capture ~/Desktop/$(hostname)-PerformanceLogs.zip
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --debuglevel 0
    ./b9cli --kerneltrace 2
    ./b9cli --nettrace 0
  9. Collect System Logs
    system_profiler -detailLevel full > ~/Desktop/sysinfo.txt
    tar -cvf ~/Desktop/`hostname`-DiagnosticReports.tar /Library/Logs/DiagnosticReports
  10. Upload all collected data.

Linux

    1. Open Terminal and issue the following commands:
      cd /opt/bit9/bin
      ./b9cli --password GlobalCLIPassword
      ./b9cli --resetcounters
      ./b9cli --flushlogs
      ./b9cli --debuglevel 4
      ./b9cli --kerneltrace 4
      ./b9cli --nettrace 1
      
    2. Collect 5-10 minutes of data during the ongoing performance issues.
    3. Download the attached "cbp-linux-sys-info.sh" script.
    4. Extract and execute the script.
      • If the endpoint is in a Medium or High Enforcement Policy the "cbp-linux-sys-info.sh" script will need to be granted an Approval prior to execution.
      • If executing the script produces invalid character errors, clean the sh file with the command below and run the script again (write to a new file name first; redirecting output back onto the input file truncates it before it is read):
        col -bf < cbp-linux-sys-info.sh > cbp-linux-sys-info.clean.sh && mv cbp-linux-sys-info.clean.sh cbp-linux-sys-info.sh
    5. Once completed, collect the resulting "/tmp/cbp-linux-sys-info.tgz" file.
    6. Take a snapshot of the running b9daemon process using the gcore command (gcore is included with gdb, which you may need to install):
      gcore $(pidof b9daemon)
    7. Capture and stop debug logging:
      sudo ./b9cli --capture /var/tmp/$HOSTNAME-PerformanceLogs.zip
      ./b9cli --password GlobalCLIPassword
      ./b9cli --debuglevel 0
      ./b9cli --kerneltrace 2
      ./b9cli --nettrace 0
      
    8. Collect the System Logs.
      sudo tar cvfz /var/tmp/$HOSTNAME-SystemLogs.tgz /var/log
    9. After collection has completed, stop the Agent
    10. Reproduce the issue again while recording output from the top command:
      top -c -n 10 -d 5 >> /var/tmp/$HOSTNAME-top_output.txt
      
    11. While the Agent is shut down and unloaded, collect a FAPREDEP capture.
    12. Upload all collected data.
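The Linux steps above, gathered into one script as an added example (not part of the article and not Carbon Black's own tooling). The point it adds is a shell trap so that the raised debug, kernel-trace and net-trace levels are put back to the article's defaults even if the run is interrupted with Ctrl-C, rather than being left elevated on a production endpoint. Assumptions: the b9cli path, the CLI password (GlobalCLIPassword is a placeholder), the capture duration and the output directory are environment-variable overrides introduced here; the script is run as root, as the article's capture step is.

```shell
#!/bin/sh
# Added example: runs the Linux collection steps as one script and restores
# the agent's trace levels on exit, including an interrupted run.
# Assumed/overridable (not from the article): B9CLI, CLI_PASSWORD,
# CAPTURE_SECONDS, OUT_DIR. Run as root.

B9CLI="${B9CLI:-/opt/bit9/bin/b9cli}"
CLI_PASSWORD="${CLI_PASSWORD:-GlobalCLIPassword}"   # placeholder password
CAPTURE_SECONDS="${CAPTURE_SECONDS:-600}"            # 10 minutes (step 2)
OUT_DIR="${OUT_DIR:-/var/tmp}"

# Print the b9cli options for one phase, one "flag value" pair per line.
# "debug" is the article's step 1 setting, "normal" its step 7 defaults.
trace_settings() {
  case "$1" in
    debug)  printf '%s\n' "--debuglevel 4" "--kerneltrace 4" "--nettrace 1" ;;
    normal) printf '%s\n' "--debuglevel 0" "--kerneltrace 2" "--nettrace 0" ;;
    *)      return 1 ;;
  esac
}

# Authenticate to the CLI, then apply every setting of the given phase.
# Returns non-zero if the password step or any setting is rejected.
apply_settings() {
  "$B9CLI" --password "$CLI_PASSWORD" || return 1
  trace_settings "$1" | while read -r flag value; do
    "$B9CLI" "$flag" "$value" || exit 1   # exits the pipeline subshell only
  done
}

collect_performance_logs() {
  host="$(hostname)"
  archive="$OUT_DIR/$host-PerformanceLogs.zip"

  # From here on, normal logging is restored whenever the script exits;
  # Ctrl-C or SIGTERM is turned into an exit so the EXIT trap runs once.
  trap 'apply_settings normal' EXIT
  trap 'exit 130' INT TERM

  "$B9CLI" --password "$CLI_PASSWORD" || return 1
  "$B9CLI" --resetcounters
  "$B9CLI" --flushlogs
  apply_settings debug || return 1

  echo "Reproduce the performance issue now; capturing for $CAPTURE_SECONDS s" >&2
  sleep "$CAPTURE_SECONDS"

  # Step 6: core snapshot of the running daemon (gcore ships with gdb).
  pid="$(pidof b9daemon)" && gcore -o "$OUT_DIR/$host-b9daemon" "$pid"

  # Step 7 capture, then step 8 system logs; the trap resets the levels.
  "$B9CLI" --capture "$archive" || return 1
  tar czf "$OUT_DIR/$host-SystemLogs.tgz" /var/log

  printf '%s\n' "$archive"
}

# Only start a real collection when explicitly asked, so sourcing the file
# for its functions does not touch a live agent.
if [ "${RUN_COLLECTION:-0}" = "1" ]; then
  collect_performance_logs
fi
```

Usage: `sudo RUN_COLLECTION=1 sh collect-perf-logs.sh`, then upload the printed archive together with the gcore and system-log files from the output directory. The functions are kept separate from the top-level run so the settings logic can be exercised against a stub b9cli before it is pointed at a real agent.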

Attachments

cbp-linux-sys-info.sh